4

Let's assume that I unwittingly connect to a malicious WiFi network and visit some websites. By malicious, I mean the network has been set up for the purpose of stealing data.

  • From what I've read, using https:// is safe. Is this true for networks set up for malicious purposes?
  • If I visit websites where I'm already logged in, and thus don't enter any passwords, can my credentials to these websites be compromised? What about session hijacking?
Peter
  • 143
  • 6

2 Answers2

8

From what I've read, using https:// is safe. Is this true for networks set up for malicious purposes?

If done right https is still safe. But, if you (actively) accept any kind of untrusted certificate (self-signed or signed by unknown CA) an active man-in-the-middle attack is possible. If the attacker owns a public root-CA or some intermediate CA or managed to issue specific certificates it is even possible to mount such attack without needing the victim to actively accept the spoofed certificates. While this is unlikely it was actually done.

If you are connecting to a site which uses public key pinning or certificate pinning (like access to google.com from Google Chrome) you are still safe in this case, but only for accessing these specific sites. If the attacker instead managed to steal some high value certificate or issue such certificate for sites not protected by pinning, than it is possible to do harm on other sites too, because high-value sites like google-analytics.com, jquery.com etc are often included as script into other sites.

If I visit websites where I'm already logged in, and thus don't enter any passwords, can my credentials to these websites be compromised? What about session hijacking?

For HTTPS you should be safe (see above). For plain HTTP it depends a lot on the site. Some sites not only use a random session cookie but also add browser fingerprint into it. This makes session hijacking harder but usually not impossible. Other sites instead let you change the users password or the reset e-mail without asking for the old password. In these cases a permanent takeover of the account is possible.

EDIT to summarize the good comments here: any security collapses when you use unencrypted HTTP (or FTP). From then on sslstrip, script or HTML injection etc make it possible for an attacker to hijack anything. So you better disable HTTP and FTP , which could be done by setting the relevant protocol proxy to something non-existent.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 2
    Regarding hijacking, even with fingerprinting, it's comically easy to emulate given that every request from the browser broadcasts everything a hijacker would need to clone it. Maliciously interfered HTTP would also present a huge phishing opportunity (injected **PLEASE CONFIRM YOUR PASSWORD TO CONTINUE!** message boxes, etc). – Oli Jan 05 '15 at 12:45
  • 1
    I would say if you are connected to a malicious network then you are subject to SSL Strip which would render HTTPS useless. The real answer to this question is there is no PERFECT answer. There is, and always will be a work around. The real question is which is MOST secure. https://www.youtube.com/watch?v=XtaAuhQWvcg – DotNetRussell Jan 05 '15 at 13:26
  • 2
    @AnthonyRussell: while sslstrip is important it only works if you just follow links. Explicit use of `https://` is not affected by sslstrip and also following links from inside a https-site is not affected. – Steffen Ullrich Jan 05 '15 at 13:34
  • @SteffenUllrich I'm not saying you're wrong with your answer. I just think it's always worth mentioning there is no perfect solution – DotNetRussell Jan 05 '15 at 13:46
1
  1. HTTPS is safe, if you pay attention to the browser's security indicator. There are various ways of redirecting HTTPS connection attempts to become plain HTTP, and it's possible to perform a man-in-the-middle attack with a self-signed certificate, but if you're paying attention, your browser will alert you to these.

  2. Yes. If the connection is performed over plain HTTP, an attacker can intercept the cookies and perform a session-stealing attack. If your login credentials are stored in the cookies (something a distressing number of forums do when you click "keep me logged in"), those can also be stolen; if the website does not require you to re-enter your password to access or change your login details, a session-stealing attack can get your credentials that way.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • Are there mechanisms whereby well-designed websites can detect the change in client and log the user out? – Peter Jan 05 '15 at 06:06
  • 1
    @Peter, not if the attacker is smart about how they do the attack. Any factor that the site could use to identify a change of client, the attacker can imitate. – Mark Jan 05 '15 at 10:04
  • 1
    If there are [website vulnerabilities such as XSS on a reflected cookie value](http://security.stackexchange.com/a/44976/8340) or any other cookie poising attacks then any accidental HTTP browsing to any site over the malicious network would put you at risk. – SilverlightFox Jan 06 '15 at 08:33