public internet security
bsilver at chrononomicon.com
Mon May 7 14:09:33 UTC 2007
Paul S wrote:
> OK, here's what prompted me to raise this question in the first place.
> It's a Q&A from the Wall Street Journal Mossburg column of May 3 at this
> Here's the exact quote that has me concerned.
> "Q I am concerned about security on my laptop when traveling and using
> nonsecure Internet connections available at motels. Is there a way to be
> secure when accessing my financial Web sites while using a motel's
> A. You can install a good firewall, and sweep your laptop with security
> software for spyware and other malicious software that might transmit
> passwords. And you can make sure you are using antiphishing software.
> Better yet, you could use a sort of private Internet tunnel, called a
> Virtual Private Network, or a remote control service, like GoToMyPC, so
> you are actually using your home PC --- remotely --- to contact the Web
> sites involved.
> But, the bottom line is that, unless you are on a network that you can
> control and secure, such as a home or office network, I wouldn't advise
> accessing financial accounts online, or performing financial
> transactions. I wouldn't trust sensitive online transactions to any
> public Internet connection, such as those at motels. There are too many
> people, including other guests, the motel staff, and the people at the
> company that provides the motel's Internet service, who could
> potentially be watching what you are doing."
> Is Mossburg just wrong when he says even https connections aren't safe
> on public internets?
Okay, here's my view and understanding.
Are you absolutely 100% safe? No. Never. Not even from home. You
control *your* network, and that's pretty much it. Once your connection
leaves your controlled network, you don't necessarily know what is
intercepting your connection and doing something to it. If the
government wants to specifically target you, your communications are not
safe, no matter what someone says. Even though you could take all the
precautions in the world, you don't know if some idiot at the bank is
going to slip a finger on the keyboard and mis-allocate something at
some point, or someone is targetting their database and gets information
that makes transactions look like it's coming from you when in fact they
are not. This view usually requires the use of a tin foil hat to make
sure "they" can't read your mind to extract your passwords.
Practically speaking, however, he's wrong.
HTTPS is certainly safe enough to use. Much of security is based on
trust; the security part comes in the form of who you're trusting with
what. For example, the crypto certificate that makes HTTPS work means
you're trusting the third party company that issues the cert (and you
made sure the cert was legitimate when your browser popped up a
warning). The SSH connection means you're trusting the endpoint's
crypto key and that the machines are not compromised. Even the "go to
my pc" service he mentioned in the article still means you're trusting a
third party company not to intercept your keystrokes.
The way that story was written is still wrong, as if malware on your
machine is magically thwarted if you have a VPN connection. Sorry, but
if you have a keystroke logger on your machine phoning home, using your
laptop or your home PC if't they're compromised means your VPN isn't
going to help you.
If you want security, you should use something other than Windows. That
alone alleviates much of your need for concern over malware. If you're
tech savvy, use Linux. If not, use OS X.
If you insist on needing Windows you should run a good software firewall
(not one that came with Windows; something that allows for monitoring
incoming and outgoing connections). You should run scans for malware to
prevent keystroke loggers from taking root. You should learn how to
recognize spam and malware emails and how to prevent certain executable
types from automatically running and you need to learn how to keep your
Windows system up to date. If you can you may even want to get a small
portable SOHO NAT router to take with you on trips, as that will be a
good pseudo-firewall device.
And yes, HTTPS is secure enough for you to use for banking and such
remotely as long as you educate yourself on how to check that you're
using an encrypted channel (the padlock on the status bar) and you're
running clean of keystroke loggers and such. Also periodically check
over your account records to find any anomalies. Run financial software
on your system that you can use to track and balance transactions, and
make sure the number jive with what your bank says your accounts should
Things to avoid; I wouldn't use a public terminal for banking or secure
information. I don't use most of my personal email without using SSH
tunnels for the IMAP/SMTP ports. Anythings else really isn't worth me
trying to hide, although I have been known to create local image files
that mount as volumes that are encrypted for some information storage on
hard drives in case something happens that a drive is stolen.
Your best security if all you're doing is financial work over
HTTPS-based connections is simply paying attention for signs of things
not being "right"...a cert changing or not matching one you know is
good, your balance being off from your records...otherwise you should be
More information about the ubuntu-users