public internet security

Bart Silverstrim bsilver at chrononomicon.com
Mon May 7 14:09:33 UTC 2007


Paul S wrote:

> OK, here's what prompted me to raise this question in the first place. 
> It's a Q&A from the Wall Street Journal Mossburg column of May 3 at this 
> address: 
> http://mailbox.allthingsd.com/20070503/accessing-financial-web-sites-on-a-public-connection/
> 
> Here's the exact quote that has me concerned.
> 
> "Q I am concerned about security on my laptop when traveling and using 
> nonsecure Internet connections available at motels. Is there a way to be 
> secure when accessing my financial Web sites while using a motel's 
> connection?
> 
> A. You can install a good firewall, and sweep your laptop with security 
> software for spyware and other malicious software that might transmit 
> passwords. And you can make sure you are using antiphishing software. 
> Better yet, you could use a sort of private Internet tunnel, called a 
> Virtual Private Network, or a remote control service, like GoToMyPC, so 
> you are actually using your home PC --- remotely --- to contact the Web 
> sites involved.
> 
> But, the bottom line is that, unless you are on a network that you can 
> control and secure, such as a home or office network, I wouldn't advise 
> accessing financial accounts online, or performing financial 
> transactions. I wouldn't trust sensitive online transactions to any 
> public Internet connection, such as those at motels. There are too many 
> people, including other guests, the motel staff, and the people at the 
> company that provides the motel's Internet service, who could 
> potentially be watching what you are doing."
> 
> Is Mossburg just wrong when he says even https connections aren't safe 
> on public internets?

Okay, here's my view and understanding.

Are you absolutely 100% safe?  No.  Never.  Not even from home.  You 
control *your* network, and that's pretty much it.  Once your connection 
leaves your controlled network, you don't necessarily know what is 
intercepting your connection and doing something to it.  If the 
government wants to specifically target you, your communications are not 
safe, no matter what someone says.  Even though you could take all the 
precautions in the world, you don't know if some idiot at the bank is 
going to slip a finger on the keyboard and mis-allocate something at 
some point, or someone is targeting their database and gets information 
that makes transactions look like it's coming from you when in fact they 
are not.  This view usually requires the use of a tin foil hat to make 
sure "they" can't read your mind to extract your passwords.

Practically speaking, however, he's wrong.

HTTPS is certainly safe enough to use. Much of security is based on 
trust; the security part comes in the form of who you're trusting with 
what.  For example, the crypto certificate that makes HTTPS work means 
you're trusting the third party company that issues the cert (and you 
made sure the cert was legitimate when your browser popped up a 
warning).  The SSH connection means you're trusting the endpoint's 
crypto key and that the machines are not compromised.  Even the "go to 
my pc" service he mentioned in the article still means you're trusting a 
third party company not to intercept your keystrokes.

The way that story was written is still wrong, as if malware on your 
machine is magically thwarted if you have a VPN connection.  Sorry, but 
if you have a keystroke logger on your machine phoning home, using your 
laptop or your home PC if they're compromised means your VPN isn't 
going to help you.

If you want security, you should use something other than Windows.  That 
alone alleviates much of your need for concern over malware.  If you're 
tech savvy, use Linux.  If not, use OS X.

If you insist on needing Windows you should run a good software firewall 
(not one that came with Windows; something that allows for monitoring 
incoming and outgoing connections).  You should run scans for malware to 
prevent keystroke loggers from taking root.  You should learn how to 
recognize spam and malware emails and how to prevent certain executable 
types from automatically running and you need to learn how to keep your 
Windows system up to date.  If you can you may even want to get a small 
portable SOHO NAT router to take with you on trips, as that will be a 
good pseudo-firewall device.

And yes, HTTPS is secure enough for you to use for banking and such 
remotely as long as you educate yourself on how to check that you're 
using an encrypted channel (the padlock on the status bar) and you're 
running clean of keystroke loggers and such.  Also periodically check 
over your account records to find any anomalies.  Run financial software 
on your system that you can use to track and balance transactions, and 
make sure the numbers jibe with what your bank says your accounts should 
have.

Things to avoid: I wouldn't use a public terminal for banking or secure 
information.  I don't use most of my personal email without using SSH 
tunnels for the IMAP/SMTP ports.  Anything else really isn't worth me 
trying to hide, although I have been known to create local image files 
that mount as volumes that are encrypted for some information storage on 
hard drives in case something happens that a drive is stolen.

Your best security if all you're doing is financial work over 
HTTPS-based connections is simply paying attention for signs of things 
not being "right"...a cert changing or not matching one you know is 
good, your balance being off from your records...otherwise you should be 
fine.
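The last paragraph of the reply above boils down to "notice when the bank's certificate changes." Here is an added example of that check, written for this page and not code from the poster or the list: it records the SHA-256 fingerprint of a site's TLS leaf certificate while on a network you trust, then compares the live certificate against that record before you log in from the motel. The pin-file location and the host name in the usage line are assumptions; the sample byte strings in the test are constructed, not real certificates.

```python
"""
Trust-on-first-use pin check for a site's HTTPS certificate.

Run it once from home to record the fingerprint, then run it again on the
motel connection: a MISMATCH means the certificate you are being shown is
not the one you saw before, which is the "cert changing" signal the post
talks about.  (Added example; pin-file path below is an assumption.)
"""
import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path
from typing import Dict, Tuple

PIN_FILE = Path.home() / ".https_pins.json"   # assumed location, not from the post


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate.

    This is the same value a browser's certificate viewer shows as the
    SHA-256 fingerprint, so you can cross-check it by eye.
    """
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Open a TLS connection and return the server's leaf certificate in DER form.

    create_default_context() still validates the chain against the system CA
    store and checks the host name, so an outright bogus certificate is rejected
    before the pin comparison even happens.  The pin catches the harder case:
    a certificate that is valid but not the one the bank normally presents.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if der is None:
        raise ssl.SSLError(f"no peer certificate received from {host}")
    return der


def load_pins(path: Path = PIN_FILE) -> Dict[str, str]:
    """Read the {host: fingerprint} record; an absent file means no pins yet."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_pins(pins: Dict[str, str], path: Path = PIN_FILE) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def check_pin(host: str, der: bytes, pins: Dict[str, str]) -> Tuple[str, str]:
    """Compare a live certificate against the stored pin for host.

    Returns (verdict, fingerprint) with verdict one of:
      "new"      - no pin recorded yet (safe to record only on a trusted network)
      "match"    - live certificate is the one previously recorded
      "MISMATCH" - live certificate differs; stop and verify out of band
    """
    fp = fingerprint(der)
    known = pins.get(host)
    if known is None:
        return "new", fp
    if known == fp:
        return "match", fp
    return "MISMATCH", fp


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOST", file=sys.stderr)
        return 2
    host = argv[1]
    pins = load_pins()
    verdict, fp = check_pin(host, fetch_leaf_der(host), pins)
    print(f"{host}: {verdict} {fp}")
    if verdict == "new":
        pins[host] = fp           # only do this on a network you control
        save_pins(pins)
    return 1 if verdict == "MISMATCH" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))      # e.g. python pincheck.py bank.example (host is assumed)
```

A mismatch is a reason to stop, not proof of an attack: banks rotate certificates on expiry, and large sites may serve different certificates from different front-end nodes, so re-record the pin only after confirming the new fingerprint from a connection you trust. Note what the check does not cover, which the reply above also stresses: a keystroke logger on the laptop sees the password before TLS ever touches it.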



