EEVblog Electronics Community Forum
General => General Technical Chat => Topic started by: engineheat on January 15, 2020, 03:42:21 am
-
A flight got cancelled so I had to make an emergency booking online (yes, the airline told us to book on another airline using a website or else we won't get reimbursed). The 4G signal was so bad that I had to use the airport wifi. There is no password other than going to the homepage and agreeing to terms. So I used my credit card. Should I call my credit card company to send me a new one?
thanks
-
If you used your own hardware (phone or laptop) AND if the website you wrote your credit card number on was using encryption (which I assumed it did, with most browsers now you get a warning if a site isn't using encryption) then you don't need to worry.
A public wifi is not encrypted so anyone can in theory see your traffic. If the website you are connected to uses encryption though, the only thing a potential hacker would be able to see is that you are connected to that website, not the contents you are sending or receiving from that website.
-
And if you didn't see anything weird happening when logging in (for example being redirected after login and getting a login page again, this time however of the actual site). On a public wifi network it's possible that someone does a "man in the middle attack". This works by transmitting the same SSID as the public wifi. On the hacker's hardware a fake website is running. The idea of course is to steal the user and password, and possibly other important private information. When using a public wifi network, it's best to use some kind of a VPN service.
-
Fully agree with Daixiwen's summary. For clarity: You can see that a website is using encryption when its address in your web browser begins with "https:" (rather than "http:"). Some sites might only switch to https for the actual shopping/payment pages, but these days most major sites use the https protocol throughout.
Just open the site which you used and have a look at the browser's address input line. Increasingly, browsers shorten the displayed address to cater for non-technical users; you might have to click into the input field to see the full details.
-
There are three things you need to consider:
You need to...
1. Trust the device
2. Trust the transport
3. Trust the service/application
If you are using your own device, the first point is probably easy.
The second is a little trickier. Wi-Fi that doesn't have encryption sends all traffic in the clear. If the site you're using uses strong encryption (almost all reputable payment merchants), then you're fine.
The third can also be difficult. If it's a reputable service (which you've used before), then you'll be fine. If it's some strange site or application that is new to you, be very cautious.
Monitor your credit card frequently and report any suspicious transactions.
-
Sorry guys, but replies #2 and #4 are misleading. The whole idea of https end-to-end encryption is that you do *not* need to trust the transport provider, since he only sees encrypted traffic.
(You do need to be sure that you are talking to the right website at the other end. That’s what https certificates are for.)
-
Yes, you shouldn't need to trust the transport. If anyone listening to your WiFi transmissions can see the CC number, then so can anyone tapping into your DSL cable or working at / hacking into your telco's infrastructure.
Any website dealing with CC numbers should be secured from that kind of eavesdropping as a matter of principle and, AFAIK, also regulations. An airline should get it right.
That being said, CCs are of course a braindamaged idea in the first place.
edit
And yes, you should be checking what you are connecting to, and doubly so when on some fishy network. That's what that lock icon on your browser's address bar is for. Because even if nobody could see your communications with the legitimate site, they could still try to impersonate the legitimate site so that you never even connect to the real thing, and this actually is doable on open WiFi networks. It does require that you connect over plain HTTP, no S.
But chances of that happening are low, and chances of that happening only to you and not lots of people are lower still. I haven't heard of such tricks being used to steal CCs yet.
-
Sorry guys, but replies #2 and #4 are misleading. The whole idea of https end-to-end encryption is that you do *not* need to trust the transport provider, since he only sees encrypted traffic.
(You do need to be sure that you are talking to the right website at the other end. That’s what https certificates are for.)
Not misleading at all. What if the OP used an insecure protocol or application? Then hopefully the transport layer adds some security.
Security is a multi-layered approach. No one should just rely on one mechanism (particularly in a public place on dubious networks). By "transport", that includes the use of trusted VPN tunnels.
This is of course a very simplified explanation, there are many more details involved.
-
When you connect to the internet, the internet you get to see is whatever the access point wants you to see. Might be the real internet or a whole parallel universe. That wifi (*) can spoof everything, the DNSs, the certificates, the content, the scripts, everything. Can also inject code in every page you see. It can't spoof the roots in your browser's local trusted certificates list, but that's not enough to guarantee a 100% secure communication.
(*) And your usual, trusted ISP too.
-
O'rly?
In case this isn't some secret proprietary knowledge of whatever criminal enterprise you work for, could you share how you are spoofing TLS certificates such that they appear to be signed by an authority trusted by a non-compromised browser? Or maybe somehow using the original site's cert? I'm curious ;)
-
I dunno, in a context where the OP wonders whether he needs to cancel his credit card, this feels like scaremongering to me. Personally, I would check that the site uses https and that my browser finds nothing wrong with its certificate, then proceed. Your mileage may vary.
-
https://youtu.be/WVDQEoe6ZWY
-
Set up a PiVPN at home so next time, you'll have a layer of security as trustworthy as your home network.
-
In case this isn't some secret proprietary knowledge of whatever criminal enterprise you work for, could you share how you are spoofing TLS certificates
I'd tell you, but then I'd have to kill you... :-DD
such that they appear to be signed by an authority trusted by a non-compromised browser? Or maybe somehow using the original site's cert? I'm curious ;)
Which CAs does your browser trust? And why? Do you know who controls them? Do you ever check which CA has given the green light to your https:// connection?
The truth is out there.
-
O'rly?
In case this isn't some secret proprietary knowledge of whatever criminal enterprise you work for, could you share how you are spoofing TLS certificates such that they appear to be signed by an authority trusted by a non-compromised browser? Or maybe somehow using the original site's cert? I'm curious ;)
If you think HTTPS is non-interceptable you will be in for a big surprise. Every big company including financial institutions runs SSL/TLS inspection gateways to decrypt and inspect user traffic. I will leave it to you to research how it is done. Unless you specifically check in your browser who issued the certificate to the site you are connecting to you would not know if the connection was point to point or with a TLS decrypting proxy in between.
-
If you think HTTPS is non-interceptable you will be in for a big surprise. Every big company including financial institutions runs SSL/TLS inspection gateways to decrypt and inspect user traffic. I will leave it to you to research how it is done. Unless you specifically check in your browser who issued the certificate to the site you are connecting to you would not know if the connection was point to point or with a TLS decrypting proxy in between.
Yes, my employer uses such a system too. Essentially a "man in the middle" attack sanctioned by the IT guys.
But web browsers do very much notice that the certificates are incorrect. If you use the officially sanctioned company browser under Windows, IT has preconfigured it to accept the certificate used by the SSL eavesdropping software, so that it does not complain. But use any other device or browser, and the invalid certificate will be pointed out.
(Is it a smart idea to deploy such a monitoring tool? I don't think so. It only trains users to click the "yes, I trust that server and certificate" button whenever an alert comes up. Taking that alert seriously is an important lesson here, if you want SSL/https to remain a meaningful protection mechanism.)
-
If you think HTTPS is non-interceptable you will be in for a big surprise. Every big company including financial institutions runs SSL/TLS inspection gateways to decrypt and inspect user traffic. I will leave it to you to research how it is done.
I know how it's done. If you go to such a network with your own device, you will see a big red warning which in case of Firefox literally says something along the lines of "it looks like somebody may be doing something nasty" ;)
Which CAs does your browser trust? And why? Do you know who controls them? Do you ever check which CA has given the green light to your https:// connection?
The truth is out there.
Point taken, I believe there were some fuckups by CAs even though I don't remember the details. It frankly is a fragile system, for things like banking I would prefer to get a public key straight from the bank itself, but tell that to all those, ehm, "nontechnical" users ::)
But is it common for that stuff to get exploited in practice? By DNS intercept on public networks? I don't know, whenever I hear about it, it's people saying that it could be done, rather than it is being done. Seems that in practice, once you have that fake login page up, it's easier to just send phishing emails.
(Is it a smart idea to deploy such a monitoring tool? I don't think so. It only trains users to click the "yes, I trust that server and certificate" button whenever an alert comes up. Taking that alert seriously is an important lesson here, if you want SSL/https to remain a meaningful protection mechanism.)
That's not a great idea because you don't know if you are connecting to the corporate proxy or Johny Hacker's computer nearby ;)
If you really want to use such a network, you should obtain and install a copy of the proxy's root certificate. And remove it once you are out of there.
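-
Added example (not part of any forum post): the check several replies above describe, looking at which CA issued the certificate your connection actually received, written as a small Python script. The two sample certificates, the organization names and the `EXPECTED_ISSUERS` list are constructed for illustration; `probe()` runs the same check against a live host.

```python
import socket
import ssl

# Constructed samples in the dict format returned by ssl.SSLSocket.getpeercert().
CERT_DIRECT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
CERT_INSPECTED = {"issuer": ((("organizationName", "Example Corp IT"),),
                             (("commonName", "Example Corp TLS Inspection Root"),))}
# Assumption: issuers you noted for this site earlier, on a network you trust.
EXPECTED_ISSUERS = {"Example Public CA"}

def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_issuer(cert, expected=EXPECTED_ISSUERS):
    """Return (verdict, issuer name) for an already validated certificate."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName")
    if org in expected:
        return ("ok", org)
    # Chain validated but the issuer is not the usual one: typical of a device
    # that has an inspection proxy's root installed in its trust store.
    return ("unexpected-issuer", org or fields.get("commonName", "<none>"))

def probe(host, port=443, timeout=5.0):
    """Live check. Validation failure is the scripted 'big red warning'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return check_issuer(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return ("verification-failed", err.verify_message)

if __name__ == "__main__":
    print(check_issuer(CERT_DIRECT))     # constructed: direct connection
    print(check_issuer(CERT_INSPECTED))  # constructed: intercepted connection
```

On your own device without the proxy's root installed, `probe()` returns `verification-failed`; on a managed device that trusts the proxy, validation passes and only the issuer comparison shows the interception.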
-
But is it common for that stuff to get exploited in practice? By DNS intercept on public networks? I don't know, whenever I hear about it, it's people saying that it could be done, rather than it is being done. Seems that in practice, once you have that fake login page up, it's easier to just send phishing emails.
You can download ready-to-use frameworks/packages for such stuff. Easy enough for any script kiddie.
-
Additionally, if your card provider allows, have them send to your phone a text message for all transactions.
Otherwise, go to their website daily, and check the transactions.
Report anything suspicious, even if it is a very small amount. Many hackers "dip their toe" in the waters before making a huge purchase.
I know, I know....it is a hassle.
-
Last time I checked, metasploit didn't have a function to create rogue TLS certs trusted by mainstream browsers :-//
As for the rest, no argument. I learned low level networking as a kid by pwning strangers on local LAN, good times :-DD
edit
And again, the question was does it really happen, not could it happen ;)
Are there actual criminals who walk around hacking people in the public to obtain CCs, passwords, etc?
And I'm specifically not interested in bored teenagers doing it for fun and demos at security conferences ;)
-
Last time I checked, metasploit didn't have a function to create rogue TLS certs trusted by mainstream browsers :-//
I was talking about MITM tools for WiFi hotspots. And for TLS certs there are several methods to trick the user. The hotspot's captive portal can ask users to install a "special" cert for whatever reason. The bad guy could also try to get a valid cert from some CA which doesn't check applicants properly. Or he could set up a domain with a similar name, get a valid cert for it and play with DNS to redirect the user to his fake website. The CA system is broken anyway. DNSSEC and DANE could help to make things harder for the bad guy, but they're still rarely deployed.
BTW, the current update for Win10 includes a fix for a critical security issue with crypt32.dll (CVE-2020-0601). A few sites posted exploits for that already, and one makes a fake TLS cert look like a valid one.
-
my background is in networking; started at DEC in the mid 80's and went to cisco, juniper, lots of other networking companies.
I'm now in a network/system security group.
I've also personally interviewed at 'firewall' vendors who were PROUD to show me their man-in-the-middle attacks on https and ssl.
I've grown to distrust any corporate firewall. https is mostly untrustable for lots of reasons (not the math, but other reasons).
and, if you have a system that was built by your company (its IT department), 95% chance it has pre-installed certs that let THEIR firewall decrypt everything you think you encrypted. again, it's a mitm attack and every company over a certain size (in the US) does this. and your corporate laptop also has so much spyware on it from corp IT. just don't even log into personal email from a corp laptop.
phones are worse. I never trust a phone for banking or anything critical. I don't control my phone. even rooted phones; I don't trust it since you don't have access to all the layers in the phone architecture (and there are many levels of access; it's sickening, to be honest).
wifi encryption is broken. some think even higher end protocols are NSA broken. I have my doubts but I would not be surprised either way.
securing your system is hard. securing someone's network is not your job and you have no control over it.
bottom line: I know how bad things are and so I don't trust it. I don't install ANY apps on my phone that I don't truly need. less attack vectors. I don't run windows for anything sensitive. I don't use the company laptop for ANY personal stuff (not once did I type in a password of my home account).
cellular is a lot safer as the carrier secures that. if you insist on doing secure things over a network, cellular is at least a step up from wifi.
and I'd still run a vpn over the cell connection, just to stop the carrier from sniffing your traffic.