Good Sam Community

Oh boy lots of info here on internet security. Just got back from an extra long weekend thanks for all the very good input which I will go over when I get unpacked!

I used to use Kaspersky products but after the last election, I won't use any commie products. I just don't trust them.

I apologize for this thread drifting way off the OP.

I agree the comments are PC centric, and for a reason, the OP was a PC centric question and this is a PC centric forum. Luckily Googles search algorithms have come a long way in being able to determine the context of this post.

Comments re TLS were never meant to say that TLS is not used by banks in other ways like back end transactions, what the defaults are or are not or the security posture of individual American banks, I will not weigh in on that, as I believe that was not the intention of the OP or my comments, they were PC centric and in the context of the security of using the net as a whole in a public place. Context is important in that statement. I apologize if the context was not clear.

Your comments re the green padlock is probably the biggest step users can take to ensure they are not a victim of a man in the middle attack when surfing with https. A green padlock does not guarantee you are secure to the destination (ie bank), it means you are secure to someone and that someone could be the attacker. A man in the middle attack is no different than Deep Packet Inspection, which many large organizations rely on to be able to watch encrypted traffic in their organization. By clicking on the padlock and VERIFYING who the certificate issuer is, is the only way to ensure that you are secure to the destination you think you are. The point though, is that https is not a guarantee that your traffic is safe, it is a good start, add to that having an up to date OS and browser goes further.

It is important to note that this is not a conversation about American banking security, but overall security when surfing in public places and American banking is only a small piece of the conversation. We rely on many other sites and services to put personal information in than just Bank of America or Chase and these sites and services like the campground itself, may not have the same access to security staff or security posture as a large American Bank.

The other thing to consider, is that TLS and many other security protocols and encryption algorithms are ASSUMED to be safe. Up to a few years ago OpenSSL was assumed to be safe and Revenue Canada, an organization that cannot be argued that security is of the upmost importance fell victim to a flaw a few years ago. It is not a question of if current security protocols will be compromised but when and for how long before it is discovered and patched.

VPN's are absolutely about trust, you need to trust the service you are using to secure your traffic. There is a wealth of good information on the trust of each specific VPN service. You can NEVER guarantee public WIFI is secure (sometimes it maybe under some circumstances), but based on peer and professional reviews and public disclosure you CAN determine if a VPN service can be trusted. Which is why my original comments stated that browser based or free VPN services may not be the best option as you many not be able to verify trust.

I think we can agree that regardless of the specifics, the point of this thread is the OP wants to be secure in a public place and there are different ways to do this, and different sites and services have different levels of security. But I will say it again, the single biggest way to avoid being a victim is to not be the lowest hanging fruit. Not using an old or not updated OS goes a long way, and using a trusted VPN goes a long way as well. Does this mean that you will prevent hacking, no never, but not being the low hanging fruit goes a long way to hackers passing you over when surfing in a public place.

Sorry for any insult my comments have caused.

I'm not going to get into a discussion about this but instead present some alternate facts so that someday, if someone googles TLS and happens to find this page, they will have some food for thought.

The statement "TLS is not used by the banks per se, it is used by the browser to negotiate a connection to the bank" is simply untrue. You should try expanding your internet research and include the term "OpenSSL". We use this Open Source library to provide TLS 1.2 encryption services so a number of our outward-facing applications. And not just to browsers but also to the wire services for inter-bank transfers (high-value transactions).

"It is also a newer option that has only been the default connection method in the past few years "if" you are fully up to date" I don't know of any financial institutions that are not supporting TLS 1.2 (still effective even though it is now obsoleted by 1.3) as the default protocol. Our software is set to not downgrade to TLS 1.1 and I am pretty sure we are not the only geniuses that figured out the liability of automatically degrading our customer's security by falling back to a dangerous protocol without telling them. I urge people to click on the green padlock in the address bar of their favorite browser, then click Details, and confirm they are connected using TLS 1.2 and AES 256.

I think the issue is that you have a PC-centrist view of banking and not a good comprehension of how the back ends work. A browser is nothing more than an example of an application program that uses Internet protocols, lots of other applications use the same tools but are not browsers.

Regarding the topic of a VPN, I use one for work every day so I don't have to ever be in an office somewhere and I believe they have their place. If using a VPN makes one feel comfortable that's fine - as long as you remember that the VPN provider is the one collecting all of the information about your travels around the web, instead of whoever provided you access to the Internet. Since I have complete faith in the security protocols we use in our banking software and those same protocols are employed by the browser on my PC, I don't worry about using a VPN and, quite frankly, I don't care who knows where I've been on the web. It's a choice.

Dave

magicbus wrote:
Man in the middle can be enacted if a connection uses older security. It cannot (yet) be enacted against the latest TLS encryption, which I am quite sure all banks use. You can check your bank's encryption easily by clicking on the padlock. We rely on TLS 1.2 for all of our communication encryption needs for the banking software we develop, and we transfer trillions of dollars every day, even using HTTPS as one of our protocols.

Dave

I did not want to bore those not interested in the specifics of security. To clarify for those who are interested, TLS is not used by the banks per se, it is used by the browser to negotiate a connection to the bank, it is one of several options for negotiating an HTTPS secure browser connection. It is also a newer option that has only been the default connection method in the past few years "if" you are fully up to date. Many people, especially those who do not have easy access to broadband to download major updates or are hanging on to old computers using older OS's can be using browsers that are more vulnerable than others. Both scenarios are more common in the RV community due to less reliable access to unlimited or high speed internet. Add to that, we are often using easy to spoof public shared WIFI far more frequently when on the road and many mobile people purposely choose to turn off updates (like the ones that enforce TLS and disable SSL) to save bandwidth.

There are also too many other ways to exploit computers, some of which are not discussed in this thread, or many of which have not yet been published or patched, and there will be many more to follow them after they are published and patched.

The use of a VPN almost completely eliminates all of these potential risks some of which are very easy to exploit. It is a simple to setup and reasonably priced solution to avoid being the easy to target low hanging fruit that hackers look for.

Man in the middle can be enacted if a connection uses older security. It cannot (yet) be enacted against the latest TLS encryption, which I am quite sure all banks use. You can check your bank's encryption easily by clicking on the padlock. We rely on TLS 1.2 for all of our communication encryption needs for the banking software we develop, and we transfer trillions of dollars every day, even using HTTPS as one of our protocols.

Dave

magicbus wrote:

theoldwizard1 wrote:


Besides is all https data encrypted end to end ?

Yes, which is why I never worry about doing banking no matter where I am. In fact someone videoing me in a public location as I type in my ID and password is a much greater threat.

Dave

Be worried, a man in the middle attack can still defeat https and it is really easy to do, a kid can do it, and you would never know it was done. It does not crack the encryption, it simply replaced the trusted certificate with an alternate trusted one created by the hacker so you end up unknowingly trust the wrong person and send your encrypted traffic to them to decrypt instead. This is the exact reason why a VPN is so important

Also this seems to come up in the forums regularly, why would they attack a RV park. Working in IT security, I can think of no better place then going to Myrtle Beach, Florida, Arizona or Texas in the winter when the mega RV parks are full of hundreds or thousands of middle class retirees packed in like sardines, with lots of money in their bank account, high limits on their credit cards and a paid off mortgage, no IT security specialist on staff to ensure the RV park network is safe, and a belief by the guests (just like people on this thread) that they are safe in an RV park. I am just surprised someone with less honest intentions has not thought of this. A single man in the middle attack from the gate of an RV park could jeopardize every single person in the park without them ever knowing it happened.

If you always assume that the WIFI network "joes RV Park" is not actually put up by Joe, assume that your traffic is being passed thru someone else (man in the middle attack) and decrypted before being reencrypted and that smart algorithms are looking for things like credit card numbers and logging them unless you are using a VPN. Don't assume this because it is likely to happen but because it is easy for someone to do.

theoldwizard1 wrote:


Besides is all https data encrypted end to end ?

Yes, which is why I never worry about doing banking no matter where I am. In fact someone videoing me in a public location as I type in my ID and password is a much greater threat.

Dave

we use kaspersky vpn that is available with kaspersky security.

naturist wrote:

Except that unless you ALSO set up encryption, your communications back and forth to that router are out in the open for anybody with a radio to monitor.

True !

But now we are discussing a topic like the use of mechanical locks. "Locks keep honest people honest !" Given enough time ANY LOCK can be defeated.

I kind of doubt that any hacker is going to sit and monitor the air wave hoping to to catch a password into someone bank account at an RV park. There are much bigger fish to go after that would require less time and effort.

Besides is all https data encrypted end to end ?

I use either Comodo Dragon, or Yandex browser, both of which have built in VPN's and feel safe with that. I believe the Opera browser also contains a VPN.

There are some good paid VPN's available, such as Nord VPN and Express VPN. You may wish to check them out, also, in addition to the others mentioned on this thread.

theoldwizard1 wrote:
Install your own wifi router with password.

Except that unless you ALSO set up encryption, your communications back and forth to that router are out in the open for anybody with a radio to monitor.

Kaspersky Secure Connection works like IPVanish only quicker, easier and cheaper.. jmho.