How Safe Is SSL In a Public Place (Airport/Coffee Shop)
If someone is monitoring all of the traffic on a network, and then I connect to it, and log into a website that is protected with SSL - is there any security risk?
windows-7 wireless-networking security ssl
edited May 21 '11 at 5:09
Jeff F.
asked May 20 '11 at 16:42
Rob
2 Answers
Some, but there is risk everywhere.
Extra diligence is required, however, to ensure that your certificate is valid.
Never accept a self-signed or expired certificate in this scenario (you'll see security warnings from modern browsers). Click on the lock next to your URL to ensure everything looks good!
Ensure the site is using complete SSL and not mixed mode (some elements encrypted, others not, or login via HTTPS and pop back to HTTP after) and you should be alright to use it.
edited Jan 17 at 15:29
answered May 20 '11 at 16:44
Jeff F.
5
To elaborate on this some, the site must be using an SSL certificate issued by a legitimate and trusted CA (if it is, your browser will silently accept it), and you must make sure that you don't ignore any warnings that the certificate may not be legit. If the site is using a self-signed certificate, an expired certificate, or one that is issued by a CA your browser doesn't know/trust, verifying that you're connected to the site and not an attacker's computer becomes extremely difficult.
– Kromey
May 20 '11 at 16:51
@Kromey True enough. And make sure you're using a modern browser.
– Jeff F.
May 20 '11 at 17:24
3
For what it's worth, there are concerns about the "chain of trust" concept used by the CA system, as it turns out that several smaller CAs have been issuing incorrect certificates for major websites. You aren't likely to be affected, but it is possible.
– Lukasa
May 20 '11 at 17:24
@Lukasa True, but exploiting this would require quite the conspiracy and there are easier ways to gain access to data.
– Jeff F.
May 20 '11 at 17:27
@Jeff F.: Oh, absolutely, and I don't spend my day-to-day life panicking about every SSL certificate I see. Nevertheless, it is worth noting that an SSL-based impersonation is not theoretical.
– Lukasa
May 20 '11 at 17:33
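Added example (not part of the original answers or comments): a small Python scanner for the "mixed mode" condition the answer above describes, flagging subresources, form posts and links on an HTTPS page that would go over plain HTTP. The `scan` function, the finding labels and the `example.test` sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute holding the URL the browser fetches, submits to, or navigates to.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action", "a": "href"}

class MixedContentScanner(HTMLParser):
    """Collect URLs on an HTTPS page that would travel over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("page itself is not served over HTTPS")
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is None:
            return
        # Resolve relative and protocol-relative URLs against the page URL;
        # those inherit https and are therefore not findings.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme != "http":
            return
        if tag == "form":
            kind = "insecure-form-post"   # submitted data leaves over HTTP
        elif tag == "a":
            kind = "downgrade-link"       # navigation drops back to HTTP
        else:
            kind = "mixed-subresource"    # element fetched unencrypted
        self.findings.append((kind, tag, absolute))

def scan(page_url, html):
    """Return the list of plain-HTTP references found in `html`."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup (not taken from any real site).
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/lib.js"></script>
<img src="//img.example.test/logo.png">
<form action="http://shop.example.test/login" method="post"></form>
<a href="http://shop.example.test/account">My account</a>
"""

if __name__ == "__main__":
    for finding in scan("https://shop.example.test/login", SAMPLE_HTML):
        print(finding)
```

The relative stylesheet and the protocol-relative image are not reported because they inherit the page's HTTPS scheme; the script, the login form and the account link are.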
If you haven't pruned the CA root list in your browser then you shouldn't feel great about having privacy from government entities - otherwise if your system is patched/current and so is the server's and you are doing reasonable validity checking (expiration, chain validity, certificate status) you are probably in reasonable shape against unsophisticated attackers.
answered Aug 18 '11 at 19:47
Ram