Accessing Financial Web Sites on a Public Connection

On 04/05/07, keluina <keluinaearthlink.net> wrote:

> If one can safely assume that the browser's 128-bit encryption has not been hacked and the user's computer is free of spyware, it seems to me accessing a secure server on financial web site via a public (unsecured) network on your "clean" personal computer is not a risky action. Is my understanding correct or have I missed something?

Your understanding is correct. Mossberg is being paranoid here. For
exemple my bank is using AES 256, which is unbreakable, at least by
mere mortals and companies; who knows what gouvernments and military
can do, see I can be paranoid too! If the browser and server don't
have a security flaw in their implementation of the protocol, your
data is safe.

Besides he wrote "unless you are on a network that you can control and
secure, such as a home or office network": unless you're the network
admin of the company, you don't control the office network at all!
Worse, any network admin (like me if I worked for your company) could
capture your traffic with the right tools, and try to play
man-in-the-middle if a protocol (or its implementation) is insecure.
And let's not talk about WEP Wi-Fi networks at home...

-Thomas

At 21:58 on 03-05-2007, keluina wrote:
> In the 3 May 2007 Wall Street Journal (pg B3), Walter Mossberg
> wrote in his column Mossberg's Mailbox, "... the bottom line is
> that, unless you are on a network that you can control and secure,
> such as a home or office network, I wouldn't advise accessing
> financial accounts online, or performing financial transactions. I
> wouldn't trust sensitive online transactions to any public Internet
> connection, such as those at motels. ..."
>
[...]
> If one can safely assume that the browser's 128-bit encryption has
> not been hacked and the user's computer is free of spyware, it
> seems to me accessing a secure server on financial web site via a
> public (unsecured) network on your "clean" personal computer is not
> a risky action. Is my understanding correct or have I missed
> something?

My understanding is the same as yours. Especially since, while you
may control your home or office network, once it leaves your network
it travels on 'public' connections that you have no control over. If
browser security relied on the person browsing having full control
and knowledge of the networks their data passes over, it would be a
pretty flawed security model.

_________________
=> Jolin

At 9:58 PM -0700 5/3/07, keluina wrote:
>If one can safely assume that the browser's 128-bit encryption has
>not been hacked and the user's computer is free of spyware, it seems
>to me accessing a secure server on financial web site via a public
>(unsecured) network on your "clean" personal computer is not a risky
>action. Is my understanding correct or have I missed something?

If an attacker controls the network you are using, then he can set up
a DNS server that maps www.yourbank.com to a phishing site. Whether
that's successful depends on how careful you are at checking things
out.

Suppose you type "www.mybank.com" into the browser. Normally, this
connects to http://www.mybank.com/, which will often send a redirect
to "https://www.mybank.com/". If the attacker controls the network,
he can make http://www.mybank.com/ go to his own site. Unless you
carefully inspect the browser address bar to see if it says "https"
you may think you're connected to the bank's site.

In other cases, a bank's home page is on a non-SSL server, but it
contains a login form that talks to an SSL server. The attacker can
then change the form to post to an non-SSL server. In that case,
even if you notice that SSL isn't being used, you've already given
away your password.

Finally, if you use a browser on a public machine, then you have to
consider whether the attacker has planted a fake root certificate.
If so, then he can create certificates for any site that will appear
to be 100% genuine.

--
Larry Rosenstein
lrosensteincatsincharge.com

Some months or years ago there was a discussion of ways to work with this issue, using key / value / petname triplets. I think it was in Bruce Schniers CryptGram. Here it is

<http://www.schneier.com/blog/archives/2006/02/petnames.html>

Essentially on a "trusted" network, you validate a HTTPS server you might want to do business with. Later over any intermediate connection that may or may not be hijacked, you have verification that your connection is to the same computer. SSL then encrypts all data from your web browser to that server so all men in the middle can't watch your data.

I use the FireFox 'Petname tool' extension which implements this system. Not that I've ever seen anything hijacked, it is just a minor piece of security. As with most all trust situations, the initial setup is key to maintaining a trusted situation.

Mikey Reppy