Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
WiFi Security
Old 05-11-2019, 03:06 PM   #1
Recycles dryer sheets
COZICAN's Avatar
 
Join Date: Aug 2018
Location: YUKON,OK
Posts: 226
WiFi Security

I have never done anything financial on my phone other than look at my credit card or bank statement and even then I always do it under my secure wifi connection. That said....I'm wanting to buy an IPad mainly so I can sit in my backyard and do the things I normally do on my desktop. Do you feel secure accessing your VG, Fido, TDA etc accounts on your own secure wifi? What about on other wifi (restaurant, airport etc)? I've always been leery of wifi on general. But then again it is 2019.

Coz
__________________

__________________
Counting down to 01MAR21 @ 59.5
COZICAN is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 05-11-2019, 03:13 PM   #2
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee ba gum
Posts: 24,664
All of my devices, laptop, iPad and iPhone are connected to the internet via my home’s secure WiFi, so if I didn’t trust it I would never do any financial transactions electronically.

I never do financial transactions over public WiFi networks such as hotels, malls and cafes, however I do trust the data connection (3G, 4G etc) through my iPhone and often do financial transactions, particularly using Apple Pay which is everywhere here.
__________________

__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is online now   Reply With Quote
Old 05-11-2019, 03:33 PM   #3
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
I trust my home WiFi security and regularly check/update the router firmware.

Outside the home my phone will auto-connect to secure hotspots from my provider (Spectrum aka Time Warner) and I feel OK with that but don’t need to connect with financial institutions/brokerages, those can wait.

If I’m using a wide-open hotspot somewhere, I have a VPN available but not often used.
__________________

steelyman is offline   Reply With Quote
Old 05-11-2019, 03:52 PM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Sunset's Avatar
 
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 7,198
My home wifi is secure, so I'm comfortable using it. Wireless and wired.

Note, if you use wired at home to a router with wifi, and if the wifi is not secure, someone can get on your network to try to see your wired machine activity. So just using a wire does not mean nobody is looking.

I now have VPN to use when traveling so that makes me feel better about outside use, even just getting email.
__________________
Fortune favors the prepared mind. ... Louis Pasteur
Sunset is offline   Reply With Quote
Old 05-11-2019, 03:52 PM   #5
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,517
If you have to type a password for the WiFi and your connection is https, it's probably going to be fine. If it's your own home wifi and has a non obvious password, you're fine because your devices will be the only ones connected. In a restaurant WiFi, if you have to type a password, you're in ok shape, but there's the possibility that bad actors are also on the restaurant LAN and so your device could be attacked. But if you apply updates to your OS, then there are probably no attack vectors open for exploitation. In any case, I don't use wifi without the lock/password (don't use open WiFi) for any web browsing that requires a password. You can tell which of your friends use open WiFi when you see spam emails coming from them.
sengsational is offline   Reply With Quote
Old 05-11-2019, 05:08 PM   #6
Thinks s/he gets paid by the post
Car-Guy's Avatar
 
Join Date: Aug 2013
Location: Citizen of Texas
Posts: 3,322
With security enabled on my personal wireless router (e.g. WPA2), sure.
Car-Guy is offline   Reply With Quote
Old 05-11-2019, 10:22 PM   #7
Recycles dryer sheets
 
Join Date: Nov 2017
Location: Rapid City, SD
Posts: 185
So long as your web transactions are to sites that connect via https rather than http, the security or lack thereof on the WiFi connection isn’t important. Your communication is encrypted within your browser and decrypted at the destination host. Furthermore, the browser authenticates the destination to ensure it isn’t being faked. Only sites like early-retirement.org which allow or use http connections are at risk. Any username and password you use when logging in to this site goes over the Internet in clear text. WiFi security may encrypt the hop from mobile device to the wireless access point, but doesn’t help for the remaining router hops to the destination unless each in turn uses link-layer or transport-layer encryption. Even with all that the destination isn’t authenticated.

(Just before I retired, one project I worked on was a tool designed to stress test TLS software libraries to ensure they were robust and conformant to Internet standards(RFCs). TLS is the protocol used in https web connections.)
Cessna152 is offline   Reply With Quote
Old 05-12-2019, 06:49 AM   #8
Thinks s/he gets paid by the post
 
Join Date: Jan 2006
Posts: 3,700
Quote:
Originally Posted by Cessna152 View Post
........................... Only sites like early-retirement.org which allow or use http connections are at risk. username and password you use when logging in to this site goes over the Internet in clear text. .....................................
Thanks for your observation about this site. I had never noticed before that this site (unlike any of the 10 other sites I have on my toolbar) does have the plain http (w/o the s) when using it. However I believe that when you log in, it does have the https but switches to http after log in step is completed.......at least for my Mac. Is there a security issue then if you are not posting "secret" stuff?
kaneohe is offline   Reply With Quote
Old 05-12-2019, 07:13 AM   #9
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
REWahoo's Avatar
 
Join Date: Jun 2002
Location: Texas Hill Country
Posts: 45,418
Quote:
Originally Posted by kaneohe View Post
Thanks for your observation about this site. I had never noticed before that this site (unlike any of the 10 other sites I have on my toolbar) does have the plain http (w/o the s) when using it. However I believe that when you log in, it does have the https but switches to http after log in step is completed.......at least for my Mac. Is there a security issue then if you are not posting "secret" stuff?
More info about ER.org security here: Not Secure
__________________
Numbers is hard

Charter resident of the lumpen slums of cyberspace

Retired in 2005 at age 58, no pension
REWahoo is offline   Reply With Quote
Old 05-12-2019, 07:29 AM   #10
Administrator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: lumpen slums of cyberspace
Posts: 29,830
Quote:
Originally Posted by Cessna152 View Post
.
Only sites like early-retirement.org which allow or use http connections are at risk. Any username and password you use when logging in to this site goes over the Internet in clear text. WiFi security may encrypt the hop from mobile device to the wireless access point, but doesn’t help for the remaining router hops to the destination unless each in turn uses link-layer or transport-layer encryption. Even with all that the destination isn’t authenticated.
From the page REWahoo linked.
Quote:
Originally Posted by Janet H View Post
The login pages here are secure (httpS) but as noted by many, the rest of the site is not. We store no financial info or other sensitive content here and we long ago changed login pages (where password data is passed) to meet current security standards.

The primary reason for not changing the rest of the site is that we have thousands of links in posts to offsite images and content that are not https. ALL those links would break. As the www updates it will be easier to make this change but for now we would rather retain that content then break it.
MichaelB is offline   Reply With Quote
Old 05-12-2019, 07:34 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
DFW_M5's Avatar
 
Join Date: Sep 2003
Location: DFW
Posts: 5,500
Quote:
Originally Posted by Car-Guy View Post
With security enabled on my personal wireless router (e.g. WPA2), sure.
Bingo, if you are not using WPA2, I would not call your home network secure.
__________________
Doing things today that others won't, to do things tomorrow that others can't. Of course I'm referring to workouts, not robbing banks.
DFW_M5 is offline   Reply With Quote
WiFi Security
Old 05-12-2019, 07:41 AM   #12
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
WiFi Security

When using Web browsers, it’s easy to tell if you’re on a secure connection either through the “https” URL/protocol displayed or some type of lock symbol shown by the browser.

I wonder (due to my lack of knowledge) about mobile apps. Are there standards in the underlying software that enforce security/encryption between the app and its connections to external systems?

For example, I just logged in to my Fidelity account using their app, which I expect is very secure and requires authentication through explicit password or other ID (touch, face), but see no indication on the app that the connection is secure.
__________________

steelyman is offline   Reply With Quote
Old 05-12-2019, 09:22 AM   #13
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Columbus area
Posts: 2,134
Quote:
Originally Posted by steelyman View Post
When using Web browsers, it’s easy to tell if you’re on a secure connection either through the “https” URL/protocol displayed or some type of lock symbol shown by the browser.

I wonder (due to my lack of knowledge) about mobile apps. Are there standards in the underlying software that enforce security/encryption between the app and its connections to external systems?

For example, I just logged in to my Fidelity account using their app, which I expect is very secure and requires authentication through explicit password or other ID (touch, face), but see no indication on the app that the connection is secure.
All iOS applications are currently required to use App Transport Security - which is built on https and enforces TLS 1.2 (1.3 was ratified in the last year, so I expect they will be moving to this level soon). This doesn't apply to websites in a browser, but apps downloaded via the App Store.
mpeirce is offline   Reply With Quote
Old 05-12-2019, 09:31 AM   #14
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
Quote:
Originally Posted by mpeirce View Post
All iOS applications are currently required to use App Transport Security - which is built on https and enforces TLS 1.2 (1.3 was ratified in the last year, so I expect they will be moving to this level soon). This doesn't apply to websites in a browser, but apps downloaded via the App Store.

Thanks! A quick Google search turned up more details on App Transport Security, of which I was formerly unaware. Apparently introduced in iOS 9 and MacOS v10.11.

As an Apple device user, I feel a bit more confident. All before brunch!!
__________________

steelyman is offline   Reply With Quote
Old 05-12-2019, 10:12 AM   #15
Thinks s/he gets paid by the post
 
Join Date: Apr 2010
Posts: 2,897
I do not know what secure is these days. It keeps changing as the black hats outsmart the latest white hat security fix.

We do not like accessing our finances when we travel but we really have no choice. We are of course as careful as we can be in using public wifi or ATMs. No issues yet after 8 years of frequent international travel. We never pay with a debit card when travelling. Either cash or credit card.
brett is offline   Reply With Quote
Old 05-12-2019, 10:17 AM   #16
Thinks s/he gets paid by the post
timo2's Avatar
 
Join Date: Jul 2011
Location: Bernalillo
Posts: 2,003
I did add a VPN to my phones for use away from the house. I have it set not to go on when using my home wifi or a cellular network. However, if I'm doing anything financial away from my house, I will turn the VPN on, even on a cellular network.
__________________
"We live the lives we lead because of the thoughts we think" Michael O’Neill

"We can cannot compel others to do our will" Norman Goldman
timo2 is offline   Reply With Quote
Old 05-12-2019, 11:10 AM   #17
Thinks s/he gets paid by the post
mpeirce's Avatar
 
Join Date: Feb 2012
Location: Columbus area
Posts: 2,134
VPNs seem like be a good idea except that there are many VPN's that are black hats.

I wouldn't trust a "free VPN" or even paid ones unless you trust the company offering it. And it's hard to know who to trust. You can trust your employer's VPN, but who has one of those!!!

Search (may I suggest DuckDuckGo) for "VPN scams" and read all about them.

Unless you are trying to hide your location (for Netflix say) a VPN doesn't really buy you much if the apps you are using are using good security practices. I would *hope* Fido, Vanguard, most banks, etc. do so.
mpeirce is offline   Reply With Quote
Old 05-12-2019, 11:22 AM   #18
Thinks s/he gets paid by the post
Gotadimple's Avatar
 
Join Date: Feb 2007
Posts: 1,996
When away from home and using free wi-fi (even the login kind), I use a VPN along with my browser to access email or the internet. The whole reason to use free wifi is to avoid data charges. On my phone, if I should need to access my bank, I use the bank's app, not my browser - with VPN turned off!

VPN hides the IP address, and banks will refuse entry to their sites if they can't see your location. Using their app removes the issue and the entire transaction is secured. The only other alternative to doing financial transactions when away from home is to use a phone with data turned on.
__________________
Only got A dimple, would have preferred 2!
Gotadimple is offline   Reply With Quote
Old 05-12-2019, 11:38 AM   #19
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,517
https is good, but you still are trusting the WiFi hotspot. The attack vector is a man in the middle where you ask for https:/BofA.com, and it sends you to https:/B0fA.com and presents you with an identical login page. It's a fairly sophisticated attack, but not unheard of.
sengsational is offline   Reply With Quote
Old 05-12-2019, 01:24 PM   #20
Recycles dryer sheets
 
Join Date: Nov 2017
Location: Rapid City, SD
Posts: 185
Quote:
Originally Posted by sengsational View Post
https is good, but you still are trusting the WiFi hotspot. The attack vector is a man in the middle where you ask for https:/BofA.com, and it sends you to https:/B0fA.com and presents you with an identical login page. It's a fairly sophisticated attack, but not unheard of.
https is designed to avoid that type of man-in-the-middle (mitm) attack. It uses public/private certificates and keys. The browser asks BOfA.com to send a confirmation encoded with BofA.com’s private key. The BOfA.com guy doesn’t have BofA.com’s private key, so encodes using its own. When the browser then attempts to decode using BofA.com’s public key it wont decode correctly and the mitm attack will be detected.

One may ask how the browser got BofA.com’s public key and not BOfA.com’s public key - well a browser is pre-populated with a handful of public keys of central “certificate authorities” (CA) (https://en.wikipedia.org/wiki/Certificate_authority) that are trusted repositories of certificates/public keys of other sites, such as BofA.com. There are some techniques designed to minimize problems with tainted browsers containing subverted CA certificates or keys. One has to both subvert the CA keys in the browser and intercept and respond to all traffic appropriately to fake the user. Exceedingly hard to pull off.

Lots of material on the net explaining how some of this stuff works - but I haven’t run across any simple explanations.
__________________

Cessna152 is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Android WiFi Experts? Wifi Auto Switches to Xfinity marko Other topics 5 02-11-2015 08:49 AM
A question about random wifi security haha FIRE and Money 16 08-27-2014 04:27 PM
Security on Municipal WiFi Service kaneohe Other topics 1 11-28-2009 07:37 PM
Improved WIFI While Traveling yakers Other topics 9 01-20-2008 05:26 PM

» Quick Links

 
All times are GMT -6. The time now is 12:21 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2019, vBulletin Solutions, Inc.