 cerdan
join:2008-01-02 | How safe is my campus WiFi network?
The WiFi network at my school is unsecured but it requires login with the school's user ID and PW. How secure or unsecure is it if I do financial transactions over it with HTTPS? Thanks! |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T Midwest
| An HTTPS transaction is safe, providing that a bogus certificate is not being used.
If the campus network is unsecured, I would be a bit more worried about the network login information being stolen (unless that part is secured).
Some campuses use an unsecured WiFi, but require that you establish a VPN connection over that network before you can connect to anything. That's normally pretty safe. -- AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14 |
|
 cerdan
join:2008-01-02 | How can you tell if it's VPN or not? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | The output of "ipconfig /all" would show a VPN adapter if you are using a VPN. |
|
 cerdan
join:2008-01-02 | Is this what you mean by VPN adapter?
»www.isaserver.org/img/upl/2004dh···2251.gif |
|
 docrice
join:2008-03-31 Fremont, CA
| A VPN adapter is essentially a virtual interface driver that's used to encapsulate your data within another encrypted framework (PPTP, L2TP, IPSec, SSL, etc.) and forward it onto a destination gateway where it's decapsulated and routed along its merry way. Unless your machine is managed by your school and / or there's some automation involved with a connection manager client, you'll know if you've initiated a VPN connection or not. Windows has a built-in PPTP and L2TP VPN client, but hardly anyone really uses these anymore as everyone's in the IPSec / SSL ballpark now (Cisco IPSec VPN, Cisco AnyConnect, Check Point SecureClient, Aventail Connect, Nortel Contivity, Juniper Secure Access SSL, NetScreen, etc.).
That said, your school's Wi-Fi campus access network might merely encrypt the login credentials, but everything else is clear. This is pretty typical at public hotspots as well (like T-Mobile locations) where manual or automated GIS logins are done through an SSL session, but all data after that is in cleartext. If you have an established SSL session with the bank directly, on the other hand, you're fine (assuming the certificate trust chain has not been compromised).
Some larger universities implement campus-wide credential provisioning in the form of user-specific digital certificates or passwords in order for you to enable 802.1X / EAP-TLS / PEAP / EAP-TTLS type authentication and subsequent WPA-based encryption on a dynamically generated session key. Those tend to be the best Wi-Fi security measures, although they're not the easiest to set up either. |
|
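An added example, not part of any post in this thread: one way to automate the `ipconfig /all` check suggested above by parsing the output into adapter blocks and reporting only tunnel adapters that actually hold an address. The sample output is constructed, and the hint list and function names are assumptions chosen for illustration.

```python
import re

# Substrings seen in the type/description of virtual adapters that VPN clients install.
# Assumption: illustrative list, not exhaustive.
VPN_HINTS = ("ppp", "vpn", "tap-win32", "anyconnect", "virtual miniport")

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
        IP Address. . . . . . . . . . . . : 10.20.30.40

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9

PPP adapter Campus VPN:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 172.16.5.9
"""

HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")   # e.g. "PPP adapter Campus VPN:"
FIELD = re.compile(r"^\s+([^.:]+?)[ .]*: ?(.*)$")    # e.g. "   IP Address. . . : 1.2.3.4"

def parse_adapters(text):
    """Split ipconfig /all output into one dict per adapter block."""
    adapters = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            adapters.append({"type": h.group(1), "name": h.group(2), "fields": {}})
            continue
        f = FIELD.match(line)
        if f and adapters:
            adapters[-1]["fields"][f.group(1).strip()] = f.group(2).strip()
    return adapters

def vpn_adapters(text):
    """Return (name, address) for VPN-looking adapters that have an address, i.e. are up."""
    hits = []
    for a in parse_adapters(text):
        label = (a["type"] + " " + a["fields"].get("Description", "")).lower()
        addr = a["fields"].get("IP Address") or a["fields"].get("IPv4 Address")
        if addr and any(hint in label for hint in VPN_HINTS):
            hits.append((a["name"], addr))
    return hits
```

An installed but disconnected client (the TAP adapter in the sample) is not reported. A reported adapter shows a tunnel is up; whether all traffic goes through it depends on the routing table (`route print`).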
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to cerdan You also might consider using SSL enabled email if your provider/ISP has that feature. Mine does not so as a workaround I use a Gmail account to receive/send email while at public hotspots, etc. In my case I set up Gmail to fetch personal email from my ISP. I do that while traveling. The screen shot details how I have Gmail set up to do that. The nice thing about this is I can access my email securely from anywhere via a web browser and reply with my normal ISP email address.
I would also make sure the Windows Firewall (or any software firewall you're running on your laptop) is configured to block all incoming traffic while at a public hotspot. See the Laptop guidance firewall and network configuration for public wireless hotspots section on this page.
»theillustratednetwork.mvps.org/L···ity.html
Beyond all that there are a lot of threads about hotspot security including setting up a VPN or SSH connection back to a home PC and either accessing the internet through that or running Remote Desktop/VNC on a home PC and accessing the internet that way, i.e. just like you were sitting in front of it. You just need to do a search. -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
 Ravenheart
join:2006-02-10 Berkeley, CA
| I've had good luck using port forwarding over an SSH connection in public hotspots. Besides the security, it lets me send e-mail with my usual client to the SMTP server, avoiding port 25 issues.
With the Web, it came to me that my choices were to add a connection for every site I visited or to use a proxy server. (Did I overlook something?) Fortunately, I have an ISP that maintains a proxy server that's reasonably fast.
The one missing piece is FTP, but I can just FTP files from the command line of my ISP account and send files up/down with SFTP or Zmodem. |
|