In a word…YES. You are secure when you are using a bank’s website, even if you are using an open Wi-Fi network like many campgrounds offer.
The reason is something called Secure Sockets Layer (SSL). Go to your bank online and look up at the browser bar where the URL (website address) is shown. Do you see the HTTPS://? The S at the end of HTTP stands for SECURE. (You may also see a little padlock icon or something similar, depending on the browser you use.) This tells you that your connection, from your computer to the bank’s server and back to you, is secured using encryption.
In fact, any site you use that shows HTTPS, such as Gmail or even Facebook, is secure. What that means is that the information sent and received is protected by a “key” that your browser and their server set up between each other before anything else is sent between them.
So yes, you are secure when using your bank or other services even on an open Wi-Fi network, as long as the site is HTTP’S’. I bring this up because people sometimes mistakenly think that Wi-Fi security is the protection. This is not the case. Wi-Fi security only protects the Wi-Fi connection between the computer and the access point or router. If a password is used to get on the park Wi-Fi, that password is only used to connect to the Wi-Fi network, like a key giving you access through a door. It does also encrypt the data in the air, but ONLY between you and the access point you are connecting to. After that, and surely not on the Internet, it is not encrypted. However, that is where the HTTPS talked about above comes into play. HTTPS is fully encrypted from your computer on out and back. So, you are secure.
With that said, being on an open Wi-Fi network does come with a small risk of someone using a wireless “sniffer” to try to gather all the data packets you are sending and read them, no matter what it is you may be transmitting. But even with that, any time you are on an HTTPS website, even that “sniffed” data cannot be read.
Now, all bets are off if you have somehow gotten a virus, malware, or spyware on your computer; then not even HTTPS can help if someone is tracking your keystrokes. So please be sure the computer you use is protected by some sort of anti-malware or anti-spyware program.
Care for someone else’s word on it? See this video provided by Google about HTTPS:
For how to have better Wi-Fi and Internet in your RV, see RV internet and RV Dedicated Wi-Fi
Hi David —
It is true that https traffic is encrypted and is extremely unlikely to be listened in on… But – a sniffer on the network can see what sites you are going to, and it can see everything you do on unencrypted sites.
One often overlooked weakness is that a lot of people use the same login ID and password for all the sites they visit. So a hacker sniffing a network will log the passwords used on regular insecure forums, and also log the secure sites visited – and then will try the passwords from the insecure sites to break into the secure sites.
The most important rule of internet security is to never ever use the same password on multiple sites. This is even more important than relying on https.
Thanks for sharing some good tips…
Yes, you are correct on UNENCRYPTED sites (http sites). But the topic was HTTPS and how any site that uses HTTPS is fine to use when connected to an open WiFi network. The #1 thing I hear is “I use my MiFi to do my banking as the park’s WiFi is not secure.” It is then I try to explain https and thought it was time to do it here for other RV’ers.
But yes, totally agree on password protection. To keep track of the passwords we use, we do not even use the browser to do it…we use 1Password to lock it down on our machine but with a password used at the machine, you have access to all your passwords. https://agilebits.com/onepassword So no need to remember all your different passwords all the time, just one, at the machine. :)
Take care, keep safe, and hope to run into you all on the road someday. (Well, not “run into”.) ;)
The warning I was trying to give was regarding using the same password on HTTP sites as on an HTTPS site. Hacking tools can’t listen in on HTTPS, but HTTPS does not hide what sites you visit from a sniffer. So the sniffer will log that you visited SecureBank, and that you then logged into an insecure forum with a given UserID/Password.
The hacker just needs to combine these two bits of data, and if you use the same password in both places you have essentially just given away your bank password – despite using HTTPS.
I am also a 1Password fan – it and tools like it are essential for avoiding getting bitten by password reuse attacks, which are very common.
Ah yes, and that is a very good point and very good advice to the readers.
See…you can teach old dogs new tricks…and I am a proud card-carrying member of AARP!!! (Proof that I am actually old!). I will need all the valuable information that you give out for when I win a mega lotto and actually can get a coach for us and our pack…it will be a Tiffin of course! Meanwhile, I will just keep traveling vicariously with you and Brenda and your kitties!
Love and hugs….
I use a similar WIFI setup. The Rogue Wave kit appears to be a re-branded Ubiquiti Bullet. I opted to mount the Ubiquiti amp on a 16ft telescoping mast (which I deploy only while setup in camp). The elevation optimizes the line-of-sight (In one instance over the crest of a hill). I’ve connected to usable WIFI at a mile distance. Here’s my setup: http://ronswanderlust.blogspot.com/p/blog-page_8637.html
Outstanding Roland! And yes, it surely is a Ubnt Bullet, but with custom firmware replacing the AirOS the Bullet would come with from Ubnt. But like I said, outstanding job on getting it into the air! Congrats!
HTTPS is not bullet proof – and has vulnerabilities that can be exploited.
—Link Removed – Sorry—
Thanks Bob for the reminder that things can surely happen. But the link you provided, now removed, had nothing to do with https. Https was not even mentioned in the “How to hack” link. It even read… “In this “Hack Like a Pro” tutorial, I’ll show you a very simple way to conduct a MitM attack and capture unencrypted traffic“.
It was a way to get in between the user and a server with a tool like WireShark. Which surely can and is done. But that would not allow for the https encryption to be broken if it is already established. So in that case, they could see the traffic, but not be able to read it. (As was mentioned in the video.)
I personally still have no issue using an open Wi-Fi on an HTTPS site. But surely agree with Chris to be sure to use different passwords as much as you can as I would consider a password data grab a greater risk. But you are surely right to say that things are never bullet proof. Thanks!
Interesting threads and thoughts, but in the end, missing the major problem with public hotspots: Four Words – Man-In-The-Middle. With this, yes, you CAN listen in on ‘encrypted’ traffic. OK, that’s not technically correct, but bear with me.
These are simple to implement. All I need are two devices (they can even run on a single machine). The first acts as a hotspot for the unsuspecting victim (you). This also acts as a proxy, taking any requests from you, and getting them from the other end, then delivering that information to you. All of our routers already do that for us. They take our requests from our private network, then use the public network to get the data, and return the results to us on the private network. What happens here is that the router/hotspot REWRITES our private address and port to a PUBLIC address so we can surf the Internet. This only impacts the addressing of data flows, BUT…
A PROXY takes that request then goes off and gets that information FOR YOU, and ultimately sends it back to you. We businesses do this all the time. This allows us to capture ALL internet traffic. We use it for Caching (to “speed” your access, and minimize internet usage/costs by maintaining a local copy of received data). We also use it for compliance monitoring. We can’t really read encrypted traffic, so what happens is that your HTTPS session REALLY ends on our proxy, which in turn reads your UNENCRYPTED REQUEST, and then establishes a new, separate HTTPS session between the proxy and wherever (Bank, Broker, China, hackers, etc). When the encrypted data is returned from your bank, we can then look at the UNENCRYPTED data (remember that session is between US and the Bank, Not YOU and the Bank). We do our compliance and data leakage analysis, and then send the results back to YOU on the HTTPS session between you and our proxy.
This is a GREAT thing to be able to do… if it’s good guys that are doing it. But the reason WHY good guys need to do it is because there are bad actors and malware that will extract our information from our machines and then use this HTTPS thing to phone home.
But it’s a terribly easy process. And we good guys KNOW that the bad guys are using it too.
Why not public/free wifi? Because YOU have no idea what is between you and the internet. That hotspot could be a malicious data-miner. If YOU own the hotspot/public IP, then YOU (should) know what’s between you and the internet, dramatically reducing the risk of MITM.
(And a note for all the uber geeks: yes, I know this is not terribly technically accurate, but I wanted to try to make it a little easier to understand.) How do I KNOW this is true? Because it’s what I do in my corp life. – amongst other stuff.
Yup, Man in the Middle is something that surely can make for issues anywhere. To make it simpler… Fake Wi-Fi Access Point. Even though it is fake, you do not know it is fake as it still gives you internet access so you are not aware. But the talk here was not about bad people doing bad things, it was general in regards to HTTPS. One would think that Man in the Middle is more geared towards coffee shops and other public areas vs an RV Park. But you do not know what you do not know. Thanks WannaBe.
When ready to log in to an https secured web page, simply click on the lock icon at the left end of the address line. The resulting popup window will indicate who the https certificate owner is and the name of the issuing authority. Man-in-the-middle attackers cannot easily fake this information. The attacker’s proxy site substitute certificate will either not reflect the name of the site you are logging onto or it will show an obscure certificate authority (e.g. something other than VeriSign, GoDaddy, etc.); or both.
Thank you kindly Ron. Great tip in this case if one feels they need to check when using a public Wi-Fi.
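The certificate check described in the comments above (who the certificate names and who issued it), written out as an added Python example that is not part of the original post or its comments. The host name, issuer names and both sample certificates are constructed for illustration; fetch_cert() shows how the same data would be read from a live connection, where the default context already refuses a certificate that does not chain to a trusted authority or does not name the host.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Return the validated peer certificate as the dict getpeercert() gives."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Match a DNS name, allowing '*' only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def issuer_org(cert):
    """organizationName from getpeercert()'s nested issuer RDN tuples."""
    pairs = [pair for rdn in cert.get("issuer", ()) for pair in rdn]
    return dict(pairs).get("organizationName")

def check_cert(cert, host, expected_issuer_org):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, host) for s in sans):
        problems.append(f"certificate does not name {host}: {sans}")
    issuer = issuer_org(cert)
    if issuer != expected_issuer_org:
        problems.append(f"unexpected issuer: {issuer!r}")
    return problems

# Constructed sample data in getpeercert() layout (not real certificates).
GENUINE = {
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "*.examplebank.test")),
}
INTERCEPTED = {  # what a re-signing proxy in the middle would present
    "issuer": ((("organizationName", "Hotspot Proxy CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"),),
}

if __name__ == "__main__":
    print(check_cert(INTERCEPTED, "www.examplebank.test", "Example Public CA"))
```

The issuer comparison matters most on a machine where an extra authority has been installed, as with the business proxy described earlier in the thread: normal validation passes there, but the issuer is not the one the site normally uses.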
David I saw on your videos that you use a Mac. What virus program do you use if any?
Do not run one on my Mac.