Why HTTPS alone won’t keep you safe on public WiFi
Posted on April 5th, 2019 by Richie Koch in Privacy & Security.
Most websites now use HTTPS to encrypt your connection and add an additional layer of protection to your data. But if you are on public WiFi, using HTTPS without a VPN means that some of your data will still be vulnerable.
Edit: An earlier version of this blog post could have been misunderstood as implying that TLS 1.2 has been broken. We have removed the section which can cause this confusion.
The Hypertext Transfer Protocol Secure, or HTTPS, encrypts the traffic between your device and a website, making it difficult for intruders to observe the information being shared. It also provides signatures, or HTTPS certificates, that allow you to verify that the site you are on is run by whoever it claims to be. HTTPS has become a standard security feature for nearly all websites.
If HTTPS encrypts your connection with a site, then isn’t public WiFi safe? Unfortunately, HTTPS does not encrypt all your data, like DNS queries. If you are using public WiFi without a VPN, you are putting yourself at risk.
How HTTPS works
HTTPS uses the Transport Layer Security (TLS) protocol to secure the connection between a web browser and a website. A protocol is simply a set of rules and instructions that govern how computers communicate with each other. The TLS protocol is the backbone of securing online connections. It’s what allows you to enter your login credentials, browse websites, or perform online banking without others seeing the contents.
TLS uses private-key cryptography. A key is simply a code for computers involved in message transmission, and a private key is one that is not open to the public. To ensure the integrity of their connection, your browser and the Internet server initiate a “handshake” by sharing a public key. Once the handshake is established, the server and browser negotiate private keys to encrypt your connection. Each connection generates its own, unique private key, and the connection is encrypted before a single byte of data is transmitted. Once the encryption is in place, intruders cannot monitor or modify the communications between the web browser and website without being detected.
TLS also supplies digital certificates that authenticate the credentials of websites and let you know that the data is from a trusted source (or a site that claims to be one). A digital certificate is issued by a certification authority.
This system still has certain vulnerabilities, as we will discuss below, but it is considered secure. The first vulnerability that using public WiFi without a VPN exposes you to is the fact that TLS does not protect domain name system (DNS) queries (yet).
What is a DNS query?
The domain name system translates human-friendly URLs into numerical IP addresses that computers can understand. For example, to visit our site, you type in the URL https://protonvpn.com, but your computer sees it as [185.70.40.231]. To find this number, your web browser uses what is called a DNS resolver, which is usually supplied by your Internet service provider. Think of this resolver as a sidekick who scurries around translating the URL of the site you wish to visit into its IP address.
Your DNS request is not encrypted. An intruder can observe your DNS queries and your DNS resolver’s responses to them. This leads us to the first attack you could suffer if you use public WiFi without a VPN: DNS leaks.
DNS leak
If someone were to monitor your DNS queries, they would have a list of all the sites you visited along with your device’s IP address. Given the weak security of most public WiFi hotspots, it would be relatively simple for an intruder to gain access to the network and then log your DNS queries. Your data could still be at risk even if there is no intruder because the resolver on the public WiFi could harvest your data itself.
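The following is an added example, not code from the original post: a small parser for the DNS wire format that shows exactly what a passive observer on the hotspot can read from an unencrypted query and the resolver's reply. The packets and the transaction ID are constructed inline; the IP address is the one quoted earlier in the post.

```python
import struct

def _read_name(pkt: bytes, off: int):
    """Decode a DNS name at off, following compression pointers (RFC 1035 s4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the packet
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(pkt: bytes) -> dict:
    """Everything a passive observer learns from one cleartext DNS packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record: IPv4 address in RDATA
            answers.append((name, ".".join(str(b) for b in pkt[off:off + 4]), ttl))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: the A-record query a browser sends (flags: RD only)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: same ID and question, then an A record whose name is
    a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + query[12:] + rr
```

Feeding `build_query("protonvpn.com")` and the matching `build_response` through `parse_dns` yields the visited hostname from the query and the resolved address from the reply, which is the list a hotspot operator or intruder accumulates in a DNS leak.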
DNS spoofing
A DNS leak allows an intruder to monitor your activity, but if an attacker spoofs your DNS requests, they can redirect you to a malicious site they control. Also known as DNS poisoning, this happens when an attacker pretends to be your DNS resolver. The attacker then spoofs the IP address for a target website and replaces it with the IP address of a site under their control. The URL would be the same as the site you were intending to visit, but the site would be under the control of the attacker. Modern browsers will generally alert users that they are on a site without HTTPS, and this attack won’t work for HTTPS sites that have a certificate.
However, with a variation of DNS spoofing, an attacker could send you to a site with a slightly different URL from the one you were intending to visit. Think “protomvpn.com” instead of “protonvpn.com”. Moreover, this type of fake site can use HTTPS and have a valid certificate. Your browser would show a green lock next to the address, making it harder to detect.
Punycode
Unfortunately, with recent Punycode attacks, hackers have found a way to make two websites with the same URL and a valid HTTPS certificate. Punycode is a type of encoding used by web browsers to convert all the different Unicode characters (like ß, 竹, or Ж) into the limited character set (A-Z, 0-9) supported by the international domain names system. As an example, if a Chinese website used the domain “竹.com”, in Punycode, that would be represented by “xn--2uz.com”.
Intruders discovered that if you reverse the process and enter Punycode characters as a domain, as long as all the characters are from a single foreign-language character set and the decoded domain looks exactly like the targeted domain, then browsers will render it in the targeted domain’s normal language. In the example used in The Hacker News article linked above, a researcher registered the domain “xn--80ak6aa92e.com”, which appeared as “apple.com”. The researcher even created this fake Apple site to demonstrate how hard it is to tell the sites apart using URL and HTTPS information alone.
As the researcher’s example demonstrates, a Punycode site can implement HTTPS and receive a valid certificate, making it very hard for you to detect you are on a fake site. Only by examining the actual details on the HTTPS certificate can you differentiate between “xn--80ak6aa92e.com” and “apple.com”.
Fortunately, many browsers have already addressed this vulnerability, and most would now show the address as xn--80ak6aa92e.com.
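Added here as a worked example (not code from the original post): decoding the two labels quoted above with Python's built-in punycode codec, plus the kind of check a defender can run on a hostname, flagging a decoded label every character of which imitates a Latin letter. The lookalike table is a constructed, deliberately partial one; Unicode's confusables.txt is the authoritative list.

```python
import unicodedata
from typing import Optional

# Constructed, partial table of Cyrillic letters that render like Latin ones.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0455": "s", "\u0501": "d", "\u051b": "q",
}

def decode_label(label: str) -> str:
    """Reverse the encoding the post describes: 'xn--2uz' -> '竹'."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def decode_host(host: str) -> str:
    """Decode every label of a hostname, leaving plain ASCII labels alone."""
    return ".".join(decode_label(label) for label in host.split("."))

def scripts_of(label: str) -> set:
    """Scripts present in a label, read off the Unicode character names.
    Browsers only render a label as Unicode when this is a single script."""
    return {"LATIN" if ch.isascii() else unicodedata.name(ch).split()[0]
            for ch in label}

def latin_lookalike(label: str) -> Optional[str]:
    """ASCII string the label imitates, or None if a char has no lookalike."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        else:
            return None
    return "".join(out)

def homograph_target(host: str) -> Optional[str]:
    """ASCII hostname an IDN host would be mistaken for, or None."""
    labels = decode_host(host).split(".")
    if all(label.isascii() for label in labels):
        return None                      # nothing is being disguised
    targets = [latin_lookalike(label) for label in labels]
    if any(t is None for t in targets):
        return None                      # e.g. 竹.com imitates no Latin name
    return ".".join(targets)
```

`homograph_target("xn--80ak6aa92e.com")` returns `"apple.com"` while `homograph_target("xn--2uz.com")` returns `None`; checking the certificate's subject against the decoded name, as the post advises, remains the reliable test.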
Use a VPN on public WiFi
These are just some of the vulnerabilities you face when using an unsecured public WiFi network. Even if you visit a legitimate site with properly enforced HTTPS, it could contain images or scripts from sites not protected by HTTPS. An attacker could then use these scripts and images to deliver malware onto your device.
A trustworthy VPN can protect you from all of these vulnerabilities. A VPN encrypts your traffic and routes it through a VPN server, meaning that your Internet service provider (or the owner of a malicious WiFi hotspot) cannot monitor your online activity. This additional encryption will protect your connection from a TLS downgrade attack.
Thorough VPN services, like Proton VPN, also run their own DNS servers, so that they can encrypt and process your DNS queries. Proton VPN’s apps protect you from a DNS leak by forcing your browser to resolve DNS queries via our DNS servers. We even protect your DNS queries if you are disconnected. Our Kill Switch feature instantly blocks all network connections if you are disconnected from your VPN server, keeping your data from being exposed.
Proton VPN’s Free VPN plan offers everyone a free, simple way to protect their Internet connection against these attacks. With our free VPN service, you never have to use public WiFi without a VPN again.
Best Regards,
The Proton VPN Team
Richie Koch
Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
HTTPS connection security over public Wi-Fi
I need to connect to public Wi-Fi, log in to my mail.ru e-mail and download files. Mail.ru redirects to https://mail.ru/
Is this safe or not if the Wi-Fi connection is unencrypted?
If the browser says the certificate is from mail.ru, then it's safe.
But on public Wi-Fi I go through SSH to my home machine.
Apparently cookies can be stolen and used to log in later, that's what they write on the Internet.
Judging by the replies, transmitting data over HTTPS, even through an unencrypted Wi-Fi channel or a deliberately set-up rogue one, is an encrypted data stream that an attacker cannot decrypt, or that would take an unreasonably long time to decrypt.
Yes, I am not a technical specialist, so please be lenient with my question.
Maybe it would be better to use mobile Internet? The connection, by the way, is from a tablet running Android.
The person who will be doing all this is a good person, but understands technology even less than I do, so Tor or a VPN are out of the question here.
Do you have a static address at home?
There is no big difference between public Wi-Fi and mobile Internet, just use HTTPS.
So logging in to mail.ru and Odnoklassniki is safe; then surely banking operations go over HTTPS too, so where do all the stories about stolen credit card data, hijacked social network accounts and so on come from?
Credit cards do get compromised. It happens in different ways. In most cases the users themselves expose them somewhere. Only rarely does some payment gateway get hacked. The railway ticket office got broken into once, their gateway. But that is rare.
Adoption of HTTPS on websites means you no longer need to fear public Wi-Fi
Using a public Wi-Fi network in a café or at a railway station is no longer as dangerous as it was ten years ago, because many sites are actively switching to the HTTPS protocol, which makes eavesdropping on network communications and capturing data in the clear considerably harder.
As the Electronic Frontier Foundation (EFF) notes in a new post, the old advice to "avoid public Wi-Fi and stick to password-protected networks" is for the most part no longer necessary today. "This advice comes from the early days of wireless Internet, when most communications were not encrypted. Back then, if someone wanted to monitor your communications, they simply intercepted the data your PC or smartphone sent to the public router and read all your e-mail.
That way they could steal your passwords, read the cookies that store login information for any website, or simply feed you a phishing link disguised as your favorite site. That is why using public Wi-Fi hotspots without entering a password carried a high risk," the post says.
Hello, HTTPS!
The relatively rapid adoption of the encrypted HTTPS (Hypertext Transfer Protocol Secure) communication protocol has eliminated this shortcoming of public Wi-Fi networks. According to the EFF, at least 92% of all websites in the United States now use HTTPS, while other countries are also expanding their use of secure certificates.
"They will be able to see this metadata just as your ISP could see which sites you browse at home. If this risk is acceptable to you, you need not worry about using public Wi-Fi," the EFF stresses. At the same time, the FBI recently recommended that Internet users in the US avoid using public Wi-Fi for a number of activities, including online shopping. The feds said that public Wi-Fi can expose personal information, including information about the payments you make online.