Is there a way to use a secure wifi connection while on board?


Posted (edited)
1 hour ago, DaKahuna said:

 

 There is still no guarantee.  If you take the proper precautions you can have a reasonable degree of assurance. 

 

 I'll not bore you with technical details but if interested you can read for yourself. 

 

https://security.stackexchange.com/questions/262793/is-https-insecure-against-mitm-attacks-and-is-there-a-solution

I read the article and the answers seem, to me, to say HTTPS/TLS is all that is needed. Did you read the article that I linked?

Edited by billc23

22 hours ago, jwlane said:

What leads you to think it's not secure?

Perhaps because VPN companies blatantly lie about the dangers of public WiFi to sell their product. Many great uses for a VPN, but adding security to a secure connection is not one of them


58 minutes ago, billc23 said:

I read the article and the answers seem, to me, to say HTTPS/TLS is all that is needed. Did you read the article that I linked?

 

Yes, I read your article.   Thank  you. 

 


I concur with my fellow IT pros that if a site is using HTTPS, then a VPN is not required for security.

 

The VPN is primarily used to get around geofencing issues, such as trying to stream your tv provider from outside the US (watch Caps hockey in Aruba in my case).  In addition, some banks will allow you to stop transactions from certain countries, which can block you if you are visiting a country that you have blacklisted.  VPN helps resolve that without having to change your security policies or call your financial institutions.

  • Like 1

On 8/3/2024 at 2:01 AM, wrk2cruise said:

I personally would not connect to a bank on any public Wifi without using a VPN.  Celebrity does all it can to block VPNs on their ships.

Unless you have major reservations about someone knowing which bank you use, there's no reason to not trust https / tls.  Read the URL, make sure it matches your bank, move on.

 

The only real information "leaked" over a TLS channel is DNS names, payload size, and destination IP addresses.


10 hours ago, odyssyus said:

I concur with my fellow IT pros that if a site is using HTTPS, then a VPN is not required for security.

 

Another IT pro here that says for all practical purposes, having an HTTPS connection is good enough for me. That said, it is subject to the man in the middle. Specifically, any entity that controls the certificates you are trusting from your device can decrypt your data.

 

Many organizations use services like ZScaler and similar for security. These organizations load certs onto devices so that you are forced to trust the security software. The data stream is decrypted, analyzed for security, and re-encrypted so that it is not obvious to client or host. I provide this illustration as an example of why https may not keep your data encrypted between your browser and the host like you think it does.

  • Like 2
  • Thanks 1

Posted (edited)

So the last time that I connected to a compromised public Wi-Fi was at the LAX airport in January.  I did not figure out that it was compromised as I was jet lagged and had been traveling for over 24 hours straight.  Some of the signs were that it took me to a Southwest Airlines site that was http and not https.  I just used the site to get flight information.  It grabbed my booking number as first name,  last name,  and e-mail address and then I started receiving boatloads of spam in my inbox.

 

So I just prefer to avoid public Wi-Fi if at all possible. There are too many ways to get into a public Wi-Fi network.  Sometimes the default password will be set on the router.  Then you have rogue APs,  DNS spoofing, weak passwords that can be cracked in seconds, and a host of other techniques.

 

Cellular is more secure.

Edited by NMTraveller
  • Like 2

19 hours ago, billc23 said:

The purpose of VPN is to hide from the public Wi-Fi network owner of what you are doing. HTTPS/TLS are for encryption and security. 

 

Actually most reputable VPN companies encrypt all information that is going over the VPN connection.  

 

Per NordVPN -

 

VPNs like NordVPN encrypt all your online traffic to scramble the data and keep it private. NordVPN uses the highest encryption standard available to VPNs today: 256-bit AES encryption.

  • Like 1

21 minutes ago, Jim_Iain said:

 

Actually most reputable VPN companies encrypt all information that is going over the VPN connection.  

 

Per NordVPN -

 

VPNs like NordVPN encrypt all your online traffic to scramble the data and keep it private. NordVPN uses the highest encryption standard available to VPNs today: 256-bit AES encryption.

They are stating that https connections make additional encryption pointless, which is true.  Confidentiality of your data and attribution of your data are two different things.  VPN only adds confidentiality when you are using non-https sessions

  • Like 1

1 hour ago, Jim_Iain said:

 

Actually most reputable VPN companies encrypt all information that is going over the VPN connection.  

 

Per NordVPN -

 

VPNs like NordVPN encrypt all your online traffic to scramble the data and keep it private. NordVPN uses the highest encryption standard available to VPNs today: 256-bit AES encryption.

Yes, they certainly do encrypt all your traffic to their site - but not afterwards - your data is only encrypted up to their infrastructure. So if you are using http to go to a site, it's put on an encrypted tunnel as far as your VPN provider. Then it's generally just forwarded on in its pre-tunneled format, which, if it's http, is unencrypted. So no real security is in place but it does appear that you are sending your info from a different location. IMO, there is value in multi-layered security and VPNs can form part of that, but they largely mis-sell themselves to those that don't understand what is happening. And the articles on the VPN's website may be misleading.


Yes, VPNs do help to anonymize your origin point - which is a benefit when traveling and  great for privacy. I say use HTTPS for security. Use VPN for privacy. Use VPN plus HTTPS for privacy and security.  Be sure to research your VPN because there are many bad actors out there that will sell your data or infect your device. What is the business model of that free VPN service???

 

I was answering the OP's question and  just using a HTTPS connection is fine without needing a VPN. Using a VPN and going to a HTTP site is a security risk. A password manager is also helpful because most will only put your user name and password into the correct URL derived screen. 

  • Like 1
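
An added illustration, not part of any poster's message, of the exact-origin comparison that the "read the URL" and password-manager advice in this thread relies on. The function names and the bank.example and evil.test URLs are constructed for the example; real password managers apply their own matching rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lower-cased; userinfo and port removed
        port = parts.port          # raises ValueError on a bad port
    except ValueError:
        return None
    if not host:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host.rstrip("."), port)

def should_autofill(saved_url, page_url):
    """Offer the saved login only on the same HTTPS origin it was saved for."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or page is None:
        return False
    if page[0] != "https":         # never fill a page served over plain http
        return False
    return saved == page           # exact match, not "contains" or "starts with"

# Constructed sample inputs: one genuine page and several lookalikes.
SAVED = "https://www.bank.example/login"
CASES = [
    "https://www.bank.example/account",      # same origin
    "http://www.bank.example/login",         # downgraded to http
    "https://www.bank.example.evil.test/",   # real name used as a subdomain
    "https://www.bank.example@evil.test/",   # real name hidden in userinfo
    "https://www.bank.examp1e/login",        # one-character lookalike
]

if __name__ == "__main__":
    for url in CASES:
        print(f"{should_autofill(SAVED, url)!s:5}  {url}")
```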

9 hours ago, NMTraveller said:

So the last time that I connected to a compromised public Wi-Fi was at the LAX airport in January.  I did not figure out that it was compromised as I was jet lagged and had been traveling for over 24 hours straight.  Some of the signs were that it took me to a Southwest Airlines site that was http and not https.  I just used the site to get flight information.  It grabbed my booking number as first name,  last name,  and e-mail address and then I started receiving boatloads of spam in my inbox.

 

So I just prefer to avoid public Wi-Fi if at all possible. There are too many ways to get into a public Wi-Fi network.  Sometimes the default password will be set on the router.  Then you have rogue APs,  DNS spoofing, weak passwords that can be cracked in seconds, and a host of other techniques.

 

Cellular is more secure.

 

You should have played the lottery too because you basically hit the jackpot by successfully connecting to LAX wifi (lol)

  • Haha 2

Posted (edited)

Okay - I have been holding back but I would like to get this point across. 

 

If I can set up a rogue access point and act as a ship's WiFi access point and convince you to connect to me instead of the real ship's access point, I can intercept all your WiFi traffic.  If I then see you are making https connections to a bank, I can create a duplicate of your bank's web site and if you are not paying attention and notice the certificate changes, I can spoof your bank and unencrypt your https traffic to your bank.  The hardest part is getting you to accept the bogus certificate from my fake site.  If I do that then using that certificate I can unencrypt all of the traffic that flows between your computer and mine using that certificate. 

 

 Is it complicated? Yes, but it is doable.  Can it be easily detected by someone who is cautious? Yes, but can it fool a large number of people? Yes.  

 

 So, HTTPS / TLS is secure but not totally secure.  

 

 Is there a chance of this happening on a cruise ship -- very, very unlikely.  

 

 

 

Edited by DaKahuna
  • Thanks 1

5 hours ago, billc23 said:

Yes, they certainly do encrypt all your traffic to their site - but not afterwards - your data is only encrypted up to their infrastructure.

 

 Correct.  A VPN only encrypts the traffic between the endpoint on your computer and the VPN provider's endpoint.  After that it depends on whether your connection being tunneled through the VPN is using a secure protocol or not. 

 

 

5 hours ago, billc23 said:

Yes, VPNs do help to anonymize your origin point - which is a benefit when traveling and  great for privacy.

 

 This is the primary reason to use a VPN - to hide your traffic from the provider of the WiFi service you are using, e.g. Celebrity / StarLink. 

 

 

5 hours ago, billc23 said:

Be sure to research your VPN because there are many bad actors out there that will sell your data or infect your device.

 

 I agree 100%.  Also if privacy is really a major concern, also look for one that is known not to be cooperative with governments. 

 

5 hours ago, billc23 said:

I was answering the OP's question and  just using a HTTPS connection is fine without needing a VPN.

 

 Agree in 999,999 times out of 1,000,000 but it is not 100%.  

 

 


11 hours ago, DaKahuna said:

 Is it complicated? Yes, but it is doable.  Can it be easily detected by someone who is cautious? Yes, but can it fool a large number of people? Yes.  

 

 So, HTTPS / TLS is secure but not totally secure.  

 

 Is there a chance of this happening on a cruise ship -- very, very unlikely.

Thanks John! It is often the social engineering techniques and users bypassing warnings from their browser that get people into trouble. The logistics of a rogue (evil) AP on a ship make it much more difficult to set up than at a hotel or coffee shop, but still possible. Nothing is totally secure, and the risk level of a compromise using an HTTPS connection over the ship's WiFi is small. Too much misinformation about VPNs and what they accomplish.

 

Perhaps someday we will be on the same cruise and can discuss computer hacking... over a bowl of Captain Crunch!


Posted (edited)
1 hour ago, billc23 said:

Perhaps someday we will be on the same cruise and can discuss computer hacking... over a bowl of Captain Crunch!

I'll bring my whistle!

 

Thanks to the pair of you who provided the MITM and access point caveats. 

Edited by canderson
typoz
  • Like 1

1 hour ago, billc23 said:

Perhaps someday we will be on the same cruise and can discuss computer hacking... over a bowl of Captain Crunch!

 

 I'd prefer over an adult beverage but then again, I love talking hacking as it was my profession, for the good guys of course, for a number of years. 

 

 NDAs prevent me from disclosing a lot of details where theory was put into practice but a determined hacker is very hard to protect against if you are a specific target. 

 

  • Like 2

6 minutes ago, sunrise45 said:

Quick question, do the banking phone apps use https?  In other words would you be somewhat secure using your banking app connected  to the ship wifi?

All banking apps use https. 


14 minutes ago, sunrise45 said:

Quick question, do the banking phone apps use https?  In other words would you be somewhat secure using your banking app connected  to the ship wifi?

 

Some do and some don't but all use some form of encryption and are just as secure as the banking website. Those that require multi-factor authentication, such as sending you a code to enter to verify, are more secure than those that do not. 

 


2 minutes ago, DaKahuna said:

 

Some do and some don't but all use some form of encryption and are just as secure as the banking website. Those that require multi-factor authentication, such as sending you a code to enter to verify, are more secure than those that do not. 

 

The tricky bit there is that some folks forget that they have come to depend upon a text message for 2 factor authentication, and forget to either set up or learn how to use WiFi calling.  Those folks either need to set up email as their 2 factor or be prepared for a potential learning curve for WiFi calling aboard ship.

 

  • Like 1

9 minutes ago, DaKahuna said:

 

Some do and some don't but all use some form of encryption and are just as secure as the banking website. Those that require multi-factor authentication, such as sending you a code to enter to verify, are more secure than those that do not. 

 

I'd challenge you to demonstrate a single banking app that doesn't use https


17 minutes ago, DaKahuna said:

 

Some do and some don't but all use some form of encryption and are just as secure as the banking website. Those that require multi-factor authentication, such as sending you a code to enter to verify, are more secure than those that do not. 

 

Mobile apps are more secure than websites. Apple iOS apps and Google Android apps use https by default. An app would have to be granted an exception to be approved in their mobile app stores. Very rare and not going to happen for banking apps. 
