undefined | Better HN

0 pointstoomuchtodo11y ago0 comments

I've configured my Nexus 5 to auto-connect to any open "linksys" SSID. How would this be any different?

Don't rely on SSID for security. Rely on SSL/TLS and certificate pinning.

0 comments

bsimpson11y ago

It's not different. It's not even necessarily bad. It's just worth considering while evaluating this proposal.

psychometry11y ago

And what if you need to login to a site that isn't SSL-secured? There's nothing the end user (you) can do about that.

toomuchtodoOP11y ago

You should never be using a site without SSL if you're passing authentication information.

Now, while I understand this is out of an end user's control, that shouldn't cause us to throw the idea of a shared wireless network out the door. That should cause us to look at non-secure sites accepting credentials, and how to prevent that behavior in the first place.

INIT_611y ago

https://www.eff.org/https-everywhere

this site helps with this issue forcing sslany.

psychometry11y ago

Installing a browser add-on doesn't make websites lacking an SSL certificate magically acquire one. The fact is that there are still a lot of sites out there that don't have them.

userbinator11y ago

You use a VPN to tunnel to a trusted server and have it initiate the cleartext connection to the site, keeping the traffic between you and that server encrypted.

mkesper11y ago

Not easy as in everyone has access to a __trusted__ VPN tunnel server.

j / k navigate · click thread line to collapse

0 comments

bsimpson11y ago

It's not different. It's not even necessarily bad. It's just worth considering while evaluating this proposal.

psychometry11y ago

And what if you need to login to a site that isn't SSL-secured? There's nothing the end user (you) can do about that.

toomuchtodoOP11y ago

You should never be using a site without SSL if you're passing authentication information.

INIT_611y ago

https://www.eff.org/https-everywhere

this site helps with this issue forcing sslany.

psychometry11y ago

Installing a browser add-on doesn't make websites lacking an SSL certificate magically acquire one. The fact is that there are still a lot of sites out there that don't have them.

userbinator11y ago

You use a VPN to tunnel to a trusted server and have it initiate the cleartext connection to the site, keeping the traffic between you and that server encrypted.

mkesper11y ago

Not easy as in everyone has access to a __trusted__ VPN tunnel server.

j / k navigate · click thread line to collapse