Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is an unencrypted website safe when using a private network?


  • Please log in to reply
7 replies to this topic

#1 Arstone112

Arstone112

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 22 March 2011 - 05:25 AM

Hi there.

Say I am logging on to a website that does not provide encryption (even though it is a legit website), if I am using my private network and submitting info to that website such as my name, is there any cause for concern that it will be read by external persons? I just want to be sure. I don't use any public networks.

Thanks for your assistance

BC AdBot (Login to Remove)

 


#2 Baltboy

Baltboy

    Bleepin' Flame Head


  • BC Advisor
  • 1,430 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pennsylvania
  • Local time:07:30 PM

Posted 22 March 2011 - 10:49 AM

I guess the besr answer to this question is that if the web site is not offering a SSL connection then the possibility exists that the data packets could be intercepted and the information contained in the packet could be stolen. So you will have to determine if this website(s) that you are accessing has information sensitive enough to require encryption.
Get your facts first, then you can distort them as you please.
Mark Twain

#3 Arstone112

Arstone112
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 23 March 2011 - 12:09 AM

I guess the besr answer to this question is that if the web site is not offering a SSL connection then the possibility exists that the data packets could be intercepted and the information contained in the packet could be stolen. So you will have to determine if this website(s) that you are accessing has information sensitive enough to require encryption.


Hey.

I appreciate your reply, but is there anyone else that can give a more definitive answer? I need a bit more certainty than just "I guess" :P

In my research I have heard that, when using a public network, it is NOT advised to send information over an unencrypted network, as it can be easily intercepted.

However, I have heard that when using a private network, there is no harm in sending information unencrypted, as long as you are the only one using the network.

Can anyone else provide some clarification as to the accuracy of these two statements?

Thanks.

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,250 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:05:30 PM

Posted 23 March 2011 - 03:47 AM

I assume by "private network" you mean some sort of virtual private network (a VPN.) If that's the case then your data has just as much chance of being intercepted as if you weren't using it at all.

Perhaps a text diagram will illustrate:

======> = Secure
------> = NOT secure

Your Computer=====VPN=====>VPN Server------Public Internet------>Unencrypted Website

As you can see, once your data leaves the VPN and goes out onto the public internet, it can be intercepted by anyone happening to be sitting between the VPN server and the website's server.

An HTTPS (SSL encrypted) connection would be protected for start to finish.

Data being sent to a publically addressable server (the website) from a non-local location (i.e. over the public internet) must either be encrypted for the entire journey (not just across your VPN but also across any other networks between you and the website) or it must be presumed to be interceptable. If this website is collecting personal, financial, or otherwise sensitive information then they NEED to use SSL. It is the only way to guarantee* data safety during transmission.



*Nothing is absolute; there are no guarantees: there are known attacks against SSL connections but they're a lot harder to do than simply sniffing unencrypted traffic.

#5 uByte

uByte

  • Members
  • 243 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL
  • Local time:08:30 PM

Posted 23 March 2011 - 01:02 PM

I agree with Andrew but wanted to clarify one thing. The "private network" is a network that is local and that doesn't traverse the internet (as routers themselves don't forward the packet). For instance if you were connecting locally to a server that you created on your local network then yes it is unencrypted but you don't care because the network would not be accessible on the internet. There are IP address that have been considered private and those are. 5.X.X.X (class a ), 10.X.X.X(class a ), 172.16.X.X (class B ), 192.168.X.X (class B ), (X is the actual subnet of the network in which can be anything).

But if you are connecting to a server that is on the net then you data or information can be sniffed by anyone in between your DSL/Cable modem and the server. An example is My linkhttp://spamgourmet.com/ this site allows you to login but it is not SSL or secure and so anyone that wanted to could see all the data going from my computer to the server if you wanted too and were using a program like wireshark.

I hope that clarifies this.

uByte

Edited by uByte, 23 March 2011 - 01:03 PM.


#6 Arstone112

Arstone112
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 23 March 2011 - 09:27 PM

By Private network I just meant a network that was not in a public place (coffee shops etc) but still connected to the internet.

How would someone get 'between your DSL/Cable modem and the server'? If it's so easy then why aren't all websites that submit personal information encrypted? :\ It's almost like selling a car without locks.

Thanks for any further clarification

Edited by Arstone112, 23 March 2011 - 09:34 PM.


#7 ITstudent2006

ITstudent2006

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:07:30 PM

Posted 23 March 2011 - 09:41 PM

How would someone get 'between your DSL/Cable modem and the server'? If it's so easy then why aren't all websites that submit personal information encrypted?


The opportunity to get "in between" your external Ip and the servers are bountiful. Think of how many hops you have to traverse before getting to your destination. When i do a tracert (trace route) on google.com it takes 10 hops to get there.

Now, you might be asking "what is a hop?" and "what is trace route?". I will explain.

Trace Route
Trace Route is a computer network tool for measuring the route path and transit times of packets across an Internet Protocol (IP) network.
Hop
Think of a Hop as a piece of equipment that re-routes your packets to it's destination.



As I stated above it took 10 hops to get to one of google's servers. Anywhere in between here and there someone could be poisoning the line and retreive my packets.

To answer your second question. Best practices would assume that all sites that require important information secure their site. However, there are many variables into doing this (cost, legitimacy, data required, etc..). Also, some personal information (Name, address, zip code, etc...) sometimes aren't worth securing. Hackers looking into gathering data aren't worrying about addresses and phone numbers so why try. They're going after SSN#, Credit Card #'s, routing numbers, bank account numbers, etc...

Obviously it would be smart of you to not use a site that requires SSN#, account info, etc... if it's not secure.

Edited by ITstudent2006, 23 March 2011 - 09:45 PM.

~si vis pacem para bellum~

#8 Arstone112

Arstone112
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 23 March 2011 - 10:17 PM

Thanks for your help. For a new member you gave the most helpful and informative answer.

I will protect my social security numbers among other sensitive data by continuing to make sure that i be careful that a website is not transmitting unencrypted information.

Bye and thanks again




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users