That depends on your level of paranoia, and how much trust you have in the people who run the corporate network.

Were you using a personal device or a corporate-issued device? If a personal device, you should have received some kind of warning about SSL certificates not matching, a certificate issuer not being recognized, a certificate being expired, etc., if anybody was doing SSL decryption. If a corporate device, the IT department can remotely configure your device to automatically accept the SSL decryption without displaying any warning.

Another issue with public WiFi is that if you have enabled "connect automatically" for any of your WiFi networks, then you are vulnerable to attacks in which a threat actor runs their own WiFi hotspot that impersonates your existing networks (thereby getting your WiFi adapter to connect automatically). Once your network traffic is routed through a malicious WiFi router, you become very vulnerable to different types of attacks. I think a VPN may help in these scenarios, but I'm not 100% sure. Disabling "connect automatically" for all WiFi networks is definitely a good idea if you use public WiFi.

Two community members whose opinion I would trust on these types of matters are /u/spider-sec and /u/Eclipsan (pinging them here in case they wish to weigh in).

Trusting my opinion - that's where you screwed up.

u/Live-Ad-5129, if you are using Bitwarden to fill in your passwords on HTTPS sites, I would have zero worry. The reason is that you'd be notified of an invalid certificate, whether it's because the session was intercepted and the certificate name doesn't match, or because it was intercepted and the certificate isn't issued by a trusted certificate authority (this obviously excludes corporate SSL decryption on corporate-owned devices).

Bitwarden isn't going to fill in passwords unless it matches the host and/or path first. You're going to get a warning before that on intercepted connections.

You won't get those warnings, so you'll never know.

I haven't tested, but you might be able to prevent this depending on the URIs that are defined and how they are matched, but I haven't tested to see if that's included in the match.

A feature I believe BW should include is one to disable autofill on non-HTTPS sites globally and allow it on a per-site basis for those that aren't important or that may be private and across a VPN.

I have nothing to add about corporate-issued devices, great answer.

Even with "connect automatically" enabled, on public WiFi you will still end up with that warning in your browser in case there is an attack attempt, because the attacker cannot impersonate the legitimate website thanks to HTTPS. So as long as you don't tell your browser to continue you are fine (you won't be able to access that website, if any, via that WiFi network though).

Do note though that what I just said works only if (one of these):

- the URL or link you clicked starts with https://
- your browser is configured to force HTTPS connections and prevent HTTP ones
- your browser silently attempts to upgrade HTTP to HTTPS, but this behavior heavily depends on the browser so I would not rely on it (e.g. on Chromium it does not work for HTTP links you might click, on Firefox it does but only in private mode. Unreliable.)

Fun (no) fact: That's how at least one activist got infected by Pegasus. He 'just' typed in the URL bar and boom, MITM redirect to a malicious website (search 'yahoo' here).

A VPN won't help IMHO: the attacker would be able to prevent you from connecting to the VPN, but, just like 'plain' HTTPS, could not decrypt the data.
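To make the autofill rule discussed in the thread concrete, here is an added example in JavaScript. It is not Bitwarden's code: it models a gate that refuses to fill on a plain-HTTP page unless that host is on a per-site allow list (the global switch plus per-site exceptions one commenter wishes for), and otherwise fills only when the page host matches one of the credential's saved URIs. The match-type names, the policy and credential shapes, and all sample hosts are assumptions of this example, not the extension's own option values.

```javascript
// Added example, not Bitwarden's code: an autofill gate that (1) refuses to
// fill on a plain-HTTP page unless its host is on a per-site allow list and
// (2) fills only when the page host matches a saved URI of the credential.
// Match-type names, the policy shape and all sample data are assumptions of
// this example.

const MATCH = {
  HOST: "host",              // page host (incl. port) equals saved host
  BASE_DOMAIN: "baseDomain", // page host equals saved host or is a subdomain of it
  STARTS_WITH: "startsWith", // page URL begins with the saved URL (host + path prefix)
  EXACT: "exact",            // page URL equals saved URL
};

// Parse with the WHATWG URL class; anything unparseable is treated as no match.
function parseUrl(raw) {
  try {
    return new URL(raw);
  } catch (_e) {
    return null;
  }
}

// True when pageHost is savedHost itself or a label-aligned subdomain of it
// (so "accounts.example.com.evil.test" does not pass for "example.com").
function hostWithin(pageHost, savedHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

function uriMatches(page, saved, matchType) {
  switch (matchType) {
    case MATCH.HOST:
      return page.host === saved.host;
    case MATCH.BASE_DOMAIN:
      return hostWithin(page.hostname, saved.hostname);
    case MATCH.STARTS_WITH:
      return page.href.startsWith(saved.href);
    case MATCH.EXACT:
      return page.href === saved.href;
    default:
      return false;
  }
}

// policy.requireHttps is the global switch; policy.httpAllowedHosts lists the
// plain-HTTP hosts the user has explicitly accepted (e.g. a device on a LAN).
function decideAutofill(pageUrl, credential, policy) {
  const page = parseUrl(pageUrl);
  if (page === null) {
    return { fill: false, reason: "page URL could not be parsed" };
  }
  if (policy.requireHttps && page.protocol !== "https:" &&
      !policy.httpAllowedHosts.includes(page.hostname)) {
    return { fill: false, reason: "page is not HTTPS and its host is not allow-listed" };
  }
  for (const entry of credential.uris) {
    const saved = parseUrl(entry.uri);
    if (saved !== null && uriMatches(page, saved, entry.match)) {
      return { fill: true, reason: `matched ${entry.uri} (${entry.match})` };
    }
  }
  return { fill: false, reason: "no saved URI matches this page" };
}

// Constructed sample data (not real accounts or hosts).
const WEB_CREDENTIAL = {
  name: "example web account",
  uris: [{ uri: "https://accounts.example.com/login", match: MATCH.BASE_DOMAIN }],
};
const LAN_CREDENTIAL = {
  name: "example LAN printer",
  uris: [{ uri: "http://printer.lan/", match: MATCH.HOST }],
};
const POLICY = { requireHttps: true, httpAllowedHosts: ["printer.lan"] };

// Runs the gate over a few constructed page URLs and returns the decisions.
function demo() {
  const cases = [
    ["https://accounts.example.com/login", WEB_CREDENTIAL],
    ["https://sso.accounts.example.com/start", WEB_CREDENTIAL],
    ["http://accounts.example.com/login", WEB_CREDENTIAL],            // downgraded page
    ["https://accounts.example.com.evil.test/login", WEB_CREDENTIAL], // lookalike host
    ["http://printer.lan/admin", LAN_CREDENTIAL],                     // allow-listed HTTP
  ];
  return cases.map(([url, cred]) => ({ url, ...decideAutofill(url, cred, POLICY) }));
}

for (const d of demo()) {
  console.log(`${d.fill ? "FILL   " : "NO FILL"} ${d.url}: ${d.reason}`);
}
```

The two checks are deliberately independent: the HTTPS gate runs first so a downgraded copy of a known site never reaches the URI matcher, and the allow list only lifts the HTTPS requirement for a host, it does not bypass the host match itself.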