Internet best practices: web security

Based on my reading of this thread, RVers could use some clear information on how to minimize risk online.  Using that topic as a jumping-off point, I plan on a short series of posts to help non-technical folks get the most out of the internet.  Alpha geeks can skip this series;  it’s not for you!  :-)

Due to the nature of RVing, we are more likely to use networks of unknown security, stability, or capacity as we move from place to place.  Let’s start with web security.

Web security

Before we start:  it is a common mistake to think that "the web" is the same as "the internet".  It's an easy enough mistake to make since _most of our internet tasks are done through a web browser_.  But the web is only a part of the greater internet.  You can think of the **internet as dialtone** for the internet services you really want:  webpages, email, streaming music, whatever.

There are different kinds of web security folks might be concerned about:

  • sensitive information - your name, address, CC numbers, date of birth, SSN, etc.  This article is only about sensitive information security for the web user.

  • privacy - your browsing habits, searches, etc.  I’m not addressing that.

  • legal security - Chinese or North Korean people, for example, might need to hide their activities so they don’t get killed.  Or dissidents or outlaws might want to cover their tracks when they do their thing.  Not addressing that, either.

Understanding the threats

Here is where your sensitive information is at risk:

  1. on your end (on your phone or PC); and

  2. during transit to some other party (wifi, open wifi, mobile data, wired network, cable/dsl/fiber); and

  3. on that other party’s end (on their servers, datacenters, or with their employees)

You alone are responsible for #1 and you have no control over #3.  That leaves us with #2, transit, which is actually what most people mean when they talk about web security.

Yes, in the early days of the public internet (mid-90s) people were submitting sensitive info from unsecured webpage forms.  This information was “sniffable” (able to be monitored) by others along the internet.  The technology to encrypt the browser-to-website connection existed but was expensive and unfamiliar to folks who weren’t cryptography hobbyists (cypherpunks).

Nowadays having a secured (SSL) website is easy and inexpensive to implement.  There are movements to secure every website, though I have personal reservations about the computational overhead of doing that.

What is important to know is that nowadays all reputable websites that use your sensitive information are secured with SSL.  The traffic between you and the site (#2 up there) is encrypted so securely that you don’t have to think about it.  You can access these sites over unsecured networks like open wifi with no detrimental effect.  Seriously.  Not kidding.

What to do

So how do you know the website is secured?  Your browser will tell you so, usually in the address line at the top.  Here are the things to look for:  the padlock and the http/https address or URL prefix.  The padlock is closed if transit is secure and open if it is not.  The address will be prefixed with https:// if the site is secure and http:// if it is not.  You can also press the (i)nformation icon to drill down to technical info if you want.

If those signs are present your communications are secure with that site.  Do your business confident that your communications are safe.

But I heard I need a VPN or mobile data to be secure!

Secured sites are already secured and other tools are not making them more secure.

Yes, VPNs have value but mainly in the privacy and legal senses mentioned above.  Or when sending non-sensitive data to unsecured sites over unsecured networks (see below).

Aha!  but what about unsecured sites?

Aren’t unsecured sites sniffable over open wifi and other networks?  Yes.

For example, the VanDweller Community Forums are not secured, and there’s not a huge reason for them to be secured.  Could someone along the route sniff your forum credentials as you log in?  Yes.  Could someone then impersonate you?  Yes. Would that be a big problem?  No, unless you do something (to quote A Few Good Men) “galactically stupid” like use the same password everywhere.  <– yeah, don’t do that

And it’s not like you are putting sensitive information on CheapRVliving, right? <– don’t do that, either

All together now….

Provide your sensitive information only to secured websites.  They protect your transmissions between you and them no matter what network you are using.

Have fun and be safe.
