One way of thinking about a secure connection is to think about whom you have to trust to reach your destination, i.e. a website. There are multiple waypoints that can interfere with your Internet traffic and prevent you from connecting in a confidential manner.
- Local network, such as your home network or a wireless access point
- Internet service provider (ISP)
- Domain-name server (DNS)
- Target server (and its own DNS, ISP and home network)
Whomever controls your local network or Internet access, can intercept your Internet traffic, redirect you to compromised or counterfeit websites and can read all the transmitted data if sent in plain text (e.g. HTTP instead of HTTPS). You want to make sure that you are in a network you trust, the same is true for the ISP.
When you try to access a website via its domain name, e.g.
macrumors.com, you will also need to connect to a DNS to resolve the IP address of the target. This can of course be compromised as well (e.g.
macrumors.com could be pointed to another server). Usually, the DNS is set by your router or by your ISP, but you can define a server yourself if you do not trust your local network or ISP. Obviously, (1) and (2) still apply and your DNS of choice could be compromised as well.
Finally, there is of course the target server and itself will operate with a DNS, ISP and home network. This is obviously something largely beyond your control.
There are several ways to mitigate these attacks:
- Make sure that you are in a network you trust. Public networks, especially ones without a password, should be distrusted, as a rule of thumb. The same applies to an iPhone hotspot, if the device does not belong to you or if its Internet connection is dependent upon a local network. Hotspots that are provided by your ISP and to which you connect with provided credentials are a bit of a grey area, but they may be trustworthy.
- Make sure that when you connect to websites that you do so via HTTPS instead of HTTP and enforce SSL/TLS connections (e.g. in Mail, Contacts, Calendars) when available. Sometimes, websites do not default to HTTPS or mention this. http://www.apple.com and https://www.apple.com is an example, both sites will work, but only one is secured with HTTPS.
Often you can just try for yourself by changing the ‘http:’ in the address to ‘https:’ (your browser will usually tell you if the HTTPS connection could not be established without errors and you need to pay attention to this). HTTPS will make sure that the contents of your Internet traffic between the target server and yourself are encrypted, but it does not necessarily guarantee that you are connecting to the ‘real’ server. To that end, more and more websites let their identity be confirmed by a certificate authority as well. You can see this on https://www.apple.com, where you will see a green lock icon and the name of the website owner, in this case Apple Inc. Many banking websites offer this and should always make sure that this appears in your browser.
- Use a virtual private network (VPN) to protect yourself from compromised local networks and ISPs, e.g. when you are at Starbucks. When you connect tot a VPN server, it will create a tunnel between your computer and the VPN server and protect your traffic in between. The VPN server will then redirect your traffic to its destination. Obviously, you will need to trust your VPN as well and be aware that a VPN server also has an ISP and a DNS, which can be compromised. It is not a master key to secure networking, it just protects you from local threats by moving your traffic to another location.
There are other things you want to consider, but I think these are the most important aspects that most people will have to deal with.
