Posted: 6/15/2014 9:58:41 AM EDT
No, not a Mallninja story.  I just thought the subject was funny.

I need to access my bank account, and I have no access - without much asspain - to a properly secure network.

Here are my realistic options:

1) wi-fi connection to a VPN I know I can trust.

2) land based connection to a network I know is penetrated by governments, but is not likely to be penetrated by common criminals.

If I log in to the VPN in number 1, can the info I send over the wi fi network still be intercepted?  How secure am I, really?

#2 is my backup plan.  I think it's safer.   But, I really don't know.

Help me arfcom computer geeks, you're my only hope.
Link Posted: 6/15/2014 10:29:49 AM EDT
[#1]
First, any connection you make to your bank using a browser is going to be over HTTPS. This is HTTP over SSL so in itself is as secure as the SSL implementation your browser and bank are using.

If you tunnel via VPN, then that is another level of security that encrypts all data between your system and the VPN host at the other end. So your HTTPS is encrypted twice in this case: [VPN packet [HTTPS packet [message]]]. Your HTTPS payload is removed from the VPN payload and forwarded to the final destination once it reaches your VPN host.

Your wifi may also be encrypted from your system to the wifi host depending on which type of protocol you logged in with. WPA uses dynamically generated per packet key, so it is reasonably secure. [wifi packet [VPN packet [HTTPS packet [data]]]] At each step, the internal bits are forwarded. Your bank gets HTTPS packet [data] at its end and does whatever.

Each one of these links is as secure as the provider can make them.

If somebody hacks your bank, your bank will just have to fix it anyway. No need to be that paranoid about it.
Link Posted: 6/15/2014 10:33:55 AM EDT
[#2]
Quoted:
First, any connection you make to your bank using a browser is going to be over HTTPS. This is HTTP over SSL so in itself is as secure as the SSL implementation your browser and bank are using.

If you tunnel via VPN, then that is another level of security that encrypts all data between your system and the VPN host at the other end. So your HTTPS is encrypted twice in this case.

Your wifi may also be encrypted from your system to the wifi host depending on which type of protocol you logged in with. WPA uses dynamically generated per packet key, so it is reasonably secure.

Each one of these links is as secure as the provider can make them.

If somebody hacks your bank, your bank will just have to fix it anyway. No need to be that paranoid about it.


Thanks, but in the places I work, paranoia is sound policy.

My wifi connection is the weak link.  The ISP is Moldovan, for pete's sake.  

Does the HTTPS connection to the bank and VPN render the risk of a wi fi hack moot, or is that risk still there?
Link Posted: 6/15/2014 3:09:36 PM EDT
[#3]
The contents of each packet are independently encrypted. So a hacker would have to break the encryption on your wifi packet to get an encrypted VPN packet. He would then have to break the VPN encryption and would still have an SSL encrypted HTTP packet inside that. Then he'd have to break the SSL to see the actual contents. And he'd have to do this for thousands of packets going by.

That's far too much work for the average hacker to break into your bank account to steal your $87 balance and why they'd rather break into Target's customer database instead.

Link Posted: 6/15/2014 8:53:13 PM EDT
[#4]
Thanks again.

OK, I'm going to try to restate what you said in different words, to confirm understanding.

Even if the wi-fi connection I am using is actually being run by people wanting access to my banking information, they would still have to overcome encryption due to the HTTPS connection and the VPN to get it.  This is true even for the information packets that get sent to them from this end - such as those containing account numbers and passwords?

Do I have this right?

Link Posted: 6/16/2014 7:10:28 AM EDT
[#5]
Quoted:
Thanks again.

OK, I'm going to try to restate what you said in different words, to confirm understanding.

Even if the wi-fi connection I am using is actually being run by people wanting access to my banking information, they would still have to overcome encryption due to the HTTPS connection and the VPN to get it.  This is true even for the information packets that get sent to them from this end - such as those containing account numbers and passwords?

Do I have this right?



Yes.

Link Posted: 6/16/2014 7:25:32 AM EDT
[#6]
Quoted:
Thanks again.

OK, I'm going to try to restate what you said in different words, to confirm understanding.

Even if the wi-fi connection I am using is actually being run by people wanting access to my banking information, they would still have to overcome encryption due to the HTTPS connection and the VPN to get it.  This is true even for the information packets that get sent to them from this end - such as those containing account numbers and passwords?

Do I have this right?




Yep, the VPN would be from your endpoint to the VPN endpoint you connected with, and all traffic between those points is scrambled.  The purveyors of the potentially compromised WiFi would not have access to the data inside the packets of that VPN.   The SSL is additional icing on that cake that would generally be sufficient on its own.   The entire point of SSL is to provide communications security over a completely untrusted network.  It has protections both for data security and identity verification so you know you are actually talking to the server you expected to talk to.
Link Posted: 6/16/2014 7:35:30 AM EDT
[#7]

Quoted:
First, any connection you make to your bank using a browser is going to be over HTTPS. This is HTTP over SSL so in itself is as secure as the SSL implementation your browser and bank are using.

If you tunnel via VPN, then that is another level of security that encrypts all data between your system and the VPN host at the other end. So your HTTPS is encrypted twice in this case: [VPN packet [HTTPS packet [message]]]. Your HTTPS payload is removed from the VPN payload and forwarded to the final destination once it reaches your VPN host.

Your wifi may also be encrypted from your system to the wifi host depending on which type of protocol you logged in with. WPA uses dynamically generated per packet key, so it is reasonably secure. [wifi packet [VPN packet [HTTPS packet [data]]]] At each step, the internal bits are forwarded. Your bank gets HTTPS packet [data] at its end and does whatever.

Each one of these links is as secure as the provider can make them.

If somebody hacks your bank, your bank will just have to fix it anyway. No need to be that paranoid about it.

The bolded part is only true if he's using a relatively modern browser program.  Don't count on Windows XP and IE 8 to keep your stuff safe anymore.

Otherwise, yeah, just check for a certificate being in use and forget about the rest of that crap.  If you log into a strange computer (meaning, the physical device does not belong to you) use an "incognito" browser tab (both Firefox and Chrome do this, others too I bet) but be aware there could be a keylogger or other infection on it.
Link Posted: 6/16/2014 7:50:13 AM EDT
[#8]
You guys rock.

Thanks.

I had been googling to try to edumacate myself, and was only confusing myself more.

I have my own computers, but it's the wifi that was scaring me.
Link Posted: 6/19/2014 5:29:13 AM EDT
[#9]
HTTPS should keep things safe but in your case I would go a step further and use a VPN for critical things such as banking access.  Browsers get holes punched in them all the time and considering your location a little paranoia is not a bad thing.  

If you have a home in the US you could set up a VPN connection that way or pay for a VPN service; you wouldn't need much data/bandwidth as there is no reason to use the VPN for Netflix etc.
Link Posted: 6/19/2014 7:26:23 AM EDT
[#10]
VPN over SSH.   It's a pain in the ass to set up, but it does work and I've set it up in the past.

VPN traffic can be identified as such and blocked.   SSH not so much.  

Plus there is something cool about operating a tunnel within a tunnel.
Link Posted: 7/3/2014 5:49:55 PM EDT
[#11]
You also need to make sure your VPN over wifi is not a split-tunnel.
Link Posted: 7/22/2014 6:35:19 PM EDT
[#12]
Quoted:
You also need to make sure your VPN over wifi is not a split-tunnel.

This is my only contribution towards defusing that bomb.
http://en.wikipedia.org/wiki/Split_tunneling