How Secure is HTTPS?

Just Checking

Regular Contributor
I just came back from holiday in Europe. Almost immediately on returning I started receiving notifications from my MS Outlook accounts that someone was accessing accounts from locations other than normal. Evidently, two accounts had been accessed/hacked.

I made several stupid mistakes to cause this. First, I let the mobile device remember the password to the email accounts. I don't do this on my home, or work computers but, I did it on my mobile device. It was stupid.

Second, I allowed the mobile device to roam and seek out unsecured WiFi networks. I did this to be able to access the mapping function to figure out how to reach the locations I wanted. This was only stupid in that I did not turn off the auto-updating feature of the email. Every time the mobile device connected to any network, it would update my email and send/receive information over an open network. The fact that I didn't turn this off was stupid in retrospect.

My connection to MS Outlook is through HTTPS which is supposed to be an encrypted link.

My question is, if HTTPS is supposed to be an encrypted secure link, how could the hacker have decrypted the password to the account to be able to access it? The device never left my possession and the passwords are not visible to anyone just trying to call it up and see it if they did have access to the device. They could not have watched me enter a password since it was already in the device.

I am trying to understand this better to prevent this from happening again.
 
It depends on the certs. HTTPS uses certs, so it's up to you to check whether the cert is valid for the site or not. It is still vulnerable to MITM attacks, but the middle man would require more CPU.
 

Normally, I would think that Microsoft has valid and up-to-date certificates, but I have found that not to be true. Microsoft does implement more security on their email system than Gmail, but I have found that they often have out-of-date certs. They go back and fix the problem when I have alerted them to the fact, but it is somewhat annoying to have to do that for a "premier" tech company.

MiTM is what I suspected happened. I don't know what kind of equipment the hacker was using. Just that it was good enough to penetrate the HTTPS encryption.

I was aware of all the concerns about public WiFi and the use of VPNs and proper encryption. I just didn't bother to implement anything because nothing bad happened before (probably since I don't use public networks). Live and learn. Hopefully, I caught the hack in time and the hackers didn't get any sensitive information.
 
Well, HTTPS is HTTP over SSL. You can make it even more secure by using it over a VPN, but then there's still the other side to worry about. The way that HTTPS gets defeated is if you accept a connection from an impersonating host, hence the certs and fingerprints; however, impersonating things makes them quite visible, so HTTPS is safe against people trying to monitor your traffic but not if they are acting as a proxy. While it is hard to detect someone monitoring your traffic, it is easy to check the path your traffic goes through.
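
What "checking the cert" and "fingerprints" come down to in code, as an added example written for this thread (it is not code from any poster, from SNBForums or from Microsoft's mail clients): two self-signed certificates are minted for a made-up host name, mail.example.net, one standing in for the genuine server and one for a middle man who copied the name but cannot copy the private key. A Go TLS client runs exactly the x509 Verify call used here against the presented certificate during the handshake, with RootCAs and ServerName taken from its tls.Config, so the verdicts below are the verdicts a client reaches. The host names, the second "lenient" pool that models clicking through a certificate warning, and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mintCert mints a self-signed certificate for host with a fresh key.
// Calling it twice for the same host models the genuine server and an
// impostor that copied the name but cannot copy the private key.
func mintCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verdict is what a TLS client decides about a presented certificate: the
// chain-building and host-name checks crypto/tls runs on every handshake,
// reduced to a short label.
func verdict(presented *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "rejected: not signed by a trusted authority"
	case errors.As(err, &badName):
		return "rejected: certificate is not valid for " + host
	default:
		return "rejected: " + err.Error()
	}
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo in the
// base64 form used for public-key pinning: two certificates with different
// keys never share a pin, whatever names they carry.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	const host = "mail.example.net" // constructed name, not a real mail host
	genuine, _ := mintCert(host)
	impostor, _ := mintCert(host) // same name, different key: a MITM's cert
	trusted := x509.NewCertPool()
	trusted.AddCert(genuine)

	fmt.Println("genuine server:       ", verdict(genuine, trusted, host))
	fmt.Println("impostor, same name:  ", verdict(impostor, trusted, host))
	fmt.Println("genuine, wrong host:  ", verdict(genuine, trusted, "login.example.net"))

	// What "accepting" a certificate warning amounts to: the impostor's cert
	// joins the trusted set, and from then on verification passes.
	lenient := x509.NewCertPool()
	lenient.AddCert(genuine)
	lenient.AddCert(impostor)
	fmt.Println("impostor, once accepted:", verdict(impostor, lenient, host))

	fmt.Println("pin genuine: ", spkiPin(genuine))
	fmt.Println("pin impostor:", spkiPin(impostor))
}
```

The last verdict is the thread's "accept a connection from an impersonating host": once the impostor's certificate is trusted, the handshake succeeds and the encryption protects the traffic from everyone except the party in the middle. The SPKI pin is the extra check a client can make when an impostor certificate has been issued by a CA the device already trusts; the price is that the pin must be updated whenever the real server rotates its key.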
 
A VPN tunnel is supposed to prevent that, which is why I have now installed one on my mobile devices. Unfortunately, it was PPTP with encryption. In researching vulnerabilities I found that PPTP with the standard encryption schemes that accompany it is easily penetrated by software such as "CloudHacker", which is readily available.

I'm looking at other options such as "TunnelBear" and "CyberGhost" now. I am also checking out paid VPN proxy services. I am "late to the game" on this and madly trying to catch up.
 
I just came back from Holiday in Europe. Almost immediately on returning I started receiving notifications from my MS Outlook accounts that someone was accessing accounts from locations other than normal. Evidently, two accounts had been accessed/hacked.

It happens - keep in mind that it's a server cert, not a client cert that is at risk...

I made several stupid mistakes to cause this. First, I let the mobile device remember the password to the email accounts. I don't do this on my home, or work computers but, I did it on my mobile device. It was stupid.

Happens sometimes - depends on your mobile device - iOS is kinda safe if not jailbroken, and Android has some certificate security issues depending on the release/device builds...

Second, I allowed the mobile device to roam and seek out unsecured WiFi networks. I did this to be able to access the mapping function to figure out how to reach the locations I wanted. This was only stupid in that I did not turn off the auto-updating feature of the email. Every time the mobile device connected to any network, it would update my email and send/receive information over an open network. The fact that I didn't turn this off was stupid in retrospect.

In retrospect, a good warning for all. Let's practice Safe Hex, OK? Know what you're connecting to, and hotel networks are very vulnerable to script attacks by their very nature...

My connection to MS Outlook is through HTTPS which is supposed to be an encrypted link.

It generally is, but the server cert is the weak spot. Going into OWA or Outlook and changing the DOMAIN/user password can help a lot; if you're on single sign-on, change the Windows password, and this should change the Outlook/Exchange/OWA/ActiveSync passwords and might also update your local certs for the DOMAIN/user as well...

My question is, if HTTPS is supposed to be an encrypted secure link, how could the hacker have decrypted the password to the account to be able to access it? The device never left my possession and the passwords are not visible to anyone just trying to call it up and see it if they did have access to the device. They could not have watched me enter a password since it was already in the device.

Somebody outside is attacking the outlook server, not your client or account...

I am trying to understand this better to prevent this from happening again.

You likely did little wrong. It's really up to the MS Active Directory and Exchange server admin to ensure that the certs are done correctly and passed down to the clients accessing that server...

Might want to submit a ticket/call to your IT staff - depending on how sharp they are, they might already know, but consider that they don't.
 
If your VPN needs are not very frequent, you could even look at a free service such as VPNBook. I use their free service for development/test purposes (though I still ended up sending a PayPal contribution at one point to compensate for those nights where I'd connect/disconnect 6-8 times to test something :) )
 
