All wifi traffic can be "snorted". Encrypted or not. I play around as a former network engineer and crack people's wireless routers for fun just to keep my skills sharp around my house, just to see what their passwords are. WEP is the easiest, takes half a day. WPA takes forever, could be weeks. But eventually they can all be cracked.
Same goes with SSL blowfish and all the other encryption schemes. What is on your side is time. If you are only online to access your bank account using SSL for 5 minutes, they may not get enough of a sample to be able to brute force their way to cleartext. They can still try, but they will get all sorts of misses and likely have to sort the wheat from the chaff themselves because they will have to analyze the data with different attempts at brute force keys.
4096-bit RSA can even be cracked, that is what I used to set up for VPNs that I would build for companies. It's just that the key size is so huge that it would take a very, very long time. Banks online often use 64 or 128 bit encryption which is a lot easier although they use a different method than RSA which is a bit tougher to nail per bit of key.
Most people access their bank website as follows:
1. open browser
2. type in www.bank.com
3. bank.com will redirect them to a HTTPS site and swap keys with them
4. they will connect using HTTPS on the encrypted connection
Step 2 and step 3 provide the most vulnerability. Suddenly snorting traffic when someone is already connected to 128bit encryption is going to lead to a very long brute force attempt to figure out not only what is being transmitted, but what encryption method is used and at how many bits. But watching all the traffic and seeing that initial request of step 2 is half the battle: they can simply connect to that site and find out the encryption method.
Step 3 where the encryption handshake takes place is also a big weakness if someone is snorting long term over wifi. It doesn't exactly give away the keys to the gate but it does reveal excellent information which can be used to decrypt the message much quicker. How do you think that your computer can decrypt what the bank is sending you over HTTPS? It's because the bank sent you the keys and then you unlocked the door using the keys they gave you.
People place far too much trust in encryption schemes. The best way to protect yourself over wifi is to have a VPN built and set up with your own CA (certification authority). You connect via wifi and the first thing your system does is connect to the VPN (secret keys). Then all of your traffic to every website is encrypted because on the other end of that VPN is a proxy server of some sort sending everything to you encrypted to the maximum possible with the biggest key available. Nobody snorting will know that you did anything but request a connection on some nonstandard port to some nondescript IP or domain name, then everything turns to garble. There's no key exchange and most good VPN software will encrypt with your main overarching encryption scheme and will encrypt the handshake using a non pre shared key with something good like blowfish until it knows that the tunnel is open. While this traffic could be snorted and eventually decrypted, as far as the snorter is concerned you could have just opened a media connection and were watching TV because until they brute force through it it's all static.
However just connecting even to a WPA access point, connecting to your bank and then typing your password is actually hideously insecure. How did you get the WPA password? They could probably get it just as easily as you did. Then they wouldn't even have to bust the WPA password, they just snort all traffic and see what they can dig up in the clear. Your request for www.bank.com and then the https traffic afterwards means they can attempt to bruteforce their way through that particular encryption scheme knowing it's probably worth something to them. Even if it takes them a week they could still drain your bank account, and if they're doing this as an income source... they could make a killing by snorting everything.
Luckily however, most criminals who would sit around at a marina snorting traffic do not have the kind of computing power available to them to do more than one or two brute force attempts at a time and they aren't using the kind of computing power to do it at all fast. An 8-core Intel can do the job pretty good, but if you were in the business of cracking bank passwords over wifi you'd want a massively multiprocessor PC, say something Cell based normally used by companies like Pixar to make high definition animated movies. Criminals can make use of botnets to increase computing power but then they're dealing with the Russian mob who will extract enough of a cut that it might not be worth it, and it still doesn't guarantee success, but the Russian Mob certainly will ensure payment is guaranteed.
That said it is not without risks. A snorted file can be uploaded to someone who does have better computing capacity, or sold on the black market as network traffic made by rich people (boat owners are rich to criminals looking to get into this sort of game).
The safest method to do online banking on board is to use the data off your cell phone. It's always encrypted with a pre-shared key (in the SIM card) and a phone call looks the same to someone sniffing it as web data because they transport the packets in the same way. The sniffing gear is not as easily available (snorting wifi is as simple as having a wireless network card in your laptop, which everyone has) and different providers operate on different frequencies, further complicating matters for the would-be identity thief.
So use your cell phone's roaming plan for your banking and browse your porn off the marina wifi connection. Then if the identity thief does manage to decrypt your traffic all he'll get is a free woodie.
Putting faith that the bank has made their encryption unbreakable is as stupid as putting faith that the designer of your boat made it unsinkable.
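An added example, not part of the original post: the request in step 2 and the redirect in step 3 above are the part of the sequence that crosses the wifi network before HTTPS is in place. This Python sketch audits a recorded redirect chain for plaintext hops and checks whether the final HTTPS response carries a `Strict-Transport-Security` header, which tells the browser to skip the plaintext step on later visits. The chain, hostname and header values are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the hops a browser makes after the user types
# "www.bank.com" (steps 2-4 of the post). Host and headers are made up.
SAMPLE_CHAIN = [
    {"url": "http://www.bank.com/", "status": 301,
     "headers": {"Location": "https://www.bank.com/"}},
    {"url": "https://www.bank.com/", "status": 200,
     "headers": {"Strict-Transport-Security":
                 "max-age=31536000; includeSubDomains"}},
]

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit_chain(chain):
    """List the points in a redirect chain that are exposed before TLS."""
    findings = []
    for hop in chain:
        if urlsplit(hop["url"]).scheme == "http":
            findings.append(f"plaintext request visible on the wire: {hop['url']}")
            target = hop["headers"].get("Location", "")
            if hop["status"] in (301, 302, 303, 307, 308) and \
                    urlsplit(target).scheme != "https":
                findings.append(f"redirect does not upgrade to HTTPS: {target!r}")
    final = chain[-1]
    if urlsplit(final["url"]).scheme != "https":
        findings.append("final page served without TLS")
    elif not hsts_max_age(final["headers"]):
        # Missing header or max-age=0: the browser will not remember HTTPS.
        findings.append("no usable HSTS header: each visit repeats the plaintext step")
    return findings

if __name__ == "__main__":
    for line in audit_chain(SAMPLE_CHAIN):
        print(line)
```

Typing the `https://` address directly, or using a bookmark to it, removes the plaintext hop that the first finding reports.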