How secure is HTTP / HTTPS over 3G?

For HTTP, you rely on nobody being able to spy on your packets (or alter/drop/duplicate them) between your device (your smartphone or computer) and the target server. 2G and 3G offer some encryption, but only from your device to the nearest base station; encryption is "over the air". From the base station to the target server, there is no encryption (or, at least, nothing is standard-enforced), so you cannot assume that the data is protected. Besides, the 2G encryption is based on A5/1, which is known to be weak (and there are ways to force a given cell phone to switch back to A5/2, which is weak by design, and can be cracked in real-time). 3G uses KASUMI which, while academically weakened, is still beyond cracking with today's technology. However, I repeat, 2G/3G encryption is only against nearby adversaries, who limit themselves to the radio link between your device and the station. Don't use HTTP for transfers of valuable data.

HTTPS is HTTP-within-SSL. SSL has been designed to offer security (server authentication, confidentiality and data integrity) regardless of the transport medium. 2G/3G is irrelevant to the security of HTTPS. It depends on your browser / operating system (and, in particular, which certification authorities are accepted as "trusted roots"), not on the network.
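
An added example, not part of the answer above or of any project's code: since HTTPS security rests on what the client verifies rather than on the 2G/3G link, this Python sketch audits a TLS client context for the properties the answer lists. The function names `harden_client_context`, `weak_context` and `audit_context` are hypothetical, and the TLS 1.2 floor is an assumption of the example.

```python
import ssl

def harden_client_context(cafile=None):
    """Client context that authenticates the server on any transport."""
    # create_default_context() loads the trusted roots (the OS store, or
    # cafile if given) and enables certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx

def weak_context():
    """Constructed misconfiguration: encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not required: no server authentication")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any trusted cert is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", harden_client_context()),
                      ("weak", weak_context())):
        problems = audit_context(ctx)
        print(name, "OK" if not problems else problems)
```

A context that fails the first two checks still encrypts traffic, but the confidentiality is only against passive observers, which is the same limited protection the radio-link encryption gives.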


If HTTPS is being used, regardless of what the carrier network is, the functionality is the same. So, even if someone can actually sniff data that you send over 3G, they would have to do the same amount of work they would have to do to decrypt it when they get the encrypted data on an Ethernet cable. This currently cannot be done. Hence, to answer your question, using HTTPS is secure and it does not differ by country.

On the other hand, if a simple HTTP connection is used, per https://serverfault.com/questions/311873/can-3g-networks-be-packet-sniffed-analyzed then definitely anyone can see your credentials.


The HTTP or HTTPS protocol will be just as secure over 3G as with any other type of network (WiFi, wired, etc.).

As ewanm89 points out, the 3G portion of the connection is only between your device and the phone network. Packets will still be sent between the phone network and the remaining servers along the path to the server you are trying to reach. If these packets are unencrypted then anyone along that route can potentially steal your credentials.

All things being equal, the country you are connecting from should not matter, unless a country were to take extreme measures such as blocking HTTPS.