[PLUG] wifi security

Tim Slighter tcslighter at gmail.com
Wed Feb 25 19:59:51 UTC 2009


Hmm, you are touching on some great ideas for wireless security, perhaps
if wireless devices can integrate certificate-based
authentication...certificates that also use a PIN (this as a layered
feature inside of the WPA cloud).  I am going to start combing through
the web to see if there are vendors out there providing wireless
solutions with two-factor authentication.

This still does not fully address endpoint security though, as one is
still responsible for ascertaining security between their computer and
the target site.  But it would be a good starting point for mitigating
MITM attempts.

Tim wrote:
>> if you give your credit card to a site that uses ssl and you don't accept 
>> ssl certificates that don't fully validate, then you're as safe as you can 
>> get.  ssl provides end to end encryption (from your computer to the server 
>> at the other end) so anyone in between can see the bits, but not decode
>> them.  but that is all predicated on the fact that the certificate is 
>> signed by an authority that your browser trusts.  if you see a warning 
>> that the certificate isn't valid for any reason, then you shouldn't trust 
>> it and shouldn't give sensitive information to that website.
>>     
>
> Joe hit the nail on the head.
>
> SSL/TLS can protect you perfectly well, in theory, regardless of how
> unsafe the network is.
>
> However, there are a number of gotchas in practice.  You need to ensure
> at least the following:
>
> - The site's certificate validates correctly, with no warnings
>   whatsoever, as previously mentioned.
>
> - The site is the one you think it is.  SSL's authentication only
>   attempts to guarantee that the system you're communicating with
>   matches the domain name it's hosted at.  If you're sending sensitive
>   info to a phishing site, such as paypa1.com, then you have no
>   protection.   Of course that applies to ALL transfers of sensitive
>   information, not just ones over an insecure wireless link.
>
> - You disable SSL version 2.  Recent versions of browsers have this off
>   by default.
>
> - The site you're communicating with sets the "secure" cookie flag on
>   all sensitive session cookies.  This is a pain to check sometimes.  If
>   you view the cookies for the site in Firefox, there is a line
>   indicating what kind of connection they may be used for.  This should
>   indicate encrypted/secure connections only for all cookies.  If you
>   don't see this, then it is remotely possible that your session could
>   be hijacked by a man in the middle or a passive sniffer.
>
> - The site you're communicating with has a login form served over SSL.
>   Many major sites, for a long time, would serve their login form over
>   HTTP which posted to HTTPS pages.  This is really really unsafe when
>   it comes to man-in-the-middle attacks.
>
> - ... probably a handful of other things ...
>
>
> So, while I disagree with Tim and Carlos in their paranoia, you can see
> why one might think it's very unsafe to do these kinds of transactions,
> for the typical user, over an insecure wireless link.
>
> However, consider for a moment the issues with WEP and WPA-PSK.  If
> you're using a single password for a wireless network, then every user
> of that wireless network can still conduct man-in-the-middle attacks on
> you.  For all of the attacks listed above, these kinds of networks DO
> NOT PROTECT YOU.  
>
> The perpetual problem with secure protocols is not the protocols.  It is
> the authentication.  No one wants to deal with the hassle of giving
> every individual user a separate WPA password, so they don't.  Well that
> also means all users can muck with all other users of that network.
> SSL's PKI is weak and fragile, but it's still better authentication than
> a shared password amongst a bunch of random customers...
>
> tim


