From: Roy Smith on
In article <87sk5c4zlb.fsf(a)mythtv.grymoire.com>,
Maxwell Lol <nospam(a)com.invalid> wrote:

> Tim Frink <plfriko(a)yahoo.de> writes:
>
> > Is there a way to use an unprotected WiFi in a safe way by transmitting
> > all data in an encrypted way such that it can't be snooped?
>
> Well, https connections SHOULD be safe. Or at least some people will
> say so.
>
> However, there are many man-in-the-middle tools like sslstrip, midler,
> etc. that allow an attacker to intercept https.

Not to mention commercial tools run by IT departments like BlueCoat.

> Would you be able to detect a faked certificate? Most people cannot.

Especially since many sites have expired or otherwise bogus certificates
and IT departments routinely tell their customers to "just click OK"
when a browser puts up a warning.

From: Keith Keller on
On 2010-05-28, Maxwell Lol <nospam(a)com.invalid> wrote:
>
> However, there are many man-in-the-middle tools like sslstrip, midler,
> etc. that allow an attacker to intercept https.

From http://www.circleid.com/posts/20090219_https_web_hijacking/ :

"No one actually manually types in "HTTPS" or "HTTP" and they generally
just type "gmail.com" for example and expect the web browser to
magically re-route them to a secure sign-in."

I type in https: if it's important enough. Of course, if an attacker
runs the WAP your session is at risk of snooping or MITM no matter what.

> Well, I do use ssh on the command line. It will detect a
> man-in-the-middle attack.

You could use ssh as a SOCKS proxy to a trusted sshd host. That should
be relatively safe.

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

From: David Schwartz on
On May 27, 6:09 pm, thunder <thunderTAKE...(a)gti.net> wrote:

> I'm a little confused.  I can understand your concern about "all data",
> but not ssh.  ssh is a "Secure Shell", and data *is* encrypted.

He's concerned about his password. If a MITM hijacks his SSH
connection, unless he verifies the SSH key, the MITM could get his
password and then SSH in as him. Unfortunately, in my experience, SSH
keys change so often due to upgrades and incompetence that nobody ever
checks them.

DS

From: Joe Pfeiffer on
thunder <thunderTAKEOUT(a)gti.net> writes:

> On Thu, 27 May 2010 22:25:00 +0000, Tim Frink wrote:
>
>> Hi,
>>
>> I have to use an unprotected wireless network (it's not administrated by
>> me). If I understand it correctly, using this WiFi is not safe since
>> all data (such as passwords that I type on my console when I use ssh
>> ...) is transferred unencrypted, i.e., it can be basically read by
>> anyone.
>>
>> Is there a way to use an unprotected WiFi in a safe way by transmitting
>> all data in an encrypted way such that it can't be snooped?
>>
>> Best,
>> Tim
>
> I'm a little confused. I can understand your concern about "all data",
> but not ssh. ssh is a "Secure Shell", and data *is* encrypted.

There's no encryption between his machine and the access point. If he
does his own encryption (even ROT13 -- deliberately chosen as "little
sister" security), it doesn't magically get unencrypted before going out
the antenna.

Several examples of doing his own encryption have been presented so far
(the ones I've seen have been a VPN, SSL, and SSH) and are just as
secure over the air as over a wire.

The mistake in regarding wifi as insecure is in thinking anything else
you do once you're off your own machine (or trusted infrastructure) is
any better.
--
As we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours;
and this we should do freely and generously. (Benjamin Franklin)

From: Keith Keller on
On 2010-05-28, David Schwartz <davids(a)webmaster.com> wrote:
>
> He's concerned about his password. If a MITM hijacks his SSH
> connection, unless he verifies the SSH key, the MITM could get his
> password and then SSH in as him. Unfortunately, in my experience, SSH
> keys change so often due to upgrades and incompetence that nobody ever
> checks them.

Mine don't. :) I believe the default is to reject the connection if
the key does not match the one on disk. If he does that, then he is
fairly safe from MITM attacks perpetrated by the WAP admin or someone
who has hacked the WAP.

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
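
An added example, not part of any post in this thread: the host-key check that David Schwartz and Keith Keller discuss above, as a Python sketch that computes the SHA256 fingerprint OpenSSH displays for a public key and compares it with one obtained out of band. The host name, key bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey(line):
    """Return (key_type, raw_blob) from '[host] type base64 [comment]'."""
    fields = line.split()
    # Locate the key-type field; known_hosts lines put the host name first.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no public key found on line")
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1], validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match blob contents")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(offered_line, trusted_fingerprint):
    """True only if the offered key hashes to the fingerprint we trust."""
    return hmac.compare_digest(fingerprint(offered_line), trusted_fingerprint)


def make_line(host, key_bytes):
    """Build a constructed ssh-ed25519 known_hosts line (sample data only)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample keys, not real host keys.
REAL = make_line("shell.example.org", bytes(range(32)))
SPOOFED = make_line("shell.example.org", bytes(range(1, 33)))
TRUSTED_FP = fingerprint(REAL)  # in practice, obtained out of band

if __name__ == "__main__":
    print("trusted:", TRUSTED_FP)
    print("real key matches:   ", host_key_matches(REAL, TRUSTED_FP))
    print("spoofed key matches:", host_key_matches(SPOOFED, TRUSTED_FP))
```

The same comparison is what a user does by eye when ssh shows a fingerprint on first connection; it only helps if the trusted value came from somewhere other than the network being doubted.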