Using unprotected Wifi
in [Linux Networking]
|
Prev: WANTED TO BUY - NETWORKING, TELECOM EQUIPMENT & SOFTWARE - CISCO, NORTEL, LUCENT, JUNIPER, EXTREME, FOUNDRY, FUJITSU, MICROSOFT, ADOBE, SYMANTEC & MORE
Next: NFS boot: where are the mount options ?!?
From: David Schwartz on 28 May 2010 07:14 On May 28, 2:51 am, unruh <un...(a)wormhole.physics.ubc.ca> wrote: > False. The estabilshment of the key is also protected. A approaches B > and assuming that the two have shared a public key before hand, can > verify that B is actually the intended recipient. Then the two exchange > a key in a protected matter. This is true in theory, but unfortunately not always true in practice. (See other places in the thread where the unfortunate reality of constantly changing host keys has created the practice of ignoring changed key warnings.) DS
From: Robert Nichols on 28 May 2010 20:08 On 05/28/2010 06:14 AM, David Schwartz wrote: > On May 28, 2:51 am, unruh<un...(a)wormhole.physics.ubc.ca> wrote: > >> False. The estabilshment of the key is also protected. A approaches B >> and assuming that the two have shared a public key before hand, can >> verify that B is actually the intended recipient. Then the two exchange >> a key in a protected matter. > > This is true in theory, but unfortunately not always true in practice. > (See other places in the thread where the unfortunate reality of > constantly changing host keys has created the practice of ignoring > changed key warnings.) For someone who is in the habit of ignoring key change warnings, concerns about unprotected WiFi should be the least of his worries. -- Bob Nichols AT comcast.net I am "RNichols42"
From: Joe Pfeiffer on 28 May 2010 22:31 unruh <unruh(a)wormhole.physics.ubc.ca> writes: > On 2010-05-28, Joe Pfeiffer <pfeiffer(a)cs.nmsu.edu> wrote: >> thunder <thunderTAKEOUT(a)gti.net> writes: >> >>> On Thu, 27 May 2010 22:25:00 +0000, Tim Frink wrote: >>> >>>> Hi, >>>> >>>> I have to use an unprotected wireless network (it's not administrated by >>>> me). When I understand it correctly, using this WiFi is not safe since >>>> all data (such as passwords that I type on my console when I use ssh >>>> ...) is transfered unencrypted, i.e., it can be basically read by >>>> anyone. >>>> >>>> Is there a way to use an unprotected WiFi in a safe way by transmitting >>>> all data in an encrypted way such that it can't be snooped? >>>> >>>> Best, >>>> Tim >>> >>> I'm a little confused. I can understand your concern about "all data", >>> but not ssh. ssh is a "Secure Shell", and data *is* encrypted. >> >> There's no encryption between his machine and the access point. If he >> does his own encryption (even ROT13 -- deliberately chosen as "little >> sister" security), it doesn't magically get unencrypted before going out >> the antenna. > > ssh IS "his own encryption" An ssh session is encrypted from end to end > including between his machine and the access point. Didn't I say that in my next paragraph? There had been several suggestions for ways to get an encrupted connection -- from Thunder's response, it appeared he may have been confused about the relationship between SSH and the unencrypted link. I was trying to clarify that there is no relationship (which is also true of the other suggestions people had made). >> Several examples of doing his own encryption have been presented so far >> (the ones I've seen have been a VPN, SSL, and SSH) and are just as >> secure over the air as over a wire. >> >> The mistake in regarding wifi as insecure is in thinking anything else >> you do once you're off your own machine (or trusted infrastructure) is >> any better. -- As we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. (Benjamin Franklin)
From: David Schwartz on 29 May 2010 16:53 On May 28, 5:08 pm, Robert Nichols <SEE_SIGNAT...(a)localhost.localdomain.invalid> wrote: > For someone who is in the habit of ignoring key change warnings, > concerns about unprotected WiFi should be the least of his worries. I think that's a pretty ridiculous attitude. If nothing else, it ignores the difference between blocking passive interception and blocking active attacks. There are many circumstances where it is much more important to block the latter than the former. (For example, cases where one is legal and the other is not and you are much more concerned by legal interception than illegal interception.) DS
From: Robert Nichols on 29 May 2010 19:22
On 05/29/2010 03:53 PM, David Schwartz wrote: > On May 28, 5:08 pm, Robert Nichols > <SEE_SIGNAT...(a)localhost.localdomain.invalid> wrote: > >> For someone who is in the habit of ignoring key change warnings, >> concerns about unprotected WiFi should be the least of his worries. > > I think that's a pretty ridiculous attitude. If nothing else, it > ignores the difference between blocking passive interception and > blocking active attacks. There are many circumstances where it is much > more important to block the latter than the former. (For example, > cases where one is legal and the other is not and you are much more > concerned by legal interception than illegal interception.) Passive interception does not offer the opportunity to present a fake host key that is a prerequisite for a MITM attack. The design of the ssh protocol assumes that an eavesdropper is able to monitor both sides of the conversation. If you know of a way to crack an ssh connection by passive interception, I'm sure the security community would be quite eager to hear about it. Anyone is welcome to passively monitor my ssh connections at any time, and that includes connections where I had no previous knowledge of the remote system's public host key. -- Bob Nichols AT comcast.net I am "RNichols42" |