Current wireless solutions in practice don't have something like https usage.
Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).
If you have a WiFi network secured using a naive shared key method, anyone with the shared key can decipher the access of the other users. This might be fine in your house, but not good in some public cafe.
Seems the way around this with current WiFi technology is to let every user use an account - username and password. Apparently in this case even if users share the same username and password, using WPA2 or whatever (I can't be bothered to keep accurate tabs on below par crap;) ) they can't decrypt each others sessions. Not sure if this is 100% true given the track record;).
Assuming it's true, it would be much easier if Windows (and other O/Ses) would default to a standard username and password AND also check the cert of the AP (and issue warnings if it looks dodgy). You should be allowed to log in using a particular user account, or be prompted if the AP rejects the default.
Then people like Starbucks/BK/etc could use certs for their WiFi networks, and customers can have reasonably secured comms at least between themselves and the AP.
The WiFi Alliance should have copied the SSL _concepts_ and got the help of decent security people, rather than coming up with crap year after year (for how many years?).
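The post asks that the OS check the AP's certificate before sending a shared username and password. In current 802.1X/EAP setups that check is the supplicant's job, and it is only done if the profile names a CA and a server name to match. The script below is an added example, not code from the thread or from any Slashdot poster: it parses wpa_supplicant network blocks and flags enterprise profiles that would accept any server certificate. The configuration text is constructed; the option names (key_mgmt, eap, ca_cert, domain_match, domain_suffix_match, altsubject_match, subject_match) are real wpa_supplicant.conf options.

```python
"""Audit wpa_supplicant network blocks for 802.1X/EAP networks that do not
validate the authentication server's certificate.

Added example, not code from the thread. SAMPLE_CONF is constructed data;
the option names are real wpa_supplicant.conf options.
"""
import re

# Constructed sample: a weak enterprise profile (no ca_cert, no server-name
# match), a hardened one, and a plain PSK network that the checks skip.
SAMPLE_CONF = """
network={
    ssid="CafeWiFi-Weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CafeWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest"
    password="guest"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.net"
}

network={
    ssid="HomePSK"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# Any one of these binds the accepted certificate to a specific server name.
NAME_BINDING_KEYS = {"domain_match", "domain_suffix_match",
                     "altsubject_match", "subject_match"}


def parse_networks(conf_text):
    """Return one dict per network={...} block, mapping option -> unquoted value."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and whitespace
            if "=" not in line:
                continue
            key, value = line.split("=", 1)        # first '=' only: phase2="auth=..."
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Findings for one block; an empty list means the profile validates the server."""
    findings = []
    if "EAP" not in net.get("key_mgmt", ""):
        return findings      # PSK/open networks: there is no server certificate to check
    if "ca_cert" not in net:
        # wpa_supplicant does not verify the server certificate without a CA.
        findings.append("no ca_cert: any server certificate will be accepted")
    if not (NAME_BINDING_KEYS & set(net)):
        # With a public CA this means any certificate from that CA is accepted.
        findings.append("no server-name match: any certificate from the trusted CA is accepted")
    return findings


def audit(conf_text):
    """Map SSID -> findings for every network block in the config text."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf_text)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real /etc/wpa_supplicant/wpa_supplicant.conf by reading the file into `audit()`; a profile that reports both findings is exactly the "default credentials, no cert check" situation the post describes, since the supplicant will hand the credentials to whichever server answers the SSID.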
WEP == Wired Equivalency Privacy, meaning that (if it were to work as designed) it is only designed to offer security similar to a wired network. In a wired network, you (conceptually) have control over who access it based on physical access control to the wire, but you can still see packets from other users (this used to be easier with hubs, it is still possible with switches, but takes a little more work). I'm not up to date on the various modes of WPA, but as far as I know, it was mostly designed to fi
The fact they were thinking that way (WEP) shows you how much they cared about security, and how ignorant/stupid they were. Wireless is definitely not the same as wired. As for wired security, you can configure decent switches so that clients can only see traffic from a "blessed" server (or network/port) but not each other (not even each other's broadcasts).
The problem as I mentioned is even if _public_ WiFi service providers want to provide better security, it's so _hard_ with the current WiFi technology an
I agree that WiFi doesn't live up to what it was intended to be, but the problem I was getting at is people expect it to provide a service that it was never designed to. They expect WiFi to provide VPN. It doesn't. It was never intended to.
My comment about DNS was that an SSL client needs more than the fact that the certificate was signed by a trusted CA, it also needs to know that the certificate was issued to the site the user is trying to connect to. It verifies this through the DNS name. Valid ce
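The point above is that a trusted signature alone is not enough; the client must also confirm the certificate was issued for the name it intended to reach. The code below is an added example, not from the thread or any poster: it implements that name check over the dict layout Python's `ssl.SSLSocket.getpeercert()` returns (dNSName SAN entries first, CN only as a fallback, a single leftmost-label wildcard that never spans a dot), and pairs it with a `ca_trusted` flag that stands in for the signature check. Both certificate dicts are constructed sample data.

```python
"""Bind a TLS certificate to the hostname the client meant to connect to.

Added example, not code from the thread. CERT_EXAMPLE and CERT_OTHER are
constructed in the dict shape that ssl.SSLSocket.getpeercert() returns;
the ca_trusted argument is a stand-in for the CA signature check.
"""

# Constructed: certificate issued to example.com with SAN entries.
CERT_EXAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),
                       ("DNS", "www.example.com"),
                       ("DNS", "*.cdn.example.com")),
    "issuer": ((("commonName", "Constructed Test CA"),),),
}

# Constructed: validly signed by the same CA but issued to a different host.
# A client that only checks the signature would accept it for example.com.
CERT_OTHER = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
}


def _dns_names(cert):
    """dNSName SAN entries; fall back to the CN only if the cert has no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Case-insensitive match of one dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label of a name with at least
    # two more labels, so "*.com" and "f*o.example.com" never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # "*" covers exactly one label: "*.cdn.example.com" does not match
    # "a.b.cdn.example.com" and does not match the bare "cdn.example.com".
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate was issued for `hostname`."""
    return any(_name_matches(pattern, hostname) for pattern in _dns_names(cert))


def check_peer(cert, hostname, ca_trusted=True):
    """The two checks the comment describes: trusted signature AND name binding."""
    if not ca_trusted:
        return "reject: certificate not signed by a trusted CA"
    if not hostname_matches(cert, hostname):
        names = ", ".join(_dns_names(cert))
        return f"reject: certificate issued to {names}, not {hostname}"
    return "accept"


if __name__ == "__main__":
    print(check_peer(CERT_EXAMPLE, "www.example.com"))
    print(check_peer(CERT_OTHER, "example.com"))
```

In production code this logic is what `ssl.create_default_context()` enables through `check_hostname=True`; the point of writing it out is to see that the name comparison is a separate step from chain validation, and that disabling either one lets a correctly signed certificate for some other host through.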
Yes it was never designed for that. But I'm saying the design was crap, and still is crap. In other words WiFi is defective by design. I don't expect WiFi to provide VPN. It's just not nice to get broken stuff when it could have been avoided.
Back when WiFi was first starting out the technology was there (SSL was already around, they could have just copied the ideas), but the WiFi bunch gave us crap instead. To compound the problem they kept rolling out broken stuff to fix broken stuff.
What's the point of encrypting my connection between my laptop and the Starbucks AP if it's all in the clear when it leaves the AP? (and also when ATT is scanning the whole thing in a backroom)
To help protect you from other people in the area, and also help protect companies providing the access.
What ATT does further upstream is between them and you.
What happens at the sites, affects the people running those sites too.
If someone sets up an AP and pretends to be Starbucks, it can create a fair amount of problems, even if it's not Starbucks' fault. If it's too much hassle maybe Starbucks might just stop providing WiFi access.
Someone could still jam the network, but such attacks are more detectable.
Current wireless solutions in practice don't have something like https usage.
Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).
Yes they do. It's called Opportunistic Encryption and you can get it for free on Linux (at least on Ubuntu) by just installing "openswan".
That's not implemented at the wireless solution level though. It's done with IPSEC.
If you install openswan on your computer at home and your laptop then you can contact your home computer securely without additional configuration.
You're addressing a totally different problem from what I'm talking about. Did you read the "Starbucks" bit? And the "current wireless solutions in practice" bit?
How would Starbucks provide a safer WiFi service for its customers? They most certainly can't tell patrons to install openswan etc.
The last I checked, Google/Yahoo don't support "Opportunistic Encryption", even Slashdot doesn't.
Anyone solely using Opportunistic Encryption obviously lives in a very isolated corner of the Internet compared to everyone else, if anyone tries to attack their computer/data it'll probably be by accident. There's no significant money to make by targeting such niches.
Don't worry about the money. Just install OE on any public servers and on your computer, and tell other people about it. That's all you can do. That, and try to make openswan OE work with Windows OE (which is Kerberos-based, and probably only normally works in an AD environment.)
Problem with wireless (Score:4, Interesting)
Certificates do not hav