Wifi Security
Steven M. Bellovin
smb at cs.columbia.edu
Tue Nov 22 00:32:06 UTC 2005
In message <Pine.LNX.4.64.0511211400000.12605 at twin.uoregon.edu>, Joel Jaeggli w
rites:
>
>On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
>
><snip>
>>
>>> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
>>> tunneled traffic?
>>
>> no, we're not trying to do that, you dont really think that because its
>> encrypted it cant be decrypted do you?
>
>I do believe (reasonably so, I think) that if I'm going have a
>conversation with a second party whom I already trust, that a third party
>will have trouble inserting themself into the path of that conversation
>without revealing their presence..
>
><snip>
>
>> you dont have to break the code if the endpoints trust sessions with you and
>> share their encryption keys
>
>Successfully inserting yourself in the middle requires some
>social-engineering or really bad protocol design. The former can be
>mitigated through vigilance, the later falls into the realm of peer review
>and security research.
The problem is "vigilance", especially as applied to non-security aware
users. Here's a quick test: pick a bunch of smart, non-geek computer
users and ask them what a certificate is and what a certificate
authority is. Then inquire what they'd do when the web page they were
looking at had some text similar to what I posted yesterday.
You're absolutely right that sufficient vigilance -- coupled with good
user interfaces -- should be adequate. Note my qualifiers:
"sufficient", "good", "should be". Demonstrably, they're not. (A few
years ago, a company I know of deployed a browser+Java-based expense
voucher application. The login screen said "when you're asked if this
applet should have extra permissions, just click yes, even though the
pop-up warns that that could be dangerous". A security-clueful person
I know complained about the bad habits this was instilling. The answer
he got back was "we've checked it out; this application really is ok".
Talk about unclear on the concept...
That said, ssh (which you cited in another post) does a better job. It
gives a very big warning that stresses the danger. By contrast,
Firefox (and I think IE, though I'd have to find a Windows machine to
test that) tells you that various forms of certificate problems are
unlikely. The big thing ssh does is that it keeps a history -- it
binds the warning to your previous history. That's a much better
strategy than relying on ~80 CAs you've never heard of.
>
>If I may paraphrase the original posters question (Ross Hosman), it was:
>
>Do large wireless buildouts present a new security threat due to the
>potential to spoof AP's?
>
>The answer to that is no, this is a threat we live with currently. We have
>tools to mitigate the risks associated with it.
>
>You can say that consumers are stupid, and won't figure this out, and that
>may be true; however when it's starts to cost them losts money, they will
>sit-up take notice and buy tools to solve this problem for them, just like
>they do with any other security threat that goes beyond being an anoyance.
>probably said product will be blue, say linksys on it, and have the word
>vpn (among others) buried on the packaging someplace.
>
Given reports I've seen about public terminal usage, I'm much more
skeptical. See, for example, http://www.theregister.co.uk/2005/09/21/airport_pc_security_lax/
I frequently take the train to Washington; I've occasionally noticed
other PCs that appear to be looking for an access point. I've been
tempted to put my machine into host AP mode (or use my travel access
point -- these trains generally have AC power), run a dhcp server, and
see what passwords I get. But I've never been able to convince myself
that it would be legal, let alone ethical.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list