Wifi Security

william(at)elan.net william at elan.net
Mon Nov 21 20:52:24 UTC 2005



On Mon, 21 Nov 2005, Randy Bush wrote:

>> As others pointed out (to me as well), for a _man in the middle_ attack
>> (e.g. impersonating www.paypal.com) it is necessary to play ARP games or
>> otherwise insert yourself in the flow of traffic.
>
> not really.  you just need to be there first with a bogus, redirecting,
> dns response.

That's right. Remember all they need to do is sniff wireless traffic for a
dns request for "paypal.com" and then send a UDP packet back as an answer
(from a closer location - it might even be on the wireless network) that has
faked its origin as if it came from the dns server the user asked and has some
other address for paypal.

The good news is that if SSL is used (the dns request is due to the user going to
https://www.paypal...) then it will not properly work because they can
not fake the SSL cert for paypal from verisign, so some kind of warning about the
cert being self-signed and not issued by a known provider would probably be
displayed, but many users will ignore such warnings.

But let's now imagine a different situation and instead of paypal, let's
imagine a user doing ssh to shell.mywork.com. Now let's imagine that the dns
request has been sniffed and instead of getting the real address for
shell.mywork.com, you get the wireless ip address of someone
else nearby that has a redirecting ssh server. That special ssh server
would provide its own cert pretending to be shell.mywork.com and would
internally proxy to another ssh session that is actually going to the
real shell.mywork.com. How do you like this scenario?

So just in case, do remember that when you ssh from an insecure wireless
network node (even at the NANOG conference) that you do it to a server
that you already previously did ssh to (and so have its public key in
.ssh/known_hosts), and don't just assume that because it's ssh you're safe.

-- 
William Leibzon
Elan Networks
william at elan.net
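The precaution in the last paragraph (only trust an ssh destination whose key is already recorded in .ssh/known_hosts) as an added Python example; this is not code from the original post. It parses known_hosts entries in both the plain and the hashed ("|1|salt|hmac", as written with HashKnownHosts) forms and reports whether a host has a prior key; the hostnames, salt and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts name field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _name_matches(field: str, hostname: str) -> bool:
    """Match hostname against one known_hosts name field (plain or hashed)."""
    if field.startswith("|1|"):
        try:
            _, _, b64salt, _ = field.split("|", 3)
            salt = base64.b64decode(b64salt)
        except ValueError:
            return False
        return hmac.compare_digest(hash_hostname(hostname, salt), field)
    # Plain form: comma-separated names; exact match only (no wildcards/ports here).
    return hostname in field.split(",")


def find_host_key(known_hosts: str, hostname: str):
    """Return (key_type, key_blob) for the first matching entry, or None when the
    host has no recorded key (the first-connection case the post warns about)."""
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):          # @revoked / @cert-authority markers
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        if _name_matches(parts[0], hostname):
            return None if marker == "@revoked" else (parts[1], parts[2])
    return None


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, as written when HashKnownHosts is off",
    "shell.mywork.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1",
    "# hashed entry, as written when HashKnownHosts is on",
    hash_hostname("hashed.mywork.com", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDERKEY2",
    "@revoked old.mywork.com ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDERKEY3",
])

if __name__ == "__main__":
    for host in ("shell.mywork.com", "hashed.mywork.com", "old.mywork.com", "new.mywork.com"):
        print(host, "->", find_host_key(SAMPLE_KNOWN_HOSTS, host) or "no prior key: nothing to compare against")
```

A host that comes back as having no prior key is exactly the case where a spoofed dns answer would go unnoticed; `ssh-keygen -F hostname` performs the same lookup against the real file.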
