|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Wifi Security
In message <[email protected]>, "Patrick W. Gilmor e" writes: > >On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote: > >> So my question is pretty simple. You have all these major companies >> such >> as google/earthlink/sprint/etc. building wifi networks. Lets say I >> want >> to collect peoples information so I setup an AP with the same ssid as >> google's ap so people connect to it and I log all of their traffic. >> Most >> people won't check beyond the ssid to look at the mac address but even >> that could be spoofed. Is there anyway to verify a certain ap beyond >> mac/ssid, will there be in the future? How do these companies plan to >> mitigate this threat or are they just going to hope consumers are >> smart >> enough to figure it out? > >Why would you even need to set up an AP? Why not just sit and sniff >traffic? Gets you the _exact_ same information. > >And why worry about Google, etc., when Starbucks and airports have >been doing this for _years_? > >Lastly, most consumers are smart enough to know to use encryption >(the little pad-lock in their browser). Some aren't. Changing the >WiFi architecture is not going to save those who aren't. By setting up a fake AP, you can launch active attacks. Sure, people won't get the right certificate -- and they're not going to notice, especially if the (unencrypted) initial web splash page says something like "For added security, all SSL connections from this hotspot will use Starbucks-brand certificates. Please configure your browser to accept them -- it will protect you from fraud." --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
|