North American Network Operators Group


Re: Wifi Security

  • From: Steven M. Bellovin
  • Date: Mon Nov 21 19:34:00 2005

In message <[email protected]>, Joel Jaeggli writes:
>
>On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
>
><snip>
>>
>>> What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh
>>> tunneled traffic?
>>
>> no, we're not trying to do that, you don't really think that because it's
>> encrypted it can't be decrypted do you?
>
>I do believe (reasonably so, I think) that if I'm going to have a 
>conversation with a second party whom I already trust, that a third party 
>will have trouble inserting themselves into the path of that conversation 
>without revealing their presence.
>
><snip>
>
>> you dont have to break the code if the endpoints trust sessions with you and
>> share their encryption keys
>
>Successfully inserting yourself in the middle requires some 
>social engineering or really bad protocol design. The former can be 
>mitigated through vigilance, the latter falls into the realm of peer review 
>and security research.

The problem is "vigilance", especially as applied to non-security aware 
users.  Here's a quick test: pick a bunch of smart, non-geek computer 
users and ask them what a certificate is and what a certificate 
authority is.  Then inquire what they'd do when the web page they were 
looking at had some text similar to what I posted yesterday.

You're absolutely right that sufficient vigilance -- coupled with good 
user interfaces -- should be adequate.  Note my qualifiers: 
"sufficient", "good", "should be".  Demonstrably, they're not.  (A few 
years ago, a company I know of deployed a browser+Java-based expense
voucher application.  The login screen said "when you're asked if this 
applet should have extra permissions, just click yes, even though the 
pop-up warns that that could be dangerous".  A security-clueful person 
I know complained about the bad habits this was instilling.  The answer 
he got back was "we've checked it out; this application really is ok".
Talk about unclear on the concept...)

That said, ssh (which you cited in another post) does a better job.  It 
gives a very big warning that stresses the danger.  By contrast, 
Firefox (and I think IE, though I'd have to find a Windows machine to 
test that) tells you that various forms of certificate problems are 
unlikely.  The big thing ssh does is that it keeps a history -- it 
binds the warning to your previous history.  That's a much better 
strategy than relying on ~80 CAs you've never heard of.
>
>If I may paraphrase the original poster's question (Ross Hosman), it was:
>
>Do large wireless buildouts present a new security threat due to the 
>potential to spoof APs?
>
>The answer to that is no, this is a threat we live with currently. We have 
>tools to mitigate the risks associated with it.
>
>You can say that consumers are stupid, and won't figure this out, and that 
>may be true; however when it starts to cost them lots of money, they will 
>sit up and take notice and buy tools to solve this problem for them, just like 
>they do with any other security threat that goes beyond being an annoyance. 
>Probably said product will be blue, say Linksys on it, and have the word 
>VPN (among others) buried on the packaging someplace.
>

Given reports I've seen about public terminal usage, I'm much more 
skeptical.  See, for example, http://www.theregister.co.uk/2005/09/21/airport_pc_security_lax/
I frequently take the train to Washington; I've occasionally noticed 
other PCs that appear to be looking for an access point.  I've been 
tempted to put my machine into host AP mode (or use my travel access 
point -- these trains generally have AC power), run a dhcp server, and 
see what passwords I get.  But I've never been able to convince myself 
that it would be legal, let alone ethical.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
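Bellovin's point about ssh binding its warning to your previous history, as an added example (not code from this thread or from OpenSSH): a minimal trust-on-first-use host-key store in the style of known_hosts. The store, the function names and the key bytes are constructed for illustration; the fingerprint format follows OpenSSH's SHA256 style.

```python
"""Trust-on-first-use (TOFU) host-key checking, as ssh does with known_hosts.

Added example. 'known_hosts' here is a plain dict standing in for the file;
the key blobs below are constructed, not real keys.
"""
import base64
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: dict, host: str, pubkey: bytes) -> str:
    """Return 'new', 'match' or 'MISMATCH' for this host/key pair.

    First contact records the key (the TOFU step). A later match is silent.
    A different key for a known host is NOT recorded: the caller must fail
    closed until a human removes the stale entry, which is what makes the
    warning meaningful, since it is tied to what this client saw before.
    """
    fp = fingerprint(pubkey)
    stored = known_hosts.get(host)
    if stored is None:
        known_hosts[host] = fp  # remember the key we accepted on first use
        return "new"
    if stored == fp:
        return "match"
    return "MISMATCH"  # key changed: possible man-in-the-middle, do not connect


def warning_for(status: str, host: str) -> str:
    """Text a client would show; only the mismatch case is a hard warning."""
    if status == "MISMATCH":
        return f"REMOTE HOST IDENTIFICATION HAS CHANGED for {host}; refusing."
    if status == "new":
        return f"Authenticity of {host} can't be established; key recorded."
    return ""


def demo() -> list:
    """Three connections to one host: first use, same key, then a new key."""
    store = {}
    legit = b"ssh-ed25519 constructed-key-A"  # constructed sample blob
    rogue = b"ssh-ed25519 constructed-key-B"  # constructed sample blob
    return [check_host_key(store, "rail.example", k) for k in (legit, legit, rogue)]
```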