On Tue, Sep 30, 2014 at 7:16 AM, Stefan Sperling <s...@openbsd.org> wrote:
> On Tue, Sep 30, 2014 at 02:37:08PM +0400, Vadim Zhukov wrote:
>> Yes, I've seen that behaviour. And it actually bothers me - what if I
>> get associated with untrusted network, and my already opened
>> Ajax-enabled browser will start to transfer data via it without
>> notification?.. This can be avoided by forcing some unlikely nwid in
>> hostname.if, but this is not "secure by default". Or maybe I search
>> for security in the wrong place, dunno...
>
> Why do you even already have an interface that is up when
> entering an untrusted environment?
>
> How can you be sure that you're connecting to the right AP even
> at home? The AP is usually not authenticated. I could come to your
> house with a strong antenna AP and grab associations from anything
> that attempts to use open wifi, no matter what nwid/bssid the devices
> would want to use. If I managed to figure out your WPA key you'd have
> to set up WPA enterprise and authenticate the AP to prevent a snooping
> attack, or just forget about wifi offering any form of snooping protection
> and use some kind of VPN (just like you would on the internet).
>
> I don't use netstart on laptops. I leave all interfaces down at
> startup (empty hostname.if files) and always re-configure them
> manually as needed. I make sure laptops always use a VPN (unless
> I'm at home, so if someone figures out my nwkey and comes to my
> place I'm owned). I don't care if the wifi is open or encrypted,
> it just provides an uplink I can run VPN on top of.
> My setup currently runs wifi interfaces and OpenVPN in rdomain 1.
> Anything else is in rdomain 0 so there is no chance some random
> application will leak traffic to the wifi link.
>
> Still, I would welcome a more convenient solution than this.
> I'm just not sure we've found it yet.
>
> Can autonetd make use of IPsec and/or SSH-based VPNs (or even
> OpenVPN if these other options can't manage to tunnel out)?
> If it makes that easy to use, then we don't have to worry too
> much about which wifi link is used as long as we can reach the
> VPN server via that link.
>

If OpenBSD auto connects to <open wireless spot> I will have to patch the kernel
to use it.
Auto connection to hotspot, especially the 'open' one, is the worst thing ever.

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
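As an added illustration of the rdomain separation Stefan describes above (not from the thread; the interface name iwn0, the nwid/wpakey values, the OpenVPN config path and the `inet autoconf` keyword are assumptions), this is what the split looks like on disk: the wifi link lives in rdomain 1, the tunnel endpoint in rdomain 0, so a process in the default rdomain has no route to the wifi unless the VPN is up.

```conf
# /etc/hostname.iwn0 -- the wifi link is attached to rdomain 1, never to
# the default routing table (iwn0, the nwid and the wpakey are placeholders)
rdomain 1
nwid EXAMPLE-NWID wpakey EXAMPLE-KEY
inet autoconf

# /etc/hostname.tun0 -- the VPN tunnel endpoint stays in rdomain 0 (the
# default), so ordinary applications only ever see the tunnel, not the wifi
up

# Start OpenVPN from inside rdomain 1: its control connection to the VPN
# server goes out over the wifi, while the tun0 it opens is in rdomain 0
# (the path to the OpenVPN config file is a placeholder)
route -T 1 exec openvpn --config /etc/openvpn/laptop.conf --dev tun0

# Check: with the VPN down, rdomain 0 must show no default route, so a
# process in rdomain 0 has nowhere to send packets to the wifi link
route -T 0 -n show -inet
route -T 1 -n show -inet
```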
