2014-09-30 15:16 GMT+04:00 Stefan Sperling <s...@openbsd.org>:
> On Tue, Sep 30, 2014 at 02:37:08PM +0400, Vadim Zhukov wrote:
>> Yes, I've seen that behaviour. And it actually bothers me - what if I
>> get associated with an untrusted network, and my already opened
>> Ajax-enabled browser starts to transfer data via it without
>> notification?.. This can be avoided by forcing some unlikely nwid in
>> hostname.if, but this is not "secure by default". Or maybe I search
>> for security in the wrong place, dunno...
>
> Why do you even already have an interface that is up when
> entering an untrusted environment?
>
> How can you be sure that you're connecting to the right AP even
> at home? The AP is usually not authenticated. I could come to your
> house with a strong antenna AP and grab associations from anything
> that attempts to use open wifi, no matter what nwid/bssid the devices
> would want to use. If I managed to figure out your WPA key you'd have
> to set up WPA enterprise and authenticate the AP to prevent a snooping
> attack, or just forget about wifi offering any form of snooping protection
> and use some kind of VPN (just like you would on the internet).
>
> I don't use netstart on laptops. I leave all interfaces down at
> startup (empty hostname.if files) and always re-configure them
> manually as needed. I make sure laptops always use a VPN (unless
> I'm at home, so if someone figures out my nwkey and comes to my
> place I'm owned). I don't care if the wifi is open or encrypted,
> it just provides an uplink I can run VPN on top of.
> My setup currently runs wifi interfaces and OpenVPN in rdomain 1.
> Anything else is in rdomain 0 so there is no chance some random
> application will leak traffic to the wifi link.
>
> Still, I would welcome a more convenient solution than this.
> I'm just not sure we've found it yet.

This is a very good point, indeed: if someone wants to be safe, he
should start caring from the beginning. So we have the following use
cases then:

1) Trusted networking, as in 802.1x auth (hello, wpa_supplicant). We
search for a trusted network and use it if possible. This will be
possible if we move in the way I propose.

2) Secure tunneling: nothing gets out of the interface except what is
needed for the IPSec/OpenVPN/etc. tunnel.
There is one corner case: web auth networks; I have some ideas there
but let's postpone this case until some code arrives. With automatic
interface address removal on de-association (I think this should be
done always?), this case will be easy to have, too.

3) Everything else: false sense of security. Well, WPA2 will save you
from kiddie attacks, and if it's all you really care about, then - fine,
why not? You'd always compare the price of an attack and the price of
the result. If the attack price is high enough (ready-to-use fake BSSs
aren't sold on every street, and compiling your own requires valuable
knowledge) and your data (photos of your new kitty) is not, you can
sleep well. At least, today. And this already works here on my laptop.

In conclusion: I see what could be improved now, excluding the patch
from the thread-starting mail. I'll try to prepare new patches as soon
as possible.

> Can autonetd make use of IPsec and/or SSH-based VPNs (or even
> OpenVPN if these other options can't manage to tunnel out)?
> If it makes that easy to use, then we don't have to worry too
> much about which wifi link is used as long as we can reach the
> VPN server via that link.

Yes, it could. You just tell it "run those commands on
(de-)association, dude" - it could be ipsecctl, wpa_cli and so on. The
idea is that we already have tools - we just need to make them play
together without requiring extra attention from a human.

--
  WBR,
  Vadim Zhukov
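
As an added example (not part of the original thread and not code from OpenBSD or autonetd), here is a shell check for the split described in the quoted message: wifi in rdomain 1, everything else in rdomain 0. The interface names (iwn0, em0, tun0), both sample listings, and the assumption that the tunnel interface itself stays in rdomain 0 are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit ifconfig output for the rdomain split described above.
# Interface names and both sample listings are constructed.

# Print "ifname rdomain" per interface from ifconfig-style text on stdin.
# OpenBSD shows "rdomain N" on the flags line only when N is non-zero.
list_rdomains() {
    awk '/^[a-z]+[0-9]+: flags=/ {
        name = $1; sub(/:$/, "", name); rd = 0
        for (i = 2; i < NF; i++) if ($i == "rdomain") rd = $(i + 1)
        print name, rd
    }'
}

# audit_split UPLINK_RDOMAIN "if1 if2 ...": one line per violation, status 1
# if any. LEAK = uplink interface outside the uplink rdomain; STRAY = other
# (non-loopback) interface inside it.
audit_split() {
    list_rdomains | awk -v rd="$1" -v ups=" $2 " '
        { up = index(ups, " " $1 " ") > 0 }
        up && $2 != rd { print "LEAK " $1 " is in rdomain " $2; bad = 1 }
        !up && $2 == rd && $1 !~ /^lo[0-9]+$/ {
            print "STRAY " $1 " is in rdomain " $2; bad = 1 }
        END { exit bad + 0 }'
}

sample_good() {  # constructed: wifi isolated in rdomain 1
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
EOF
}

sample_bad() {   # constructed: wifi fell back to rdomain 0, em0 moved to 1
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
EOF
}

sample_good | audit_split 1 "iwn0" && echo "split intact"
sample_bad | audit_split 1 "iwn0" || echo "split broken"
```

On a live system the same function can read real output, as in `ifconfig | audit_split 1 "iwn0"`, for example from a script run on association.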
