On 6 Jun 2006, at 21:21, Spruell, Darren-Perot wrote:
> No. In the scenario Stuart was describing, there's no decryption to
> occur. The originally encrypted traffic is still safe, but when you
> pop in and say "hi, I'm such-and-such IP, honest", the WAP happily
> negotiates a new session key with you and encrypts traffic to you
> (that everyone thinks is going to the real such-and-such IP.) So
> confidentiality is still sort of in place, but not truly
> authenticated.
Ah, I see. That's OK for my needs. Frankly, if that sort of thing
is possible, then it renders the WPA protection somewhat pointless,
if the password is freely available. It's mainly to draw punters
into the hotspot area, and have them feel a little more comfortable
about using a public access point ("Hey, it's encrypted!"). Combine
that with the multiple subnet approach and I think it's already a
step above what most people would require for security.
The feeling I get from all this is that there's no way to properly
secure the network, but there's only so far I can go before the onus
is on the users to get off their asses and be a little more proactive.
It's not totally out of the question to extend the system such that
everyday, non-faffing-around users can just put the password in and
go, albeit with the usual warnings about data security. It's then
reasonably easy to add a client download for a VPN of some sort, to
properly encrypt the end-to-end traffic between client and the
OpenBSD box. IPsec support is native in Mac OS X; I'm sure it's not
enormously difficult to get it running on Windows (hmm, how many
times have I said that...) Projects for another time, I think.
> It's really just a LAN ARP-spoofing attack with the same problems;
> the only good way to do what you would need for the security you're
> thinking of is end-to-end encryption, not link encryption. SSL/TLS/
> etc. for the protocols in use over the WLAN, not cleartext stuff.
The more layers of security, the better. Funny, how when the signal
is contained in a little wire, we feel happier about it and more
secure. As soon as it's being broadcast over RF, you begin to
realise that unencrypted data is no more secure in a CAT5 cable going
over the intar-webs than it is coming out of an antenna. The more
layers of encryption, the harder it is for malicious users. There's
only so much us sysadmins can do...
Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
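The quoted point that a shared-passphrase WPA hotspot reduces to a LAN ARP-spoofing problem suggests the check a defender on the OpenBSD box would want: watch ARP replies and alert when an IP's MAC changes, or when one MAC starts claiming several IPs (the classic sign of a host impersonating both the gateway and a client). The following is an added example in Python, not code from the original thread; the ARP replies are constructed sample data, and `detect_arp_anomalies` and `ArpReply` are hypothetical helpers, not any real tool's API.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: when it was seen and which IP/MAC pair it asserted."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample ARP replies (not captured from the original thread's network).
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway announces itself
    ArpReply(0.5, "192.168.1.20", "00:11:22:33:44:20"),  # a client announces itself
    ArpReply(5.0, "192.168.1.1", "00:11:22:33:44:99"),   # a different MAC now claims the gateway IP
    ArpReply(5.1, "192.168.1.20", "00:11:22:33:44:99"),  # the same MAC also claims the client IP
    ArpReply(6.0, "192.168.1.30", "00:11:22:33:44:30"),  # unrelated, benign
]


def detect_arp_anomalies(replies, known_static=None):
    """Replay ARP replies through an IP->MAC table and return a list of alerts.

    known_static: optional {ip: mac} of addresses that must never move (e.g. the
    gateway). Those entries are pinned: a conflicting reply raises an alert but
    does not overwrite the pinned mapping, so every spoofed reply is reported.

    Alert tuples:
      ("ip-remapped", ts, ip, old_mac, new_mac)
      ("mac-claims-multiple-ips", ts, mac, (ip, ip, ...))
    """
    pinned = {ip: mac.lower() for ip, mac in (known_static or {}).items()}
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)

        # An IP whose MAC changes is the basic ARP-spoofing signature.
        if prev is not None and prev != mac:
            alerts.append(("ip-remapped", r.ts, r.sender_ip, prev, mac))
        if r.sender_ip not in pinned:
            ip_to_mac[r.sender_ip] = mac

        # One MAC answering for several IPs is what a man-in-the-middle
        # looks like; a multi-homed router can also do this, so treat it
        # as a signal to investigate rather than proof on its own.
        mac_to_ips[mac].add(r.sender_ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-multiple-ips", r.ts, mac,
                           tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES,
                                      known_static={"192.168.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

On the sample data the first two replies are silent, the third fires `ip-remapped` for the gateway address, and the fourth fires both `ip-remapped` for the client and `mac-claims-multiple-ips` for the MAC that now answers for both. Pinning the gateway in `known_static` is the cheap win on a hotspot like the one described: the access point's own address is known in advance, so any reply that disagrees with it is worth logging regardless of what else is on the air.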