> Hmm, you are touching on some great ideas for wireless security, perhaps
> if wireless devices can integrate certificate based
> authentication...certificates that also use a pin (this as a layered
> feature inside of the WPA cloud). I am going to start combing through
> the web to see if there are vendors out there providing wireless
> solutions with two factor authentication.

Yeah, I'm not as familiar with the more advanced modes of WPA, such as EAP, but there are certainly much safer variants. It's just that you're highly unlikely to find that used at a coffee shop. It would be cool to see a WPA-PSK AP integrated with OpenID, or at least with an interface that easily allows random, short-lived one-user passwords to be generated and used securely in an environment like that.

> This still does not fully address endpoint security though, as one is
> still responsible for ascertaining security between their computer and
> the target site. But it would be a good starting point for mitigating
> mitm attempts.

The list of things I mentioned one needs to check are definitely a problem with software implementations. The fact that browsers even *give you the option* to accept an invalid certificate is a huge issue. If they had simply rejected these from day one, site admins would get their act together and get certs (via public CAs or ones users could install once).

Session cookies distributed over SSL should just never be sent over non-SSL connections by browsers. But since they have been for historic reasons, site admins have expected this, so they have to explicitly set the secure flag to be secure.

At least SSLv2 is finally being phased out... SSLv3 has been available for what, 10+ years?

I could go on and on, but yeah, it's definitely an endpoint issue and a user education issue more than anything with SSL/TLS. If you know what you're doing, you can be perfectly safe, but most people don't.

cheers,
tim

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
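The point about session cookies and the Secure flag can be made concrete with a small audit script. The following is an added example, not code from the thread or from any project mentioned in it: it parses constructed Set-Cookie headers, reports cookies that a browser would still attach to a plain-HTTP request to the same host, and shows the one-token fix a site admin would apply. The browser model is deliberately simplified (it only applies the Secure rule and ignores Domain, Path and expiry matching); the header values and cookie names are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example).

A cookie set over HTTPS without the Secure attribute is, by the cookie rules
browsers follow, also sent on later plain-HTTP requests to the same host,
which is exactly the exposure described in the thread.
"""
from http.cookies import SimpleCookie

# Constructed sample: three Set-Cookie headers as an HTTPS site might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",          # session token, missing Secure
    "csrftoken=def456; Path=/; Secure; HttpOnly",  # correctly flagged
    "prefs=dark; Path=/",                          # non-sensitive, no flags at all
]

# Constructed list of cookie names we treat as session tokens for this audit.
SESSION_COOKIE_NAMES = {"SESSIONID"}


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header line.

    `attributes` is the set of lower-case attribute names that are present
    (e.g. {'path', 'secure', 'httponly'}); flag attributes appear only when set.
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    attrs = {key for key, val in morsel.items() if val}
    return name, morsel.value, attrs


def cookies_sent(headers, scheme):
    """Names of cookies a browser would attach to a request using `scheme`.

    Simplified model: a cookie carrying Secure is sent only over 'https';
    every other cookie is sent over both 'http' and 'https'.
    """
    sent = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent


def audit(headers):
    """Map cookie name -> list of findings; cookies with no findings are omitted."""
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if problems:
            findings[name] = problems
    return findings


def leaked_session_cookies(headers):
    """Session cookies that would cross the wire on a plain-HTTP request."""
    return [n for n in cookies_sent(headers, "http") if n in SESSION_COOKIE_NAMES]


def add_secure_flag(header):
    """The site-admin fix from the thread: append '; Secure' if it is absent."""
    _name, _value, attrs = parse_set_cookie(header)
    if "secure" in attrs:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    print("over http :", cookies_sent(SAMPLE_SET_COOKIE_HEADERS, "http"))
    print("over https:", cookies_sent(SAMPLE_SET_COOKIE_HEADERS, "https"))
    print("findings  :", audit(SAMPLE_SET_COOKIE_HEADERS))
    print("leaked    :", leaked_session_cookies(SAMPLE_SET_COOKIE_HEADERS))
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print("fixed     :", add_secure_flag(h))
```

Running it against real Set-Cookie headers captured from a site's own responses is a quick way to confirm whether the session cookie would survive a downgrade to plain HTTP; the fix is the one-word attribute the thread describes, set on the server side.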
