Jose wrote:
Saw an article by accident that kind of contradicts things that have been said here...
HERE
To my understanding of what has been posted here and the links you posted https encrypts the data so even if one set up a twin tower without WPA the server would never be able to get it.
But the guy seems to have some authority on the matter ... :-?
Journalists are often idiots, unfortunately.
A rogue AP is potentially a man-in-the-middle, and connecting to one lets its operator view traffic not otherwise encrypted -- that is to say, TCP/IP never gave you any security on its lonesome, and WEP or WPA only gives you some measure of link-layer security to create a trusted path between yourself and the AP you're using. If you end up trusting the wrong guy, that's 'your problem.'
Again quoting Wikipedia, just because the author put it eloquently:
TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example.
When you bend the OSI model to the real world, TLS is technically on the 'application layer' with everything else that rides atop TCP atop IP.
So... if you're actually connecting to your bank over TLS, you're pretty much fine no matter what link you use, that's the point of the protocol. However, a man in the middle could:
* Set up a man-in-the-middle attack that proxies TLS both ways; this would probably require you to be stupid and trust his certificate, which your browser will warn and complain about. At least, unless you or some monkey in the IT department disabled the warning because it was 'getting annoying' when working with machines with self-signed certificates. (Right process: Add certificate to browser. Wrong process: Trusting every machine to trust one machine.)
* Set up an AP down the street from a coffee shop that has users pay through their browsers for access, copying the appearance of their login and payment pages, probably just implementing it with no encryption so harried users won't see any obvious warnings. Of course, unlike the coffee shop's system, there's no reason to provide service after the details are phished, but a smart attacker could then route things through a single paid login via the real AP to avoid detection. Cheap price for him to pay, especially if he's paying with someone else's CC.
Neither of those compromise encryption, though both do attack weaknesses in the human ability to understand and remain aware of authentication protocols.
Here's an example of a fairly clever attack which has nothing to do with wireless:
http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html

This 'worked' because the offending script was legitimately served by PayPal over TLS, probably embedded in the attacker's username or address string or somesuch. Note that the redirect for the actual attack pointed to a different server, so the URL would be a tipoff -- generally attackers mask these with a few thousand bytes of garbage arguments similar to the real ones PayPal or eBay use during a session.
"Users need to be wary of not using their WiFi enabled laptops or other portable devices in order to conduct financial transactions or anything that is of a sensitive personal nature, for fear of having disclosed this information to an unauthorised third party"?
No, users need to be wary of feeding sensitive details into any system where they don't understand how to authenticate the receiving party and security of the path.
---
Can I have $0.75 for this response? I'm supposed to be working and I've got no change for the soda machine. :-(
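Added example, not part of the original post: a small Python check for the two tipoffs described above, a payment page served without TLS and a redirect to a different server hidden behind a long run of arguments. The function name, the sample URLs and the `attacker.example` / `coffeeshop.example` hosts are constructed for illustration; the check only looks at the scheme and host name, and relies on the browser's certificate validation to bind that name to the real server.

```python
from urllib.parse import urlsplit

def destination_check(url, expected_domain):
    """Return (ok, reason) for a URL that is about to receive sensitive details.

    Only the scheme and the host matter: path and query can be padded with
    anything, so they are ignored on purpose.
    """
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and the port, and is lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "no TLS, so nothing authenticates the receiving party"
    if host != expected_domain and not host.endswith("." + expected_domain):
        return False, f"host is {host!r}, not under {expected_domain!r}"
    return True, "https and expected host"

# Constructed sample URLs (not taken from any real incident).
SAMPLES = {
    "genuine": "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    # Different server, real-looking arguments padded with garbage.
    "padded_redirect": "https://attacker.example/cgi-bin/webscr?cmd=_login-run&"
                       + "session=" + "A9f3" * 750,
    # Expected name placed in the userinfo part; the real host follows '@'.
    "userinfo_trick": "https://www.paypal.com@attacker.example/login",
    # Expected name used as a subdomain label of another domain.
    "lookalike_prefix": "https://www.paypal.com.attacker.example/login",
    # Copied captive-portal payment page served with no encryption.
    "plain_portal": "http://portal.coffeeshop.example/pay",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        ok, reason = destination_check(url, "paypal.com")
        print(f"{label:17} {'OK  ' if ok else 'STOP'} {reason} ({url[:50]}...)")
```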