[OpenWireless Tech] Securing Open Wireless
"Andy Green (林安廸)"
andy at warmcat.com
Thu Jul 28 10:29:23 PDT 2011
On 07/28/2011 06:19 PM, Somebody in the thread at some point said:
Hi -
>> Yeah I don't think the aim should be to authenticate the AP. The AP
>> should not be trusted at all because in fact, you don't know what's
>> going on in there and there can and will be malicious APs.
>>
>> In the VPN case, like SSL, the encrypted tunnel extends from the
>> client to the remote server, the AP is a conduit only for encrypted
>> content he can't decrypt. Then we don't have to care about snooping
>> at the untrusted AP, all he sees is encrypted mush to and from the
>> VPN server.
>
> VPNs are surely a nice solution too. But then the question which VPN endpoint
> do you connect to...
As I wrote earlier, if APs will let VPN traffic through, all that is
needed is for home routers to also provide OpenVPN or OpenSwan the same
way they provide dhcp server or other functionalities. Then the user is
using his own normal home internet connection as the VPN endpoint, made
resolvable by dynamic DNS management most of them already support, and
it doesn't cost him anything; and it's the user's own home IP that
appears in remote logs when using the other guy's AP.
>> he doesn't even know what sites you are visiting inside
>> the encrypted link since DNS can go down there as well.
>
> The AP operator will see the amount of data transfered and the timing. This
> may be enough to know which sites you are seeing. If you want to avoid this,
> you will need to add padding.
Well, he might be able to do that trick from a set of sites he has
profiled the timing of, but he can't do it generally; and he will be
pretty puzzled at my IMAP traffic on its own or interleaved with http or
https when it's all UDP 500 packets. So it's not a very worrying
possibility.
-Andy
More information about the Tech
mailing list