[OpenWireless Tech] Securing Open Wireless

Michael Blizek michi1 at michaelblizek.twilightparadox.com
Thu Jul 28 12:13:52 PDT 2011


Hi!

On 18:29 Thu 28 Jul, "Andy Green (?????????)" wrote:
> On 07/28/2011 06:19 PM, Somebody in the thread at some point said:
> 
> Hi -
> 
> >>Yeah I don't think the aim should be to authenticate the AP.  The AP
> >>should not be trusted at all because in fact, you don't know what's
> >>going on in there and there can and will be malicious APs.
> >>
> >>In the VPN case, like SSL, the encrypted tunnel extends from the
> >>client to the remote server, the AP is a conduit only for encrypted
> >>content he can't decrypt.  Then we don't have to care about snooping
> >>at the untrusted AP, all he sees is encrypted mush to and from the
> >>VPN server.
> >
> >VPNs are surely a nice solution too. But then the question which VPN endpoint
> >do you connect to...
> 
> As I wrote earlier, if APs will let VPN traffic through, all that is
> needed is for home routers to also provide OpenVPN or OpenSwan the
> same way they provide dhcp server or other functionalities.  Then
> the user is using his own normal home internet connection as the VPN
> endpoint, made resolvable by dynamic DNS management most of them
> already support, and it doesn't cost him anything; and it's the
> user's own home IP that appears in remote logs when using the other
> guy's AP.

To do this we need to solve 2 tasks:
1) Convincing users to set up and use VPNs when connected to insecure
networks.
2) Finding ways for people to set up APs in a safe+open way.

These 2 tasks will probably not assist each other until the very end.

> >>he doesn't even know what sites you are visiting inside
> >>the encrypted link since DNS can go down there as well.
> >
> >The AP operator will see the amount of data transferred and the timing. This
> >may be enough to know which sites you are seeing. If you want to avoid this,
> >you will need to add padding.
> 
> Well, he might be able to do that trick from a set of sites he has
> profiled the timing of, but he can't do it generally; and he will be
> pretty puzzled at my IMAP traffic on its own or interleaved with
> http or https when it's all UDP 500 packets.  So it's not a very
> worrying possibility.

Yes, there are probably more important things at the moment.

	-Michi
