[OpenWireless Tech] Securing Open Wireless

Christopher Byrd chris at riosec.com
Thu Jul 28 12:39:43 PDT 2011


On Thu, Jul 28, 2011 at 2:05 PM, Peter Eckersley <pde at eff.org> wrote:
> Reading your article I gather you mean all the Firesheep-style attacks the
> user is subject to if their OS sends HTTP requests while the VPN is being
> established.

That's part of it. Systems leak a lot of information before the VPN is
established, and most of it is protocols other than HTTP. You can also
use denial of service (DoS) attacks against the VPN connection (hoping
the user decides to use the open wireless without it), exploit the
client and establish a backdoor before VPN establishment (perhaps
using the DoS to give you more time), and inject cached content such
as DNS answers or HTML pages that continues to be used by the client
after the VPN is established.

> Nothing one does in WiFi protocols can make insecure HTTP (or HTTPS) websites
> secure.  The effort required to implement the attack correctly may go up
> slightly, but even if the first hop is perfect attacks can still at minimum
> occur via DNS or via other routers anywhere along the path.

Of course nothing anyone does will make anything perfectly secure. I
do disagree that the effort would only "go up slightly," however.
Sniffing or compromising clients on unsecured wireless is easy, even
for non-technical users that just saw how to capture traffic or use
Firesheep on YouTube.

> For the purpose of an Open Wireless Movement, I think we should be clear that
> our aim is to defuse the "open wireless is insecure" argument by making open
> wifi as good as WPA2-PSK, or better.  Beyond that, the problem needs to be
> addressed at other network layers.

WPA2-EAP-TLS without client authentication makes open wireless (WiFi
is a trademarked term...) more secure than WPA2-PSK, even without
server certificate validation. With server certificate validation it
is more secure still.

> Which EFF is also working on, of course: https://eff.org/https-everywhere

HTTPS-Everywhere encouraging HTTPS adoption is a good thing, although
I think that adoption of HSTS and DANE is more important in the long
term. However, not all web sites will adopt HTTPS, and not all
protocols on the Internet are HTTP.

- Christopher


