[OpenWireless Tech] Securing Open Wireless

Michael Blizek michi1 at michaelblizek.twilightparadox.com
Fri Jul 29 12:03:20 PDT 2011


On 08:18 Fri 29 Jul, Natanael wrote:
> Comments below:
> 
> Den 29 jul 2011 06.16 skrev "Michael Blizek" <
> michi1 at michaelblizek.twilightparadox.com>:
...
> > These portals will need to die at some point anyway. You have said yourself
> > what kind of cache poisoning attacks will become possible. Also these portals
> > are annoying and make some things hard or impossible - like mobile phones
> > transparently using them.
> 
> Well, this is exactly why we have these discussions.
> Why not create a standardized API for precisely that? (About the
> transparency thing.)
> There could be a way to tell clients that some things are allowed, some
> aren't and that there are certain terms and requirements.
> About the security, I think we can get that working anyway. And as said (or
> implied) before, these screens are ONLY for use when the AP owner wants all
> users to use VPNs, only, and if they use two-way authentication with the
> VPNs then what's the big deal? What can anybody do that they couldn't
> before?

I think there is a lot of confusion here. If the AP owner wants to restrict
allowed data traffic, he can just configure a firewall however he likes. An
API to announce what rules exist might make perfect sense. Tor does this too
and (I think) chooses an exit which allows the user traffic to pass. In the
same way a wireless client could choose a good AP. If all APs block the
requested traffic, the client could display an error instead of showing
"please wait" dialogs for a long time.

However what Christopher and I were talking about was something different.
Basically there are some APs which do not let you into the internet in the
"usual" plug-and-play way. Instead you have to open a browser and accept an
agreement first. This is both annoying and very messy. For example, you
might just want to connect to your VPN. To do this you need to accept the
agreement first. But your VPN client - if configured correctly - will not
allow you to connect to the page. If it does allow this or if you disable it,
the AP operator might be able to do nasty things like cache poisoning.

	-Michi
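The message above argues that a client should be able to tell an open AP from one that interposes an agreement page, and should show an error rather than a long "please wait" dialog. The following is an added example of how a client could make that decision from a single HTTP probe; it is not code from the OpenWireless project or from the poster. The probe URL, the sentinel body and the category names are assumptions: the idea is that the client fetches a resource it controls with known content, refuses to follow redirects, and treats any deviation (redirect to another host, HTTP 511, or rewritten content) as interception rather than as working internet access, which is exactly the case where a VPN client should not be allowed to fall through to plain traffic.

```python
"""Classify an HTTP probe to tell an open AP from a captive portal.

Added example, not code from the OpenWireless project or the original post.
PROBE_URL and EXPECTED_BODY are assumptions: a client would point them at a
host it controls that serves a fixed, uncacheable sentinel string.
"""
from __future__ import annotations

import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.net/ok.txt"   # assumed probe host
EXPECTED_BODY = b"open-wireless-probe-ok\n"      # assumed sentinel content


@dataclass(frozen=True)
class ProbeResponse:
    status: int
    headers: dict[str, str]   # header names lower-cased
    body: bytes


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResponse | None:
    """Fetch the probe URL without following redirects; None means no answer."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return ProbeResponse(resp.status,
                                 {k.lower(): v for k, v in resp.headers.items()},
                                 resp.read())
    except urllib.error.HTTPError as err:      # 3xx, 4xx, 5xx all land here
        return ProbeResponse(err.code,
                             {k.lower(): v for k, v in err.headers.items()},
                             err.read())
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def classify(resp: ProbeResponse | None, probe_url: str = PROBE_URL,
             expected: bytes = EXPECTED_BODY) -> str:
    """Return "open", "captive-portal", "intercepted" or "blocked".

    blocked        : no response at all; the AP drops the traffic.
    captive-portal : HTTP 511 (RFC 6585) or a redirect to a different host.
    open           : 200 with the exact sentinel body; the path is clean.
    intercepted    : anything else, e.g. 200 with rewritten content, which is
                     the kind of in-path substitution that must never be
                     mistaken for working internet access.
    """
    if resp is None:
        return "blocked"
    if resp.status == 511:
        return "captive-portal"
    if 300 <= resp.status < 400:
        target_host = urlsplit(resp.headers.get("location", "")).hostname
        if target_host not in (None, urlsplit(probe_url).hostname):
            return "captive-portal"
        return "intercepted"          # redirect within our own host is unexpected
    if resp.status == 200 and resp.body == expected:
        return "open"
    return "intercepted"


def user_action(verdict: str) -> str:
    """Map a verdict to what a client UI should do instead of "please wait"."""
    return {
        "open": "proceed: bring up the VPN over this AP",
        "captive-portal": "stop: this AP requires an agreement page; do not send plain traffic",
        "intercepted": "stop: responses are being rewritten on this AP",
        "blocked": "error: this AP does not pass the requested traffic",
    }[verdict]


if __name__ == "__main__":
    # Constructed sample responses, not captures from a real network.
    samples = {
        "clean": ProbeResponse(200, {"content-type": "text/plain"}, EXPECTED_BODY),
        "portal-redirect": ProbeResponse(302, {"location": "http://portal.example.org/login"}, b""),
        "portal-511": ProbeResponse(511, {"content-type": "text/html"}, b"<html>accept terms</html>"),
        "rewritten": ProbeResponse(200, {"content-type": "text/html"}, b"<html>accept terms</html>"),
        "no-answer": None,
    }
    for name, resp in samples.items():
        verdict = classify(resp)
        print(f"{name:16} -> {verdict:15} {user_action(verdict)}")
```

A client that wants the "choose a good AP" behaviour described above would run `probe()` once per candidate network and keep only those that classify as "open"; everything else gets an immediate error rather than a spinner, and the VPN is never started over a path that returned "captive-portal" or "intercepted".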
