[OpenWireless Tech] The police came to the AP owner first, then sniffed the air to find real culprit
"Andy Green (林安廸)"
andy at warmcat.com
Thu Jan 3 06:57:45 PST 2013
On 03/01/13 22:30, the mail apparently from californiajack at tormail.org
included:
>> On 03/01/13 20:03, the mail apparently from californiajack at tormail.org
>> included:
>>>> On 03/01/13 15:08, the mail apparently from californiajack at tormail.org
>>>> included:
>>>>
>>>>>> solutions in parallel without spending so much energy knocking down
>>>>>> other people's ideas, more progress will be made. That's not to say
>>>>>
>>>>> These are old ideas, and knocking them down is as easy as knocking WEP
>>>>> down. They are suboptimal, and people should be made aware of the HUGE
>>>>
>>>> What do you mean by comparing VPN to WEP, that it is insecure like WEP?
>>>> It is not.
>>>
>>> VPN is a suboptimal solution like WEP. A (rather beautiful) hack, like
>>> WEP.
>>
>> Words like "suboptimal" and "hack" are not adding anything to
>> understanding the issues: they're, well, just, like your opinion, man.
>
> When your VPN concatenator no longer accepts your password you will
> understand why the VPN is suboptimal: not everyone can use one. It is a
> very complex setup.
There's nothing inherently complex about it, I can install openvpn on my
OpenWRT router and if someone hasn't already can make a local web
interface to cut and paste client certs around from inside my home
network to set it up on client devices as a one-off.
Any certs are selfsigned by the router / "VPN server", there's no
central coordination needed.
>> You haven't shown anything more optimal that delivers the same result
>
> EAP-TLS provides the same result. Actually, it provides something better
No, I mean the result that the AP operator can avoid liability for what
his clients are doing.
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
just provides for clientside certs, that is nice in terms of protecting
clients from each other, but it's not addressing liability.
> than IPsec: it provides link-level security. If you don't know what that
> means, then I really can't show anything more.
>
>> and I don't agree it is a hack layering the encryption like that.
>
> I think its a hack if you expect everyone to do what you have been
> provided by someone else: your corporate VPN.
>
> You can always disable RSN in my solution. You can always have your
> corporate VPN in my solution.
>
> In your solution, you can't. Because its a hack (an old hack.)
RSN as in "Robust Security Network" == WPA2? VPN encryption coverage
from client to his VPN server means the client doesn't need the
obfuscation from WPA any more. The AP operator may want it to restrict
users but you're missing something important about the topic at hand -->
...
>> Do you see now that might help encourage AP owners to allow VPN-only
>> connections from random clients? Or, do you have a better scheme that
>> delivers the same kind of result?
>
> I still don't know what you mean by "VPN-only". So no one should be able
> to use SSH? They shouldn't be able to use IPsec ESP? That isnt
> OpenWireless. If my grandma can't use SSH, or some other protocol, on her
> network because you decided that only VPN is allowed, that is a good
> indication your solution is a hack.
No the proposal is the same AP can at least use WPA at the same time, if
you have a PSK, meaning a single home router will do what people want
today, WPA2 for their local network, and offer this on the side. If you
want to run IPSec or anything else it can work out of its scope too.
The point is that if you associate without IPSEC / WPA / etc
credentials, it will accept your client unencrypted but won't route any
packet that is not UDP and part of a VPN connection action.
So there's at once a very open grant of use, that anyone can walk up and
use it without identity or credentials at all, but at the same time the
very strong restriction the usage is only to get them as far as their
VPN server / home router running a VPN server. From that point, they go
out on the internet "under their own name".
Because an encrypted VPN link is mandatory in that "default" mode,
clients are protected from each other and from a malicious AP... and the
AP operator is protected from whatever the clients are doing.
-Andy
More information about the Tech
mailing list