[OpenWireless Tech] Open Wireless encryption
dfine at sonic.net
dfine at sonic.net
Fri Jan 4 03:39:58 PST 2013
Let's acknowledge that clients always need to trust the AP unless there
is a third party trust anchor. Because any attacker can act as an AP,
trusting the AP is not a good approach. Examples of trust anchors would
be a VPN beyond the AP or an SSL Certificate Authority for services the
client uses.
At the same time, let's not confuse the two problems we're discussing:
1. Protecting AP operators from legal liability
I think this is a social problem for which there is not necessarily
a technical solution. We need strength in numbers, media and legal
support. AP operators can VPN their traffic to avoid scrutiny, but
that's not our department. Unless people here want to become VPN
operators (I don't).
2. Protecting clients.
People suggest EAP-TLS for that to protect client's traffic from
being sniffed. While that's cool, the client still has to trust the
AP operator. And anyone "resell" a legitimate AP's link to become
the MitM. That is, I'm the attacker and I connect to the internet
cafe's wifi and re-share it, controlling all the authentication
mechanisms along the way. EAP-TLS makes it harder though, and I
think that's pretty much an okay bar to set.
Who wants to have a meatspace discussion in San Francisco this month?
Happy New Year,
--DF
> On 04/01/13 04:36, the mail apparently from Christopher Byrd included:
>
> Hi -
>
>> - VPNs connections are easily blocked on attacker controlled
>> networks
>> (such as injecting TCP resets or dropping packets on evil twin APs).
>
More information about the Tech
mailing list