[86882] in North American Network Operators' Group
Re: Wifi Security
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Nov 21 10:28:09 2005
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Mon, 21 Nov 2005 09:47:21 EST."
<73345C98-EB2D-4DB5-A8BD-D23D77A51E49@ianai.net>
Date: Mon, 21 Nov 2005 10:27:38 -0500
Errors-To: owner-nanog@merit.edu
In message <73345C98-EB2D-4DB5-A8BD-D23D77A51E49@ianai.net>, "Patrick W. Gilmor
e" writes:
>
>On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
>
>> So my question is pretty simple. You have all these major companies
>> such
>> as google/earthlink/sprint/etc. building wifi networks. Lets say I
>> want
>> to collect peoples information so I setup an AP with the same ssid as
>> google's ap so people connect to it and I log all of their traffic.
>> Most
>> people won't check beyond the ssid to look at the mac address but even
>> that could be spoofed. Is there anyway to verify a certain ap beyond
>> mac/ssid, will there be in the future? How do these companies plan to
>> mitigate this threat or are they just going to hope consumers are
>> smart
>> enough to figure it out?
>
>Why would you even need to set up an AP? Why not just sit and sniff
>traffic? Gets you the _exact_ same information.
>
>And why worry about Google, etc., when Starbucks and airports have
>been doing this for _years_?
>
>Lastly, most consumers are smart enough to know to use encryption
>(the little pad-lock in their browser). Some aren't. Changing the
>WiFi architecture is not going to save those who aren't.
By setting up a fake AP, you can launch active attacks. Sure, people
won't get the right certificate -- and they're not going to notice,
especially if the (unencrypted) initial web splash page says something
like "For added security, all SSL connections from this hotspot will
use Starbucks-brand certificates. Please configure your browser to
accept them -- it will protect you from fraud."
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
