You still have the possibility of a man in the middle attack if you
aren't careful about verifying SSL certificate warnings.
You could unwittingly join someone's private access point on their
laptop in the cafe who set the BSSID the same as the cafe's official
access point. From there, a few attack scenarios are possible. One
is if you accepted an SSLv2 certificate from the bank, that version
has known crypto weaknesses and is crackable. Unlikely someone would
go through that effort though. Easier still, the access point owner
could shim in a proxy server between you and the bank and depending on
the settings of your browser and your own penchant for clicking
warning boxes to make them go away, many users could be lured into
accepting the proxy's SSL certificate despite it not matching the
bank's domain name. Result: proxy owner sees all your traffic in the
clear. A third scenario, the access point owner redirects your bank
request to an error page or something that looks official enough, but
it's running on a web server on his laptop, and he grabs username
password from ya directly in a kind of phishing attempt.
So... if you are careful to verify certificates and have your web
browser config'd to not accept sslv2 certs I'd say yer secure enough.
Have your guard up.
Another worry is your workstation's external security posture. If
you're vulnerable to getting owned by someone on the local network
because of a lack of patching, or open shares or what not, you'll want
to protect against these so your local workstation doesn't get quickly
owned and fitted with keylogging software.
Best Regards,
--
Todd H.
http://www.toddh.net/
>
> So... if you are careful to verify certificates and have your web
> browser config'd to not accept sslv2 certs I'd say yer secure enough.
> Have your guard up.
So, if I get a certificate is expired or not what it is supposed
to be warning I just run in the opposite direction? Especially if they
aren't showing up at home.
>
> Another worry is your workstation's external security posture. If
> you're vulnerable to getting owned by someone on the local network
> because of a lack of patching, or open shares or what not, you'll want
> to protect against these so your local workstation doesn't get quickly
> owned and fitted with keylogging software.
>
> Best Regards,
Anything special with a MacBook, or should I go ask this question on
one of the Apple groups?
Thanks for all your help.
Kurt
> In article <84tzwfr...@ripco.com>, comp...@toddh.net (Todd H.)
> wrote:
>
>
> >
> > So... if you are careful to verify certificates and have your web
> > browser config'd to not accept sslv2 certs I'd say yer secure enough.
> > Have your guard up.
>
> So, if I get a certificate is expired or not what it is supposed
> to be warning I just run in the opposite direction? Especially if they
> aren't showing up at home.
Right.
> Anything special with a MacBook, or should I go ask this question on
> one of the Apple groups?
They do pretty well so long as you have been applying the loads of
patches Apple's been issuing. There are low level wireless issues
with Macs and PCs as well that got a lot of press at the security
cons last year and I think those have been patched, though that's not
to say that 0day exploits on similar vulns aren't out there, your odds
of getting hit with one at a typical cafe are fairly low.
The security of SSL relies a lot on the user doing smart things with
security warnings, so be diligent. :-) So many folks just click to
make dialog boxes happy and don't read anything, and in that there are
problems. :-)
Thanks. I generally worry about certificate stuff even when I am home
and non-wireless directly into the modem. Paranoia runs VERY deep
outside the house. (g).