[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Wed Nov 3 13:42:54 EDT 2010

On Wed, Nov 3, 2010 at 1:19 PM, Adam Glauser <adamglauser at gmail.com> wrote:

> On 03/11/2010 12:40 PM, Khalid Baheyeldin wrote:
>> To answer the original question on whether moving from no encryption/no
>> password to WPA/WPA2 ...
>> This comments says that it is very unlikely that Firesheep will affect
>> WPA networks, even with a shared key.
>> http://it.slashdot.org/comments.pl?sid=1851220&cid=34106546
>> More specifically, it quotes this:
>> http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake
> I think Lori mentioned this earlier, but it seems that the session key* is
> not securely exchanged.  It seems that WPA-PSK and WPA2-PSK (aka -Personal)
> add the additional effort of capturing these handshake packets.  Firesheep
> may not automate this yet, but perhaps it could.

I read the comment as saying "the individual keys are hard to sniff, making
Firesheep not practical (yet) for WPA networks".

I will leave those with more expertise to comment more here.

> It seems that the -EAP (aka -Enterprise) versions of WPA use a proper
> key-exchange algorithm and aren't vulnerable to this attack**.  I don't know
> all the details, but it seems that using -EAP versions of WPA require
> setting up (or hiring) a RADIUS server.  This also seems to involve
> purchasing a certificate from a trusted authority.  I'm not sure, but it
> might also require extra settings on the client side.  Does anyone know?
> In any case, it seems that using WPA2-EAP is the way to go from a security
> standpoint, but is probably impracticable for most AP administrators.
> * more correctly, the "Pairwise Transient Key"
> ** More detail here:
> http://superuser.com/questions/156869/can-other-people-on-an-encrypted-wi-fi-ap-see-what-youre-doing

Enterprise WPA/WPA2 is not practical for what Paul Nijjar wants, in addition
to being not easy to set up.

It requires a list of authorized people and having logins for each one.

In a public hotspot with no defined set of authorized people, only one-time
people, it does not make sense.

Think about our KWLUG meeting place, coffee shops, The Working Centre,
Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
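To make concrete the point the thread circles around (in WPA/WPA2-Personal the Pairwise Transient Key is derived from the shared PSK plus four values that messages 1 and 2 of the four-way handshake carry in the clear), here is an added example in Python. It is not code from the thread, from Firesheep, or from any Wi-Fi tool; it implements the PBKDF2 and PRF-512 derivation as 802.11i specifies them, using only the standard library. The SSID, passphrase, MAC addresses, nonces and the "EAPOL body" are constructed for the demonstration (the body is a stand-in for the real frame layout, not a parsed frame). The PBKDF2 step is checked against the published 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
"""
Why a shared WPA/WPA2 passphrase does not hide one user's traffic from another
user of the same network.  Added example, not from the mailing-list thread.

802.11i key hierarchy for -Personal:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
The MACs and nonces are sent unencrypted in handshake messages 1 and 2, so
anyone who knows the passphrase and captures those two frames gets the same
PTK as the client.  In -Enterprise the PMK comes out of each client's own EAP
session instead of a shared passphrase, which is why the same capture is
useless there.
"""
import hashlib
import hmac
from typing import Dict, Optional


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: one PMK for the whole network, derived from the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK and the four values visible in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def wpa2_mic(kck: bytes, eapol_body_with_zeroed_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2) EAPOL-Key MIC: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_body_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Constructed "capture": what a passive listener at the next table sees in
# EAPOL-Key messages 1 and 2.  Not real sniffed data.
CAPTURE: Dict[str, object] = {
    "ssid": "CoffeeShopWiFi",
    "ap_mac": bytes.fromhex("0013bbaa1122"),
    "sta_mac": bytes.fromhex("0011aa22bb33"),
    "anonce": hashlib.sha256(b"anonce-demo").digest(),   # 32-byte nonce, constructed
    "snonce": hashlib.sha256(b"snonce-demo").digest(),   # 32-byte nonce, constructed
    "msg2_body": b"stand-in for EAPOL-Key message 2 body with MIC field zeroed",
}
SHARED_PASSPHRASE = "espresso-is-life"   # hypothetical PSK written on the wall


def client_keys(passphrase: str, cap: Dict[str, object]) -> Dict[str, bytes]:
    """What the legitimate client computes during the handshake."""
    pmk = wpa_psk_pmk(passphrase, cap["ssid"])
    ptk = derive_ptk(pmk, cap["ap_mac"], cap["sta_mac"], cap["anonce"], cap["snonce"])
    # CCMP split: KCK (MIC key) | KEK (key wrap) | TK (data encryption).
    # TKIP would append a further 16 bytes of Michael MIC keys.
    kck, kek, tk = ptk[:16], ptk[16:32], ptk[32:48]
    return {"ptk": ptk, "kck": kck, "kek": kek, "tk": tk,
            "mic": wpa2_mic(kck, cap["msg2_body"])}


def eavesdropper_recovers_tk(guess: str, cap: Dict[str, object],
                             observed_mic: bytes) -> Optional[bytes]:
    """Return the victim's temporal key if `guess` reproduces the MIC seen in message 2.

    The captured MIC is what lets the listener confirm the passphrase (or a
    dictionary candidate) without any interaction with the network.
    """
    keys = client_keys(guess, cap)
    return keys["tk"] if hmac.compare_digest(keys["mic"], observed_mic) else None


def simulate() -> Dict[str, bool]:
    victim = client_keys(SHARED_PASSPHRASE, CAPTURE)
    # Another customer knows the same passphrase and sniffed the same two frames.
    same_psk = eavesdropper_recovers_tk(SHARED_PASSPHRASE, CAPTURE, victim["mic"])
    # A listener without the passphrase (or, in -Enterprise, whose PMK came from
    # their own EAP session) gets nothing from the capture alone.
    outsider = eavesdropper_recovers_tk("wrong-guess", CAPTURE, victim["mic"])
    return {
        "shared_psk_user_gets_tk": same_psk == victim["tk"],
        "outsider_gets_tk": outsider is not None,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The practical reading for the coffee-shop case: once the other customer holds TK, they decrypt the victim's frames exactly as the access point does, and Firesheep's cookie matching runs on the plaintext as if the network were open. What the PSK buys is only that the listener must also capture the victim's handshake (or force one with a deauthentication), which is the "additional effort" mentioned above.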