[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Tue Oct 26 19:27:08 EDT 2010

On Tue, Oct 26, 2010 at 7:02 PM, Lori Paniak
<ldpaniak at fourpisolutions.com>wrote:

> On Tue, 2010-10-26 at 17:26 -0400, Chris Frey wrote:
> > On Tue, Oct 26, 2010 at 05:09:49PM -0400, Khalid Baheyeldin wrote:
> > > I am no expert on wireless encryption, but I think enabling WPA with a
> > > weak password is enough to protect against site login hijacking.
> >
> > Neither am I, unfortunately.  Does WPA2 turn wireless behaviour into
> > a switch based network vs. a hub based network?  i.e.  If you can
> > still use tcpdump to see other people's network activity after you've
> > connected using the public password, then things haven't gotten
> > much more secure.
> >
> > - Chris
> >
> Good question.  Since I'm not an expert either, I did a quick look on
> the interwebs. The conclusion is that if you know the passphrase and you
> capture the initial handshake of a WPA session, then you have access to
> the entire communication stream.  In a coffee-shop setting, I believe
> these conditions would be easy to fulfill.
> With a VPN link to an external (wired) server, it should be
> straightforward to have all traffic routed over the tunnel.  Of course
> the network performance hit is often substantial.
> Really, the architecturally sound method of solving this networking
> problem is for web sites to use SSL for sensitive communications.  I
> mean it's not like https is new tech.  What have people been waiting
> for?  This?

SSL requires that the site owner buys a certificate, which is an added
expense and effort to configure. It also requires that it be updated
manually every year. Yes, you can use self signed certificates, but major
browsers complain with a really scary
warning if you use those.

The other issue is that SSL on the server eats up a bit more CPU for the
encryption than plain text HTTP.

And it is one of these things that if everyone did it, all is well. If a few
major sites don't, then it is less than useful. Compare that to PGP keys for
signing emails. Only a few people use them.

Remember that HTTP is not the only traffic that you will do on a typical
desktop, or smartphone. If you are on IRC, or using Instant Messaging (e.g.
Jabber), then probably you are unencrypted too.

A VPN solves all this in one swoop, for an added performance penalty (a
little bit of CPU, plus the lag from/to the VPN) and perhaps added expense
too (either setup your own, or pay for a service).
Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20101026/db081781/attachment.html>

More information about the kwlug-disc mailing list