On Mon, 21 Nov 2005, Joel Jaeggli wrote:
On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:
<snip>
What do you learn by looking at someone's ipsec, ssl-wrappered, or ssh tunneled traffic?
no, we're not trying to do that, you dont really think that because its encrypted it cant be decrypted do you?
I do believe (reasonably so, I think) that if I'm going have a conversation with a second party whom I already trust, that a third party will have trouble inserting themself into the path of that conversation without revealing their presence..
this is assuming that you are talking to the second party and not in fact me sitting in the middle grabbing credentials, possibly by this stage already pretending to be that second party its also assuming you understand your certificates, keys and trust. i'd bet most users will click yes when presented with a 'do you trust this new key' message.
you dont have to break the code if the endpoints trust sessions with you and share their encryption keys
Successfully inserting yourself in the middle requires some social-engineering or really bad protocol design. The former can be mitigated through vigilance, the later falls into the realm of peer review and security research.
you forgot to include 'or user error'.. the protocol may be fantastic but if the user fails to notice a security alert or does something stupid it can be compromised. depending on how good you are you may be able to thwart all but the determined hacker, altho to be fair most people are not going to be a target once they employ basic security such as weak encryption. but if you are a target then its vital to be using strong trusted secuity and know your onions!
If I may paraphrase the original posters question (Ross Hosman), it was:
Do large wireless buildouts present a new security threat due to the potential to spoof AP's?
The answer to that is no, this is a threat we live with currently. We have tools to mitigate the risks associated with it.
mmmmmm.. i'd say yes. wifi is still pretty niche, its in the offices, its in airports and starbucks. once billy bob and his grandpa start using it tho you're bringing it to the masses who arent IT trained, who havent had a security brief, who are running windows thats not been patched for 2 years and who think 'billy' is reasonable for their password so the technology is the same, but the users are new
You can say that consumers are stupid, and won't figure this out,
okay "consumers are stupid, and won't figure this out" :-)
and that may be true; however when it's starts to cost them losts money, they will sit-up take notice and buy tools to solve this problem for them, just like they do with any other security threat that goes beyond being an anoyance. probably said product will be blue, say linksys on it, and have the word vpn (among others) buried on the packaging someplace.
i'm thinking beyond your corporate staff who are currently using these systems (and quite badly if my casual network sniffing in environments with supposedly clued individuals is anything to go by!) my 2-cents :0) Steve