Re: AT&T WiFi at McDonalds, etc
- From: Jeff Liebermann <jeffl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 02 Nov 2007 23:11:26 GMT
On Fri, 02 Nov 2007 18:11:04 GMT, John Navas
<spamfilter1@xxxxxxxxxxxxxx> wrote:
>> Ok, allow me to propose a dumb compromise. Just hang the WPA-RADIUS
>> login and password on the wall of the hot spot. Something trivial
>> like:
>> login: McDonalds
>> passwd: free-lunch
>> Each user now gets an encrypted session. It won't stop someone from
>> logging in from the neighbors or the parking lot, but the wireless
>> sessions can't be sniffed and the keys can't be recovered. Of course,
>> this requires a local RADIUS server, but those are available.

> That's a good suggestion (and not what I assumed you were proposing).
> I nonetheless see some potential problems:

> 1. It's vulnerable to masquerading, and to malfeasance by the operator.

I don't see how. Each session has a unique WPA encryption key. In
order to do a man in the middle, session hijack, or AP impersonation,
the attacker would need to first crack the WPA key. Since it's not
stored in the clear anywhere except in the RADIUS server (argh, I
forgot to encrypt it in the SQL database), it can't be extracted and
has to be cracked.

> 2. You have to assume the RADIUS server is actually handing out unique
> session keys,

Assumption, the mother of all screwups. Yeah, that's true. A very
quick Google search didn't show any vulnerabilities. I'll do some
more digging on the security sites tonite.

> 3. It's not universal -- only works on certain hotspots.

True. Frankly, I don't care if it's not universal. I'm trying to
give my customers some added security by making their hot spots sniff
proof. If the others want to follow my lead, I'm all for it.

> 4. Vulnerable to local wired network sniffing, unlike VPN.

True. I can't do anything about the real possibility that someone
might plug into the ethernet and try to sniff the traffic. However,
that's very difficult with an ethernet switched network. The router
traffic all goes directly to the internet. Another local computer
plugged into the switch sees nothing. Someone could substitute a
10/100 hub for the ethernet switch, but that's getting a bit far
fetched.

> What I actually said was:
>> What you propose requires messing with authentication on the client
>> computer...
> As in typing in a userid and password. Sorry for not being more clear.

You were clear enough, but used a bad choice of words. Login and
password are authorization. 802.1x and RADIUS are authentication.

> Fair enough -- I'd personally rather install and configure a VPN client
> once that can then be used everywhere securely, but as always YMMV.

Which flavor VPN? PPTP, L2TP, IPSec, or SSL. IPSec can be a mess.
The others are very easy at the client end.

> VPN is inherently more secure, and universal to boot.

I'll spare you my horror stories of VPN client compatibility. I
recently spent a fun afternoon trying to bludgeon the Cisco VPN client
3.7 into connecting to a Watchguard SOHO 10 router v5.0. No luck.
However, the new GreenBow IPSec client worked, so the customer is now
debating either replacing a $500 router and licenses, or paying
$45/seat. IPsec VPN may be more secure, but compatibility with
existing hardware is not one of the strong points.
<http://www.thegreenbow.com/vpn.html>

> I always use VPN when out and about -- don't you?

I wish you hadn't asked that. On one of my laptops, I have 3 different
boot profiles, to handle 3 different IPSec VPN ships that refuse to
coexist in the IP stack. My other two laptops have nothing, mostly
because I don't use them at hot spots. I do use them at clients, but
most (not all) of those use WPA-PSK. My Windoze Mobile 2005 PDA can
probably use a VPN client, but I haven't even looked for one to use.

Incidentally, I finally bought a Canon S5-IS camera. I doubt it will
improve my photography, but it sure looks impressive. Anything with
that many buttons must be powerful.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS
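The key-hierarchy point Jeff relies on in his answer to problem 1, as an added illustration that is not part of this thread: with WPA-PSK every station derives the same PMK from the posted passphrase, so anyone who knows it and sees the handshake nonces can compute a session's transient key, whereas with WPA-RADIUS (802.1X) the PMK comes from a per-session EAP MSK, so the posted login/password alone does not yield it. The SSID, passphrase, MAC addresses and nonces below are constructed values, and `msk_to_pmk` takes the MSK as given rather than running an EAP method.

```python
import hashlib
import hmac
import os


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Every station on the hotspot derives this same PMK from the posted passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def msk_to_pmk(msk: bytes) -> bytes:
    """802.1X/EAP: PMK = first 256 bits of the MSK the EAP method produced for THIS
    session. The RADIUS server hands it to the AP over the wired link and the client
    derives it inside the EAP tunnel; it is not a function of login/password alone."""
    return msk[:32]


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK from the 4-way handshake inputs; returns (KCK, KEK, TK), 16 bytes each for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return ptk[:16], ptk[16:32], ptk[32:48]


def observer_recovers_tk(pmk_source: str) -> bool:
    """Constructed scenario: a client associates while an observer who knows the posted
    credentials has captured both MACs and both nonces (all sent in the clear)."""
    ssid, passphrase = "McDonalds", "free-lunch"            # the values on the wall
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    if pmk_source == "psk":
        client_pmk = psk_to_pmk(passphrase, ssid)          # same for every station
    else:  # "eap": fresh MSK per session, never visible to the observer
        client_pmk = msk_to_pmk(os.urandom(64))
    observer_pmk = psk_to_pmk(passphrase, ssid)             # all the observer can compute
    client_tk = derive_ptk(client_pmk, aa, spa, anonce, snonce)[2]
    observer_tk = derive_ptk(observer_pmk, aa, spa, anonce, snonce)[2]
    return client_tk == observer_tk
```

`observer_recovers_tk("psk")` is True and `observer_recovers_tk("eap")` is False, which is the difference between posting a PSK and posting a WPA-RADIUS login.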