Re: Wi-Fi: Essential Checklist
- From: John Navas <spamfilter1@xxxxxxxxxxxxxx>
- Date: Tue, 02 Dec 2008 10:25:22 -0800
On Tue, 2 Dec 2008 06:33:25 +0000 (UTC), Sylvain Robitaille
<syl@xxxxxxxxxxxxxxxxxx> wrote in
<slrngj9lll.rvv.syl@xxxxxxxxxxxxxxxxxxxxxx>:
John Navas wrote:
While your point in valid in principle, in practice it's far more
difficult to snoop wired Internet traffic than open wireless traffic.
That really depends on which side of the network you're sitting on.
Where I sit, they're both equally trivial. Where the average
script-kiddie sits, perhaps you're right, but the really serious threats
are usually "on the inside", where, once again, they're equally trivial.
I respectfully disagree. Snooping of wireless traffic is orders of
magnitude more likely than snooping of wired traffic, and the really
serious threats aren't hard things like snooping of wired Internet
traffic -- they are relatively easy things like website compromise,
cross-site scripting attacks, and the like.
<http://www.theregister.co.uk/2008/04/16/mystery_web_compromise_unpicked/>
<http://www.channelregister.co.uk/2008/06/05/scansafe_web_malware_survey/>
<http://www.channelregister.co.uk/2008/07/30/websense_high_profile_website_malware_survey/>
Of course they're "vulnerable", in one form or another. I've taken
measures, however to reduce _known_ vulnerabilities to a minimum, to
limit the potential avenues of intrusion, and to increase the likelihood
that a compromise will be detected. That last one matters, and is what
permits me to not worry. Can undetected intrusion occur? Of course, at
least in theory. Is it likely? No.
It's actually likely. The vast majority of intrusions go undetected,
even by folks with serious expertise. Your assumption is unwarranted,
and probably giving you a false sense of security.
Only if your traffic isn't encrypted end-to-end by other means, which
means someone trying to sniff needs only to park himself somewhere
between the wired side of your wireless access point, and the sensitive
data's destination.
It's hard if not impossible to encrypt *all* traffic end-to-end.
When browsing websites that don't support HTTPS for all traffic, as most
don't, then traffic is unencrypted over the public Internet even when
using VPN -- since the remote VPN endpoint isn't at the remote website,
part of the Internet path is unencrypted. Thus I use VPN when at an
open public hotspot (very high risk), but not when I'm using a wired
connection (very low risk).
To be clear, I do protect the transmission of sensitive information
(passwords, bank account numbers, credit card numbers, social security
number, etc), but I don't know of any practical way for me to encrypt
*everything*. If you really do know how to do it, then please educate
me... ;)
But then even with end-to-end encryption you are still vulnerable to
compromise of and at the other end, which is a far more likely risk.
I worry much more about the security of businesses on the Internet than
I do my own security and wired Internet security, and with good reason.
One of a great many cases in point:
"This week also saw the personal information of almost 1,000 bank
customers lost by an employee of Bank of Ireland, after the data was
copied onto an unencrypted USB memory stick."
Consider the layers above the backbone. Your traffic does not pass from
personal wireless link, to backbone, to destination host. There are
other layers involved. The security of the data in transit is only as
good as the weakest form of security applied to it within the entire
end-to-end trajectory.
Sure, but I think you're worrying about the wrong problem. I don't take
precautions against struck by meteorites while walking around outside,
but I do take precautions against getting hit by cars. I might be
killed by a meteorite, but I won't get hit by a car while worrying about
meteorites. ;)
Actually it encrypts the traffic.
Encrypting the traffic (over a single short network link) has nothing to
do with the previous statement of protecting the computer from attack
over the wireless network.
Of course it does, since malware traffic can't be successfully injected
into the encrypted transmissions.
I disagree on both counts. Feel free to provide real evidence to back
up those contentions.
Try getting onto a WPA-secured network for which you don't know the
"key", and see "evidence" that it works well at providing access control.
Start examining some packet traces, of traffic over both the WPA-secured
wireless network, where you'll see that WPA works well at encrypting
traffic over that link, then the same traffic over the wired portion of
the network after it leaves the AP, and see WPA fall short. Need more
evidence than that?
Yes, I need real evidence that snooping of traffic over the wired
Internet is a *significant* (not just theoretical) risk, especially as
compared to other risks.
--
Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
John Navas FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
.
- Follow-Ups:
- Re: Wi-Fi: Essential Checklist
- From: Sylvain Robitaille
- Re: Wi-Fi: Essential Checklist
- References:
- Re: Wi-Fi: Essential Checklist
- From: Sylvain Robitaille
- Re: Wi-Fi: Essential Checklist
- From: John Navas
- Re: Wi-Fi: Essential Checklist
- From: Sylvain Robitaille
- Re: Wi-Fi: Essential Checklist
- Prev by Date: Re: WinXP wireless problem...
- Next by Date: Re: Wireless Disconnects
- Previous by thread: Re: Wi-Fi: Essential Checklist
- Next by thread: Re: Wi-Fi: Essential Checklist
- Index(es):
Relevant Pages
|
