undefined | Better HN

0 pointsmnw21cam12y ago0 comments

It would mean (for example) that your local coffee shop could MITM their clients connecting to the bank through their free wifi. Being in a privileged network position isn't that hard, with all the mobile devices flying around everywhere.

0 comments

8 comments · 4 top-level

thegeomaster12y ago· 3 in thread

Even worse, from what I've observed, such networks are often not secure even against a trivial ARP spoof attack, so anyone connecting to the coffee shop Wi-Fi could mount this attack.

e12e12y ago

Is there any reasonable way to make them secure against ARP spoofing? As I understand it, it would require individual login from all clients (some form of 802.1x)?

And even if you do protect against ARP spoofing via 802.1x -- you would still need some kind of shared secret/certificate scheme to avoid a fake access point? As anyone sitting next to you is likely to be able to provide a stronger signal than the hotspot...

Reminds me that I had an idea to wrap up some kind of hot-spot with an easy to use internet cafe style time-limited access software distribution and offer up to local businesses... I suppose these days providing a screen for qr-code sharing of details would be a viable option...

apendleton12y ago

To make them immune to the ARP spoofing in the general case is hard, but as I understand it, to make them immune to the specific case of clients other than the gateway impersonating the gateway (which is what people want to do for most MitM) is pretty straightforward. The access point is probably itself the gateway most of the time, so it knows the gateway's MAC (its own), and it can reliably refuse to forward ARP packets for other MACs claiming to be the gateway.

e12e12y ago

> it can reliably refuse to forward ARP packets for other MACs claiming to be the gateway.

I thought most wireless lans acted as an (shared medium) ethernet, that is, they allow clients to send packets directly client to client? That is, I thought [ed:naughty]-client could just broadcast ARP packets directly to the clients? Or does perhaps (ethernet) broadcast traffic go through the gateway?

None of this helps with a rouge AP, of course -- so it might be a bit academic.

2 more replies

ZoFreX12y ago· 1 in thread

Completely unscientific observation: More people in my local coffee shop are using phones than laptops, and more of those phones are Androids than iOS. I know anecdotally that the Chrome browser is very popular on Android. I would give even odds on there being more people to exploit with this than there were with goto fail.

PhantomGremlin12y ago

I use coffee shop WiFi when I access useless sites such as Drudge Report. However, it's not hard to either

a) switch to cellular on a phone before accessing something important like a banking site

or b) use something like Personal Hotspot together with a phone switched to cellular to allow a laptop to access something important like a banking site

That's what I do. I certainly don't trust random WiFi for sensitive communications.

IMO you're much safer relying on AT&T or Verizon to connect you to key sites via cellular service rather than thru WiFi. OTOH I know that in the past AT&T has automatically switched my iPad from cellular to WiFi when I was at a coffee shop that had service from them. So this may be a little tricky in practice.

reaperhulk12y ago

I'm not claiming that being in a position to MITM is super difficult, but in your given example it's unlikely that you'd be vulnerable since web browsers (outside of Chrome on Android) don't use OpenSSL. Additionally, there is a degree of sophistication required to attempt this attack that exceeds that of goto fail. So again, bad, but not as bad as goto fail.

jacquesm12y ago

That would be mostly limited to Konqueror (does anybody still use that?) and Google Chrome on Android.

Which other browsers use OpenSSL?

j / k navigate · click thread line to collapse

0 comments

8 comments · 4 top-level

thegeomaster12y ago· 3 in thread

Even worse, from what I've observed, such networks are often not secure even against a trivial ARP spoof attack, so anyone connecting to the coffee shop Wi-Fi could mount this attack.

e12e12y ago

Is there any reasonable way to make them secure against ARP spoofing? As I understand it, it would require individual login from all clients (some form of 802.1x)?

apendleton12y ago

e12e12y ago

> it can reliably refuse to forward ARP packets for other MACs claiming to be the gateway.

None of this helps with a rouge AP, of course -- so it might be a bit academic.

2 more replies

ZoFreX12y ago· 1 in thread

PhantomGremlin12y ago

I use coffee shop WiFi when I access useless sites such as Drudge Report. However, it's not hard to either

a) switch to cellular on a phone before accessing something important like a banking site

or b) use something like Personal Hotspot together with a phone switched to cellular to allow a laptop to access something important like a banking site

That's what I do. I certainly don't trust random WiFi for sensitive communications.

reaperhulk12y ago

jacquesm12y ago

That would be mostly limited to Konqueror (does anybody still use that?) and Google Chrome on Android.

Which other browsers use OpenSSL?

j / k navigate · click thread line to collapse