  undoIT
join:2008-08-26
| Public Wi-Fi - Wireless Sniffing - SSL
I have a security question about using public internet at a wi-fi hotspot. Many coffee shops offer free public wireless internet access and usually it is not encrypted with WEP or WPA. If I visit a website that uses SSL (https) is it possible for somebody to sniff my username / password? Or, is the data encrypted before it is sent out over the airwaves? |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS | as per entering in bank info, the inputs username and password are encrypted. |
|
  undoIT
join:2008-08-26 | but for sites that aren't encrypted, like social networking sites etc., the forms data could be sniffed right?
is there any way to encrypt all of the data you send while using public wireless even if the signal isn't encrypted? |
|
 docrice
join:2008-03-31 Fremont, CA
| reply to undoIT We've covered this topic before, but you could use existing VPN services or TOR (The Onion Router), the latter comes at the expense of performance unless it's a TOR network run by a single organization (like the one run by IronKey).
That said, there have been some recent developments even with SSL connections that could result in compromise, depending on how the site is set up. I won't go into the details here though. |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
| reply to undoIT we are NOT talking about sites that are not encrypted. Your question was specifically about logging onto public wifi connections that offer SSL login. Of course if you then visit sites and give away information, that has nothing to do with the hosting venue or the login but your own poor security habits. |
|
  undoIT
join:2008-08-26
edit: August 26th, @10:28PM
| said by Anav : we are NOT talking about sites that are not encrypted. Your question was specifically about logging onto public wifi connections that offer SSL login.
A little confused now. Just to be clear, here is the situation:
Wireless router is not encrypted with either WEP or WPA at local coffee shop.
I visit a website with SSL, (https) and login into that website with my username and password. That info is encrypted right and could not be compromised?
Whereas, I visit a site that does not offer SSL, just regular http. Both username and password would be visible to sniffing software. |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by undoIT : I visit a website with SSL, (https) and login into that website with my username and password. That info is encrypted right and could not be compromised? Whereas, I visit a site that does not offer SSL, just regular http. Both username and password would be visible to sniffing software.
First question: That is correct. The information will not be compromised.
Second question: That is correct. The information can be compromised.
Here are links to recent threads on this often asked question, ie. hotspot security.
»Safe at public HotSpots??
»Security at Wireless Hot spots
»Secure Net Access in Hotel Room
Presuming you're running Vista make sure any unsecured public hotspot network you connect to is configured as Public.
»Re: Network settings Public or Private in Vista for Home user? -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
  undoIT
join:2008-08-26
| Thanks SoonerAl. I'm running Ubuntu Linux which has a firewall built-in and is generally much more secure than Windows.
One more question on this.
Example: I'm at home and log in to a website that does not offer SSL. Then I hibernate my laptop and go to the local coffee shop with public internet. The session has not expired for the website I logged into. I continue to use the website which I had logged into at home.
Is the password and username resent to verify the session once I start using the internet at the coffee shop even though I am already logged in? |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by undoIT : Thanks SoonerAl. I'm running Ubuntu Linux which has a firewall built-in and is generally much more secure than Windows. One more question on this. Example: I'm at home and log in to a website that does not offer SSL. Then I hibernate my laptop and go to the local coffee shop with public internet. The session has not expired for the website I logged into. I continue to use the website which I had logged into at home. Is the password and username resent to verify the session once I start using the internet at the coffee shop even though I am already logged in?
I really don't know. Perhaps someone else can answer that. Personally I would just play it safe and presume anything in the unencrypted session is subject to interception and would take appropriate precautions.
I also use Ubuntu, on occasion at least, and like it very much when I do use it. It's certainly faster than Vista on my old Compaq Evo N610c laptop with a whopping 512 meg of RAM... -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
 docrice
join:2008-03-31 Fremont, CA
| reply to undoIT I do not believe so (someone correct me if I'm wrong). Login sessions are based on cookie session identifiers. However, I guess it could be possible that the cookie is refreshed periodically and may cause background authentication using cached credential tokens. Whether the server-side would base this partially on your originating address, I'm not sure.
If the cookie is transmitted during SSL login or renegotiation, then you may be prone to some specific forms of attack. I won't elaborate here due to forum rules (and I don't want my post deleted), but I'll just say that there are avenues of exploitation in these areas.
If you're really curious what happens over your interface, sniff it and see what the traffic looks like. |
|
  undoIT
join:2008-08-26
| said by docrice : If you're really curious what happens over your interface, sniff it and see what the traffic looks like.
That is a good idea. Any recommendations for sniffing software? Or, is it against forum policy to post such info? |
|
 docrice
join:2008-03-31 Fremont, CA | Wireshark. However, do note that promiscuous mode shouldn't be selected when capturing traffic. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T Midwest
| reply to undoIT said by undoIT : Is the password and username resent to verify the session once I start using the internet at the coffee shop even though I am already logged in?
That depends on the site you are visiting.
As an example, with dslreports.com, the password and username are not resent. The userid, which is in essence a username equivalent, is sent. But the cookie authentication depends on a token that is sent, and matched with a database entry at dslreports.com. If somebody were to steal that cookie, they could access the site as you. But they could not change your password. And you could force logout that session, to deny them future access.
There is another site where I am a member, that actually does store the username and password in cookies, and a cookie stealer when using that site could potentially pick up your password. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1 |
|
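The distinction nwrickert draws above, between a cookie that carries an opaque session token and one that carries the username and password, can be checked from a site's Set-Cookie headers. This is an added example, not part of the original thread; the headers, the account name alice and its password are constructed sample values.

```python
from urllib.parse import unquote

# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sid=9f2c1e7ab4d04c55a1b7; Path=/; HttpOnly",
    "Set-Cookie: uid=alice; Path=/",
    "Set-Cookie: login=alice%3Acorrect-horse; Path=/; "
    "Expires=Wed, 26 Aug 2009 22:28:00 GMT",
    "Set-Cookie: bank_sid=77aa01c3e9; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Return (name, decoded value, lower-cased attribute dict)."""
    _, _, rest = header.partition(":")
    parts = [p.strip() for p in rest.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), unquote(value), attrs


def audit_cookie(header, username, password):
    """Flag how one cookie is exposed on an unencrypted network."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain http.
        findings.append("sent-over-http")
    if password in value:
        findings.append("contains-password")
    elif username in value:
        findings.append("contains-username")
    if "httponly" not in attrs:
        findings.append("readable-by-script")
    return name, findings


def audit(headers, username, password):
    """Map each cookie name to its list of findings."""
    return dict(audit_cookie(h, username, password) for h in headers)


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, "alice", "correct-horse")
    for cookie, findings in report.items():
        print(cookie, findings or ["no findings"])
```

A cookie that reports only sent-over-http still lets whoever copies it use the session until it is logged out, which is the dslreports.com case described above.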
  watice
@rr.com
| reply to undoIT just FYI, it's completely possible to sniff out https (ssl encrypted) connections using MITM (man in the middle) attacks. I simply route all of your https traffic to me (using arp poisoning or whatever the topology calls for), intercept all traffic from the webserver, send you a fake self signed cert, and once you accept it thinking the site is secure, everything you do goes through me first.. I've done this personally, it's actually quite simple with the introduction of several programs that automate most of the work for you.
Have a looksee here: »www.youtube.com/watch?v=Aak6-B3JORE
What to do to protect yourself? Make sure that the wifi spot you connect to has a decent admin. Things like static arp entries would help, but again this is something that needs to be done @ the admin level. I actually have an ssl sniffer set up on my router with open wifi for all, so all traffic, wifi or not, encrypted or not, gets logged and sent to me. I'm not using it to steal people's bank accounts or info, simply as a deterrent to show my neighbors the dangers of stealing my wifi signal =) |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T Midwest
| said by watice : just FYI, it's completely possible to sniff out https (ssl encrypted) connections using MITM (man in the middle) attacks. I simply route all of your https traffic to me (using arp poisoning or whatever the topology calls for), intercept all traffic from the webserver, send you a fake self signed cert, and once you accept it thinking the site is secure, everything you do goes through me first.
Yes, this is a risk.
My advice is to check certificates carefully if you are doing anything critical at an insecure or untrusted WiFi hotspot. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1 |
|
  undoIT
join:2008-08-26 | Ok. I'm convinced. No more business away from home. |
|
  undoIT
join:2008-08-26
| reply to watice said by watice : send you a fake self signed cert, and once you accept it thinking the site is secure, everything you do goes through me first..
If you had already accepted the SSL certificates using say Firefox at home then if somebody were attempting this, you would see a new prompt to accept the certificate while using the public internet correct? That would be a tell-tale sign that somebody is intercepting traffic.
In this case, you may be safe using SSL as long as you don't see any new prompts for certificates? |
|
  watice
@rr.com
| said by undoIT : said by watice : send you a fake self signed cert, and once you accept it thinking the site is secure, everything you do goes through me first.. If you had already accepted the SSL certificates using say Firefox at home then if somebody were attempting this, you would see a new prompt to accept the certificate while using the public internet correct? That would be a tell-tale sign that somebody is intercepting traffic. In this case, you may be safe using SSL as long as you don't see any new prompts for certificates?
Right & right. Certs should expire tho, so if gmail issues you a cert for 365 days and you just so happen to see a new cert prompt on expiration day, and reject it, you may be rejecting a legit cert. You should be safe though as long as you use common sense. If it LOOKS shady it probably is. And again, not to dwell on the negative but this ONLY applies for encrypted traffic. Everything else flows across the network in plain text so it's easy to interpret. |
|
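The check discussed above, a new certificate prompt on a public network for a site already accepted at home, together with watice's caveat about expiry, written out as a small trust-on-first-use comparison. This is an added example, not part of the original thread; the byte strings stand in for DER-encoded certificates, and the host name and dates are constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-ins for DER-encoded certificates (not real certificates).
HOME_CERT = b"constructed certificate bytes seen on the home network"
OTHER_CERT = b"constructed certificate bytes presented at the hotspot"


def fingerprint(der_bytes):
    """SHA-256 over the certificate bytes, as shown in certificate details."""
    return hashlib.sha256(der_bytes).hexdigest()


def remember(store, host, der_bytes, not_after):
    """Record the certificate accepted on a trusted network."""
    store[host] = {"fp": fingerprint(der_bytes), "not_after": not_after}


def check(store, host, der_bytes, now):
    """Compare the certificate presented now with the remembered one."""
    known = store.get(host)
    if known is None:
        return "first-seen"             # nothing to compare against
    if known["fp"] == fingerprint(der_bytes):
        return "match"                  # same certificate as at home
    if now >= known["not_after"]:
        return "changed-after-expiry"   # renewal is plausible, check the issuer
    return "changed-before-expiry"      # unexpected change, stop and verify


if __name__ == "__main__":
    utc = timezone.utc
    store = {}
    host = "mail.example"               # constructed host name
    expiry = datetime(2009, 8, 26, tzinfo=utc)
    print(check(store, host, HOME_CERT, datetime(2008, 8, 26, tzinfo=utc)))
    remember(store, host, HOME_CERT, expiry)
    print(check(store, host, HOME_CERT, datetime(2008, 9, 1, tzinfo=utc)))
    print(check(store, host, OTHER_CERT, datetime(2008, 9, 1, tzinfo=utc)))
    print(check(store, host, OTHER_CERT, datetime(2009, 8, 27, tzinfo=utc)))
```

A changed-after-expiry result only says a renewal is plausible; the new certificate still has to validate normally before it is trusted.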
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to undoIT said by undoIT : said by docrice : If you're really curious what happens over your interface, sniff it and see what the traffic looks like. That is a good idea. Any recommendations for sniffing software? Or, is it against forum policy to post such info?
In addition to the suggestion by docrice Wireshark is included or there is a package available for installation in Ubuntu. -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
  undoIT
join:2008-08-26 | Yeah. I saw that Wireshark is in the Ubuntu repos. Very cool! Going to have to give it a try. |
|