Mixture, to clarify (for the benefit and partial reassurance of others):

Communicating over an usecured wifi LAN does not mean that SSL traffic (HTTPS) is unencrypted, but there is the possibility of a MITM attack, even against SSL.

The MITM attack requires the ability to observe and capture traffic on the network as a preliminary to the attack, the observation of itself is not a MITM attack.

It is indeed dangerous, and this is why SSL connections to corporate VPNs or online banking (for example) have moved to two-factor and / or mutual authentication to defeat the MITM vulnerability.

In this case, the MITM cannot supply the correct certificate or password and cannot spoof the connections.

But all unencrypted traffic is visible on an unsecured LAN, and access to the PC itself also becomes possible, both from the local LAN and potentially from the internet as well.

SD

Saab Dastard,

I feel I should clarify your clarification.

Yes, that's the theory and reason why SSL was invented. To provide a secure means of data transfer over unsecure networks.

HOWEVER

If your immediate upstream router is, unknowingly to you, providing SSL proxy functionality. Then there is the theoretical possibility of a man in the middle attack because your upstream router could imitate the SSL website.

There are also theorectically DNS based and other ways to at least partially achieve the same goal.

As an example of a form of SSL Proxy that does exist today. Corporate quality firewalls, such as those used by banks, will frequently be configured to intercept SSL requests, decrypt them, do security checks or read packets for load balancing purposes, and then re-encrypt data and pass it on.

It's a theoretically lot harder to do MITM with IPSec VPNs back to the office, specially certificate+two-factor based IPSec, ....because there are fewer avenues than SSL.

However I would still encourage reasonable caution when using untrusted networks, even though arguably you are in a better position than going all the way down the security chain and using untrusted PCs (e.g. internet café), which should always assumed to be full of viruses and spyware and never used for sensitive data.




Anyway....all this is getting too complicated and boring for PPRune.... so I suggest we put this topic to rest !

Really?

In that case virtually every large or medium sized company in the world is breaking the law*

I do wonder at the assertions made on here from time to time....


*jurisdiction unknown

Not unless it can somehow forge the SSL certificate, as issued to the genuine site by a trusted public root CA.

Absolutely right - I have implemented such solutions. But the point is that the proxy has the genuine certificate for the protected website!

SD

Saab,

Much as I'd love to mull over it and come up with a counter-argument, I'll stick to my original statement :



(Hint: at least one counter-argument is that there's probably a partial reliance on the fact that the victim is naive in the ways of technology).

banana9999,

Quote:
Originally Posted by ZFT
You think you’ve got problems! Proxy servers are also illegal.


I can assure you that under the 2007 Computer Crimes Act, proxy servers are illegal in THAILAND.

Before hide your ip-address you can check the ip-address in the site IP-Details.com : Find your IP address Information after hide your ip-address whether it was hide or not you can check out it that site you know the software working or not..

A while ago I tried a kind of "distributed anonymiser" system called Tor. It splits your traffic across multiple proxy servers rather than a single proxy.
It works, but performance is a problem. Note that it doesn't remove the need to encrypt your traffic, that's up to the server you're talking to. So (for example) it doesn't make an electronic banking session any safer in itself, but it can hide knowledge of that session from 3rd parties such as governments.

Only if you are daft enough to walk around with your Bluetooth switched on. It's already happening.

bnt,

re: Tor
It does have its weaknesses.

And even if we were to assume it was perfect.... there are a multitude of other options available to those who really want to keep an eye on what you are up to. Many of them are not particularly high-tech or complex either.

I therefore repeat my original statement from August 2008....

Yes, you can make yourself a lot harder to track down. But those with enough weapons at their disposal will make light work of any obstacles you set.

mixture:

Absolutely no issue with having a SPAN/mirror port collect traffic.

The issue is the sheer volume - keeping 90 days worth of traffic in our office in the UK would mean terabytes of storage to be managed. We've not got enough room for all the disks. The only winners are the storage vendors

No, you're more literate than me, you even know what an I.P.address is !

The Nr Fairy:

Slightly confused about the context of your reply....

I assume you are referring to "Data Retention (EC Directive) Regulations 2008", if so I'll PM you ....

Actually, no - the post from end of August 2008 I was replying to, but didn't realise that till just now

Either way the point was that even though technically it's straightforward to comply with regulation requiring the retention of 90 days worth of data from a collection point of view, the storage of the data is nigh on impossible, unless someone comes up with a REALLY dense storage medium.

Going even more off the original point, my view is that if the government wants stuff intercepted then it should damn well have to go to a court to get it organised. Random trawling is ineffectual, the cost falls eventually on the consumer rather than those who want the data in the first place, and the potential for abuse is rife.

The Nr Fairy,

Yes, I was quite surprised to see this thread rise from the dead ! Quite curious that probationer jeeva chose to make a post to this thread his first one on PPRuNe ..... (welcome jeeva ! )

I'll resist your dangling carrot in relation to having a rant ....

Well according to that (and all the other sites that make the same claims) I'm about 200 miles away from my house.
All the sites give a guess and a bad one at that. The closest one has ever got to mine is about 80 miles......

There is always the possibility of this happening to you.

ASFKAP,

Depends on the jurisdiction .... but I would guess in your average Westernised country it would probably not be seen as breaking the law if they were not connecting to the other WiFi dishonestly or with the intent of avoiding paying for their own connection.

Aaah.... but assuming the person who operates the network is a moron, how do you know a savvy individual is not logged into or tampered with the network. It's not exactly difficult to monitor information transmission, and requires even less savvy if unencrypted transmissions are taking place from your browser.


Would suggest you look for ways of changing which network is used by default.

I would hope your PC is using HTTPS connection to the Bank, and that the security on that is sufficient that the bloke watching stuff going through his router can't decipher it anyway.

My laptop and my phone know they aren't allowed to connect to any WiFi network that they haven't been officially introduced to.

Ref. Keef.....
Oh how nice it is to be in a cloud of innocence....

SSL is indeed secure.... as long as you keep your wits about you.

Have a little think about how your average Phishing attack works.

Think about the extra options control over the local router gives you, especially against computers running DHCP to get their IP/DNS details. There is a lot of scope for very realistic looking attacks.

With encrypted communications, it's not necessarily about communications interception (although that of course is the jackpot) .... it's about finding ways to gain keys to the castle. Once you have the keys, you can go take a look around at your own leisure.