Penetration Testing mailing list archives

Re: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy Redirects


From: debiantech <debiantech () gmail com>
Date: Thu, 04 Mar 2010 18:23:16 -0700

I got 2 cents for this thread, maybe more like 10 cents

This type of system is a great "scam" IMHO for IT companies to lock their local business clients into a monthly fee for authenticating to a single radius account hosted in their off-site shops. I'll almost guarantee the coffee shop does not have the Radius or whatever authentication server in their shop minus the possibility of what somebody said about openwrt's captive portal capabilities. I've seen this locally with motels and have been approached by a few and when I told them they were paying $150/month for their "host" to authenticate a single username and password that could be handled in other easier, cheaper methods on site, they were less than happy to say the least. This could also open up an unethical method to generate revenue on-demand by simply "breaking" the authentication server, waiting for a call, and then going to the wireless location for a $100+ service call in order to "fix" the issue.

on the other hand...

I have seen a few "wireless ISPs" that use this method of authentication on a national level, one in particular I worked for. I could see this system to be somewhat useful in this situation when you want to implement a method to sell wireless time, take a credit card for payment, and then open the wireless up to their use with a dynamic username and password. This is also similar to what Qwest has recently done with AT&T wireless which is hosted in several nationwide bookstores, coffee shops, and fast food chains, namely McDonalds and Starbucks. Although I have never messed with it I believe you can buy air time from the AT&T system as well.

The point is there are uses for this type of system although as was stated before, you simply cannot trust a network you do not know and with wireless multiply that anti-trust by at least two. Even if you were connected to an encrypted wireless access point (say wpa2-psk), that encryption only works on the data flying through the air. If that access point traverses a wired network before reaching the outside world, who knows who can listen to the post access-point packets, especially in a hotel/motel type setup where stations for connecting your laptop to a wired port along with the wireless is pretty normal as well. The simple point is, just because the wifi is encrypted doesn't mean you should trust the network. If you didn't set it up, or have no working knowledge of what is there, assume the worst. As is stated over and over with questions like this, the only way you can attempt any type of relatively secure connection on a network like this is to direct your traffic via a tunnel to a trusted outside host first.


Chip Panarchy wrote:
Hello

I have noticed recently that most cafés which offer Free WiFi do so,
not with a Wireless Encryption Method (WEP, WPA, WPA2, LEAP etc.) but
with a Forced-Proxy Redirect. (usually https with 128-bit encryption)

(I'm sure there's a better way of saying 'Forced-Proxy Redirect'...)

What are the Security implications of using the Forced-Proxy Redirect
method rather than a Wireless Encryption Method?

Does the traffic still get tunnelled securely?

What are the advantages & disadvantages when comparing these two Design choices?

Please alleviate my concerns.

Thanks in advance,

Chip D. Panarchy

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------



