Re: Wifi Security

["Steven M. Bellovin" <smb () cs columbia edu>]

In message <73345C98-EB2D-4DB5-A8BD-D23D77A51E49 () ianai net>, "Patrick W. Gilmor
e" writes:
> On Nov 21, 2005, at 9:42 AM, Ross Hosman wrote:
>
> > So my question is pretty simple. You have all these major companies  
> > such
> > as google/earthlink/sprint/etc. building wifi networks. Lets say I  
> > want
> > to collect peoples information so I setup an AP with the same ssid as
> > google's ap so people connect to it and I log all of their traffic.  
> > Most
> > people won't check beyond the ssid to look at the mac address but even
> > that could be spoofed. Is there anyway to verify a certain ap beyond
> > mac/ssid, will there be in the future? How do these companies plan to
> > mitigate this threat or are they just going to hope consumers are  
> > smart
> > enough to figure it out?
>
> Why would you even need to set up an AP?  Why not just sit and sniff  
> traffic?  Gets you the _exact_ same information.
>
> And why worry about Google, etc., when Starbucks and airports have  
> been doing this for _years_?
>
> Lastly, most consumers are smart enough to know to use encryption  
> (the little pad-lock in their browser).  Some aren't.  Changing the  
> WiFi architecture is not going to save those who aren't.

By setting up a fake AP, you can launch active attacks.  Sure, people 
won't get the right certificate -- and they're not going to notice, 
especially if the (unencrypted) initial web splash page says something 
like "For added security, all SSL connections from this hotspot will 
use Starbucks-brand certificates.  Please configure your browser to 
accept them -- it will protect you from fraud."

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb