Penetration Testing mailing list archives
Re: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy Redirects
From: Jon Janego <jonjanego () gmail com>
Date: Thu, 4 Mar 2010 11:26:15 -0600
Chip,

As with most things... "it depends". However, in general, the connection isn't to be considered "secure". Authentication and encryption in the hotspot situations you mention are all handled on the application layer and can vary widely based on the implementation. The most simple hotspot setup just uses a web-based authentication form to store a cookie on your machine and then directs traffic through their internet connection after that.

It would be possible, of course, to set up an IPSEC or SSL VPN tunnel on the machine automatically, but that would require an extra layer of software that most cafes and hotels wouldn't (or couldn't) implement for their customers. All the traffic is therefore hypothetically wide-open to any other client associated with the network and only protected on the application layer.

Of course, your mileage may vary depending on the particular implementation details of the network. Generally speaking, though, any open "free wifi" network should be considered excessively untrusted and dirty. You can protect yourself, however, by tunneling through a secure VPN once you associate to the network.

Hope this helps,
Jon

On Wed, Mar 3, 2010 at 6:19 AM, Chip Panarchy <forumanarchy () gmail com> wrote:
Hello,

I have noticed recently that most cafés which offer Free WiFi do so, not with a Wireless Encryption Method (WEP, WPA, WPA2, LEAP etc.) but with a Forced-Proxy Redirect (usually https with 128-bit encryption).

(I'm sure there's a better way of saying 'Forced-Proxy Redirect'...)

What are the Security implications of using the Forced-Proxy Redirect method rather than a Wireless Encryption Method?

Does the traffic still get tunnelled securely? What are the advantages & disadvantages when comparing these two Design choices?

Please alleviate my concerns.

Thanks in advance,
Chip D. Panarchy

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------