Penetration Testing mailing list archives
Re: RE: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy Redirects
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Tue, 09 Mar 2010 08:26:05 +0100
On Friday, 05 March 2010 at 10:31 +0100, Malick Sy wrote:
> Not sure what you mean Cedric, please rephrase, remember we are talking wireless hotspots not paranoid banks, so we probably don't want to start with the EAP/PEAP/ encryption saga.....WPA/WPA2 (802.11x) also require supplicants (Yes Windows ships with one) but this is all a nightmare....captive portals are deployed in airports, hotels, conference centres all over the world....I think they are quite advantageous to the people using them
They are advantageous because people are lazy. Period. Windows has a native supplicant supporting PEAP, OSX too, and they are pretty much transparent for the end-user, asking for a login/password. As for deployments, T-Mobile has been deploying hotspots providing PEAP authentication for instance.

Now, you can argue you need a first step to retrieve access credentials, and that will be achieved using a web access, and starting from there, there is no reason for switching from one open wireless network to another. That I can hear. But tons of hotspots, in "airports, hotels, conference centres all over the world" accept mobile phone operator creds you can directly get on your GSM for instance.

Captive portals, from a user security standpoint, suck. From an administrator point of view too: one can spoof anyone, you lose imputability. Moreover, you have to deploy often complex webapps that are blatantly vulnerable.

Because so many people are using a poor solution, from a security standpoint again, does not mean it is a good solution and you have to use it. You can think slightly out of the box, considering your context.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!