Euro cops on free Wi-Fi not-so-hotspots: For pity's sake, don't use them for email

Re: SSL Man in middle attack

Except for unpatched iOS device not checking that the certificate actually match the URL

That's not how the iOS SSL/TLS bug works.¹

how would that attack works without pre-installing a new trusted root cert on the device?

I can't be bothered to watch the video, but the SSL/TLS X.509 PKI is leakier than a sieve.

Have you seen how many trusted roots the typical device has? Froyo comes with, like, 57, according to one dump I found online. Do you trust all of the organizations that hold the private keys for those roots to perform due diligence when they receive a CSR?

Or maybe they mean "a MITM attack if the user clicks through a warning".

I suspect they were talking about Why Eve and Mallory Love Android, though. That paper identifies a host of Android apps that misuse the SSL/TLS APIs and consequently have all sorts of vulnerabilities.

SSL/TLS is only as secure its implementations, applications, and PKI. And none of those are in good shape, generally speaking. About the best you can hope for with SSL/TLS is that it increases the work factor enough to make adversaries look elsewhere.

¹And I've never seen a certificate specify a URL as a component of the DN or subjectAltName, though it's certainly possible; but in any case, that's not what SSL/TLS check the certificate against. They check it against the FQDN.

Re: Smartphones

As for a VPN connection, I'm seeing more home-grade routers support the ability... EXCEPT...they only work in Bridge Mode (TAP). Wouldn't you know it? Most smartphones and the only ONLY accept VPNs in Tunnel Mode (TUN). Make routers take Tunnels or smartphones accept bridges and perhaps more people will be inclined to use them by default.

Re: Smartphones

In Android settings; WiFi; Advanced: turn off Auto network switch, Scanning always available.

my 'Droid will still auto connect to known & trusted WiFi (like my home network) but not to anything else (it will ask)

If anyone's too dumb to sort out their settings, just turn the frigging wifi OFF when you're not actually using it (saves battery life a little too)

And if they're dumb enough to connect to "Free WiFi Here", then hell mend 'em.

Re: Smartphones

"At least for me the issue comes with the phone when travelling -- it's always checking for email when there is a network connection, so ends up doing so also on wi-fi hotspots even if the idea was only to read the news at the airport. There really ought to be a setting for the trust level to the network."

Its also probably broadcasting your name all over the place too regardless. The smartphones I can see while doing a packet dump on wifi's in most hotels I've visited certainly do.

Re: No shit Sherlock

" (I can see what you are typing - those asterisks do not fool me)"

I fool everyone.

Everybody thinks my passwords are long and complicated to remember - but the truth is the only thing I have to remember is just how many times to press Shift-8.

Re: SSL?

http://codebutler.com/firesheep/

Re: SSL?

"I don't understand - what can they do if I go to natwest.com and hit log in? Doesn't that keep me on SSL the whole time?"

SSL is only secure if someone is trying to listen in to your data sent to another party on an already established connection. Its of no use if someone *pretends to be* that party when you initiate the connection.

Re: SSL?

You have to assume it is possible for someone other than The Royal Bank of Scotland to get an SSL certificate for natwest.com. That sort of thing has happened in the past.

I would ordinarily say if you limit your use of public WiFi points to basic web surfing (news sites and the like), there would be little to worry about, but then you hear those stories about hotspots being hijacked and any new connections being probed by malcontents for direct penetration points (since by logging in you obtain an IP hackers can use to probe your device directly---part of the spec).

Actually no, a driver has no need to know about basic car maintenance. The only thing he's going to want to know is how to fill the wiper fluid. The rest is handled by his mechanic, unless he doesn't have the means to pay for one. If that is the case, then he'll learn to do everything he can on his own, forced to do so by his own budget. That will be his deciding criteria. As for driving safely, you're likely to get as many opinions on that as people you ask. In the end, people drive the way they want until one day something bad happens and a judge tells them they were wrong.

People act the same with computers, because computers are tools, nothing more. And when you know how to hammer a nail, you know enough about hammers. That is how people think.

Using a computer is not like driving a car, computers are way more complex - but the computer industry as a whole (with Microsoft proudly leading the way) has been trying for decades to make people forget that they are using a complex bit of kit. They have largely succeeded, which is why Joe User knows nothing about computers in general, or his smartphone in particular.

Joe User just fires up his personal computing platform, goes to his trusted social site and TRUSTS THEM to manage stuff properly. I know, it's unbelievable that anyone would actually trust The Zuck (bitch!), but there you have it, people do that.

As for your "they deserve" comment, I am quite sure that if you ever need a lawyer and get one with that attitude, you'll be part of the whiners and bitchers as well.

Or are you going to say that you know your Civil Law code down to the last article ?

IPv6 should sort a lot of this out.

You forgot the joke icon.

IPv6 doesn't appear likely to sort much of anything out in my lifetime, but even if it does achieve significant penetration, it most certainly will not solve confidentiality, authentication, or non-repudiation issues with Internet use. I suppose it'll help a bit with integrity.

Re: Privacy for anyone anywhere ..

Using TOR makes it more likely that your connections will be intercepted, not less. Anyone can run a TOR endpoint.

There's a fascinating talk on YouTube about using SSLStrip to intercept connections. The speaker tested his examples on a TOR endpoint. https://www.youtube.com/watch?v=MFol6IMbZ7Y

Re: How insecure is HTTPS over a public Wi-Fi hot spot?

HTTPS is secure enough to guard against your average snoop, but not really if the snoops are the government.

However, you have to be carefull, because a lot of HTTPS pages have content embedded that is NOT secured with HTTPS. You can spot this by looking at the padlock in the address bar.

Also relying on HTTPS alone is dangerous because while surfing you might forget to check it and find yourself logged in someeher without https (and then it's too late).

So your best bet is to ALWAYS use a VPN (especially when on a wifi hotspot).