Bruce Schneier is wrong about unencrypted WLAN!

January 12, 2008

Bruce is right in many of his statements, but his latest one (Steal This Wi-Fi) is just populist and tries to provoke people. People with an understanding of this topic will see that and take it the right way, but not those who run an access point / router at home in its default setup. They heard in the media that they have an insecure setup at home, and hopefully thought about changing that – but now a security expert tells them that’s not needed. He is simplifying the whole topic and is forgetting some important points.

Most users who have an unencrypted WLAN also have an insecure PC at home. What is easier for them to do: make a Windows system secure beyond activating the automatic updates, or log in to their router, change the password and configure the WLAN to be encrypted with a 20-character password?
Sure, this still leaves the attack vector via malicious websites and emails, but it is a start, and a drive-by attack is now much more complicated. Would a secure computer help? Sure, but is it realistic?

Bruce also writes about his dear neighbors, who may need his internet access. Some thoughts about this: not all neighbors are your friends. Just talk to your friends and ask them whether all their neighbors are their friends. If you like your neighbors, why not set up an encrypted WLAN, tell them the password and share the costs of the internet connection with them? That helps everyone – except the ISP 😉

But let’s look more closely at his technical points. He says that he is as secure on his unencrypted WLAN at home as at a public hotspot. Public access points normally allow no direct communication between clients. In infrastructure mode all traffic, even between two clients, needs to be relayed by the access point, and in a public access point setup it just makes no sense to enable this client-to-client relaying. Due to the limited address space of IPv4, almost all public access points provide only local IP addresses, which are then masqueraded to one global IP address. Due to these facts, while it is possible to sniff the packets from and to the clients, it is not possible to initiate a direct communication to a client.
But still I would not do my e-banking via a public hotspot. Sure, I trust my notebook and the CAs I’ve installed, and I think the current version of SSL is secure. But still I would not do it. Call me paranoid, but doing something like this at home is different from doing it at a public hotspot.

I believe in layered security. Bruce writes in this commentary that one layer of security is enough (the one of his PCs). I can’t believe that he really means that. If you want to provide yourself with plausible deniability, then use two separate WLANs: one that is unencrypted and provides only access to the internet, and one that’s encrypted with WPA and a password at least 20 characters long, as a passive dictionary attack is possible on WPA. Within this network you and your family can work behind a first line of defense. That is a setup similar to the one FON provides, which he mentions in his commentary. So why should someone like Bruce use the unencrypted network for himself?
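The passive dictionary attack mentioned above is possible because a WPA pre-shared key is computed from nothing but the passphrase and the publicly broadcast SSID, so the passphrase is the only secret. The sketch below is an added example, not part of the original post: it derives the key the way WPA/WPA2-Personal specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) and checks a passphrase against the 20-character recommendation. The function names, the tiny wordlist, the SSID `HomeNet` and the sample passphrases are constructed for illustration.

```python
import hashlib
import math
import string

MIN_LEN = 20  # length recommended in this post
# Constructed stand-in for a real dictionary of common passphrases.
COMMON = {"password", "12345678", "letmein123"}


def derive_psk(passphrase: str, ssid: str) -> str:
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing effort; only holds for randomly chosen characters."""
    alnum = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    alphabet = sum(len(c) for c in alnum if any(ch in c for ch in passphrase))
    if any(ch not in string.ascii_letters + string.digits for ch in passphrase):
        alphabet += 33  # printable ASCII symbols, including space
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def check_passphrase(passphrase: str) -> list:
    """Return the reasons a passphrase should be rejected (empty list = acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrases must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("only printable ASCII characters are allowed")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if passphrase.lower() in COMMON:
        problems.append("found in the common-passphrase list")
    return problems


if __name__ == "__main__":
    # Constructed sample passphrases; "HomeNet" is a made-up SSID.
    for candidate in ("password", "k7#Vd2q!Zr9mX4wLp0eTfB6y"):
        print(candidate, derive_psk(candidate, "HomeNet")[:16],
              round(search_space_bits(candidate)), check_passphrase(candidate))
```

The bit estimate is an upper bound: a long passphrase built from dictionary words or a predictable pattern is far weaker than its length suggests.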

Besides these technical points, one also needs to look at the legal ones. He writes about the situation in the US, which is quite different from the laws in Europe. For example, a German court ruled that the owner of a WLAN is required to make and keep it secure (in German).
And I won’t talk about the problems you get into if the police raid your home, even if they don’t find anything, or about the gossip this leads to in your village.

2 Comments


  1. Another option when surfing over public hotspots would be to set up your own server with a VPN, which provides internet access. Then you can go from the public hotspot to your own VPN, and you are at least sure that the hotspot provider won’t sniff your net accesses.

    Comment by Richard — January 12, 2008 #

  2. Finally someone who doesn’t believe in everything Mr. Schneier postulates.

    Actually I’ve been waiting for some time now for at least some people to realize that a Schneier can also be wrong, at least in some sense.

    A poor lock is better than none. If you don’t have the technical capability or knowledge to secure your WLAN with WPA or, even better, with WPA2, WEP protection is better than none and helps you (at least in most parts of Europe) at least in court.

    Great entry!

    Comment by Markus — January 13, 2008 #
