UK Government Set To Kill Wi-Fi Hotspots

I saw this on the comments section and I would love answers to this as well:

1. I download email to Outlook rather than leaving everything in webmail. Can hackers get into my laptop and read mail previously downloaded into Outlook?

2. Am I vulnerable while Outlook logs in and collects and sends email and is there anything I can do to protect this using public WiFi?

3. Can hackers get into anything else on my laptop?

4. How about using a broadband mobile account instead of free public WiFi? Is this safe from hackers?

I use my broadband mobile account almost all the time instead of free public WiFi
 
I use my broadband mobile account almost all the time instead of free public WiFi

Don't know about mobile broadband (as I assume it connects straight to the phone network so people can't use cheap electronics to intercept the signal?), but public wifi isn't hard to gather info from even if it uses a https site. If the guy is just using Outlook and it isn't connecting to a secure server then hitting send/receive will send the username and password in plain text.

If someone has a laptop set up for a man in the middle attack (MITM attacks mean ALL data passes through the attackers laptop as they act as the gateway) then if you are connected to the same wifi spot then they can easily get the username and password using a simple sniffer. It doesn't mean they can then go and get access to the laptop's hard drive (unless the guy uses the same username and password and doesn't have a firewall turned on!) but they can access the email using the details.

If the guy uses webmail and goes to a http site then it's just as easy to capture website passwords and also https ones too. One method involves "spoofing" the SSL certificate but the end user will get a certificate error saying "The site doesn't appear to be using a genuine certificate" but most users just click to continue and because everything looks normal they just think it was a problem with the website itself. Another method is SSL redirection where the MITM attack actually converts the HTTPS page to a HTTP page so it isn't encrypted then the traffic is sniffed that way. The end user will not see any certificate errors, but if they are keeping an eye out they will notice the site doesn't show as secure or have a https start to it anymore. This is a lot easier to miss as most people just type in an address and don't check for a padlock as some sites don't show a padlock until you enter your details.

More expensive networking gear can detect ARP cache polluting to stop MITM attacks, but there are other ways to do it too (DHCP spoofing, etc). In some ways I wish I had never started the ethical hacker course (but alas it was done through work for a security role) as it showed me how easy it was, but it also showed how important using VPNs, etc are when using a public wifi spot for work stuff and also just how un-secure the average piece of computing equipment is.

Personally I don't know why all websites don't use internet banking style logins that require you to only type a few letters of the password in rather than the full thing. If this was common practice, then the whole username/password being sent in full issue won't be a major problem as it currently is for all webmail sites that I know about. If you were only required to type in 3 characters randomly of your password (say 1st, 7th and 3rd) then the MITM attacks wouldn't be as effective as they would only capture random characters.
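
The post above mentions that ARP cache pollution can be detected. As an added example (not part of the original post), here is a host-side version of that check: it reads an `arp -a` style table and flags a gateway whose MAC address is shared with another host or differs from a previously recorded value. The sample table, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `arp -a` layout; not captured from a real network.
SAMPLE_ARP_TABLE = """\
? (192.168.1.1) at aa:bb:cc:00:00:05 on en0 ifscope [ethernet]
? (192.168.1.23) at aa:bb:cc:00:00:05 on en0 ifscope [ethernet]
? (192.168.1.40) at aa:bb:cc:00:00:09 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
"""

ENTRY = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{11,17})")

def normalise_mac(mac):
    """Lower-case and zero-pad each octet (some systems print a:b:c:0:0:5)."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table

def find_arp_anomalies(table, gateway_ip, known_gateway_mac=None):
    """Heuristic check for the signs a poisoned ARP cache leaves on a client."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # The gateway's MAC also answering for another IP suggests one host
    # is claiming to be the gateway.
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("gateway-mac-shared", mac, sorted(ips)))
    # The gateway's MAC differing from the value recorded earlier.
    gw_mac = table.get(gateway_ip)
    if known_gateway_mac and gw_mac and gw_mac != normalise_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", gw_mac, [gateway_ip]))
    return findings

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    print(find_arp_anomalies(table, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

Both findings are heuristics: a router with several addresses on one interface can share a MAC legitimately, so a hit calls for a closer look rather than proving interception.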
 
Personally I don't know why all websites don't use internet banking style logins that require you to only type a few letters of the password in rather than the full thing.

This is actually a bad idea. It is very hard to store passwords securely that allow for selected character authentication. For example, standard full passwords you can just store a one way hash of the string. How do you do it if you want to validate by a random choice of 3 characters? You need to store a large number of hashes for all possible 3 character subsets out of the whole password, which obviously can be easily brute forced. Banks only get away with it because they have physical security on their sides, personally I still don't think it's a sensible scheme.
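
The storage problem raised in the reply above, worked through as an added example (not part of the original posts): a server that checks any 3 positions using only one-way hashes must keep one hash per position triple, and the input space behind each stored hash is tiny. The 36-symbol alphabet, the 8-character constructed password and all function names are assumptions for this sketch.

```python
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed alphabet, 36 symbols

def subset_hash(salt, positions, chars):
    """Salted SHA-256 over the chosen positions and the characters at them."""
    material = salt + bytes(positions) + "".join(chars).encode()
    return hashlib.sha256(material).hexdigest()

def enroll(password, k=3):
    """What the server has to store: one hash for every k-position subset."""
    salt = os.urandom(16)
    table = {pos: subset_hash(salt, pos, [password[i] for i in pos])
             for pos in itertools.combinations(range(len(password)), k)}
    return salt, table

def verify(salt, table, positions, chars):
    """Login check: the site asks for `positions`, the user types `chars`."""
    pairs = sorted(zip(positions, chars))
    pos = tuple(i for i, _ in pairs)
    return table[pos] == subset_hash(salt, pos, [c for _, c in pairs])

def exhaust_record(salt, positions, stored, k=3):
    """Walk the whole input space behind one record: at most 36**k hashes."""
    for guess in itertools.product(ALPHABET, repeat=k):
        if subset_hash(salt, positions, guess) == stored:
            return guess
    return None

def recover_from_stored_table(salt, table, length, k=3):
    """Rebuild the password from a stored table; returns (password, max hashes)."""
    recovered = [None] * length
    records_used = 0
    for start in range(0, length, k):
        first = min(start, length - k)       # last triple overlaps if needed
        pos = tuple(range(first, first + k))
        guess = exhaust_record(salt, pos, table[pos], k)
        for i, ch in zip(pos, guess):
            recovered[i] = ch
        records_used += 1
    return "".join(recovered), records_used * len(ALPHABET) ** k
```

For the 8-character case the table holds 56 records, and three of them (at most 3 × 36³ = 139,968 hash evaluations) are enough to rebuild a password whose single full-length hash would have a 36⁸ search space. A salt or a slower hash only multiplies that small number.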
 
all the people providing free wi-fi have to do is secure it and give all their customers the code, just have a poster in the shop with it on...

problem solved...
 
^ it's this exactly.

Fools who miss the point entirely, and will happily go along with what the government said or says.

People in general and this country scare me.
 
Networks should be secured and each user should have to request a key. It really isn't a hard thing to set-up and administer.

all the people providing free wi-fi have to do is secure it and give all their customers the code, just have a poster in the shop with it on...

problem solved...

I'm afraid not, this would only work if the key that was assigned to you was verified by your identity.. although they already have plans afoot to only allow internet access once you have swiped your finger into the fingerprint reader that most laptops have nowadays, this would mean everything you do would be tied to your biometric National Identity.

Haggisman understands what this means:

Except due to another piece of new legislation, the cafe/library/etc would then effectively be an ISP and have to keep logs of the details of everyone using it... can you really see that happening?

"Hi can I have a coffee please?"
"Of course sir, would you like to use our wi-fi facility"
"Yes please"
"Ok, before I give you the access key I just need you to fill in this form with your name, address, phone number, date of birth, and I'll need to see some photographic ID with proof of address"
"Actually forget it..."

Although in future this will be shortened to:

'please just scan your Biometric National ID Card over the RFID card reader for your WEP key'



Digital Rights, where the public have none.

This is exactly it.

I'm of the opinion that for example selling CDs with bits of data for £14.99 is no longer viable, as in you don't make much money from it any more, the way to solve your business problems is not by creating legislation to outlaw MP3, you embrace them, as the business sector has finally started doing.

Generally speaking instead of creating more and more legislation criminalising more and more people the government should encourage business to combat copyright infringement in other ways, people I know have said that the only reason they pirate is that it's the only way to get a hold of hard to find films - most of them are also members of companies like Love Film and receive DVDs legitimately on a weekly basis - they just refuse to pay £14.99 for a bit of plastic that they will watch once, maybe twice over the space of 5 years.

Although we know that this will not happen for a while as:

A) The government enjoys criminalising as many people as possible, it means more money, more people in jail, more power and control etc.

B) The business lobbyists think they will lose money as they enjoy charging people £14.99 for a plastic disc that cost them 2 pence to manufacture.

The problem is an unsustainable business model not the internet.
 
yeah course you do...

have you ever logged into Hotmail or equivalent to check your e-mail in an internet cafe?

that isn't secure...

Google only recently changed Gmail in response to actions by the Chinese authorities

I hardly think it's the fault of individuals who innocently log into their e-mail account in a cafe if those are then compromised.

http://en.wikipedia.org/wiki/HTTP_Secure
 
I'm afraid not, this would only work if the key that was assigned to you was verified by your identity.. although they already have plans afoot to only allow internet access once you have swiped your finger into the fingerprint reader that most laptops have nowadays, this would mean everything you do would be tied to your biometric National Identity.

The day my iPhone/MacBook Pro gets a fingerprint reader will NEVER come.

Stupid idea :rolleyes:

Why is the government so useless? :confused:
 
The day my iPhone/MacBook Pro gets a fingerprint reader will NEVER come.

Stupid idea :rolleyes:

Why is the government so useless? :confused:

It doesn't have to be hard fitted, it can be a USB adapter.

I hope it never happens but these plans do exist, it's the most obvious way of linking identity with your Internet usage.
 
I'm really not fussed at all by this news, doesn't bother me at all.

Some of the comments about power and control are over the top to say the least.
 
So basically all public hotspots will have to be like BT Openzone etc.

To be fair, you either hold the business responsible for any criminal activities happening on their infrastructure or force them to secure themselves properly.

As long as this doesn't apply to consumers, I don't think it's too bad.
 