Posted by Anonymous on September 14, 2007, 12:35 am
Unruh wrote:
> >> >When using the Internet via WiFi at a public place such as a
> >> >library or cafe, it is conceivable that the people running the
> >> >router could be capturing all of your transmissions and therefore
> >> >could be recording your name, account numbers, etc.
> >>
> >> Use ssh.
>
> >This doesn't really add anything over a simple SSL connection.
>
> What simple ssl connection? Wireless access points do not have simple
> ssl connections.
Nor do they have SSH connections, however either one will make
sniffing public access points a fruitless undertaking from the POV of
that sort of attacker. The advantage to HTTPS/SSL is that it's end to
end, and ultimately available to users with modern software. They don't
have to do anything in fact but be attentive to some hard to miss
warnings.
SSH on the other hand is normally employed as a "tunnel" for other
traffic in this scenario, and that protection ends precisely at the point
the SSH server converts encrypted traffic to plaintext. Everything
between the SSH server and a final destination is 100% out in the open.
You do seem to be confused about connections, access, and which security
measures address the various problems associated with "doing business"
over the net.
> >> But the greater danger is that they have put trojaned files onto
> >> the computers. Thus you cannot really trust the puttyssh they
> >> installed
>
> >The scenario is using public APs not kiosks. You're using your own
> >software and machine.
>
> Fine. That was not clear.
It wasn't only clear, it was specifically stated.
> >As long as you're not foolish enough to disable security warnings,
> >and pay attention to them, there's nothing at all dangerous about
> >using sensitive Internet services from WiFi access points. It's
> >safer than handing your credit card to the flunkie behind the
> >counter when you pay for that double mocha latte. Your local library
> >or Starbucks is no more
>
> Untrue. The danger is localised then. It is that flunky who could
> subvert your credit card. You know who he is. In the case of a net
> break it could be someone in Bulgaria or Tibet. That is absolutely no
> comeback making the potential cost of buggering you zero in that
> case, while it is high in the case of your flunky.
Again, you seem confused regarding the identification of threats and
how to mitigate risks. An SSL connection secures traffic between
you and a vendor. Only two parties are privy to details like account
numbers, names, credit card info, passwords, etc. When you physically
hand your credit card to a teller you're introducing a third party, so
in reality your statement about localization is exactly the opposite of
fact because you've increased your potential points of failure by 100%.
And that doesn't even take into consideration other casual observers
like the other customers in line waiting to pay for their double mocha
latte fix. ;)
> >or less trustworthy than your ISP, and your home broadband connection
> >can be "sniffed" by your neighbors as easily as your wireless
> >connection at the AP in many cases.
>
> Not if you run some decent encryption on your home machine.
Wrong.
An SSH server or other encrypted "proxy" on your home machine leaves
egress traffic twisting in the wind. Everything is secured up to that
point, but between your home machine and XYZ-Corp all your data is
free for the taking.
Of course the typical scenario is tunneling SSL/encrypted traffic
through that encrypted SSH connection to your home server, so the
traffic is secure either way. In other words, the SSH/proxy tunnel adds
nothing significant to the equation in the context being discussed.
> >That's why end to end encryption exists folks, to make that sniffing
> >an
>
> End to end needs two ends. Most web sites have only one end, yours.
> The other end is open.
Complete nonsense.
SSL encrypted connections are true end to end encryption. Data is
encrypted before it leaves either end, and not decrypted until it
reaches its destination, regardless of which way it's flowing.
Please do some basic research.
> >exercise in futility. The only thing an onlooker can learn is where
> >you do your business, and contrary to what someone posted things
> >like Tor not only add a layer of encryption similar to SSL/HTTPS,
> >they also remove that piece of information from the equation. An
> >HTTPS connection made through the Tor network is 100% secure no
> >matter where you are or what you're doing when they're used properly.
>
> >> for example, or even the keyboard, since that could be captured.
> >> If it is your own computer, then use ssh, and do not use web
> >> browsers.
>
> >Huh?
>
> >Then how in the heck are you going to actually do anything?
>
> You think people cannot do any thing without web browsers?
Of course they can. But here again you're completely ignoring context.
A vast majority of net traffic is web based, and almost all of the rest
can be easily secured with an "S" version of a given protocol.
SSH is very useful for a lot of things. I use it every single day in
fact to administer remote machines, tunnel sensitive traffic into local
networks (Webmin, router administration, etc.), and simply proxy
traffic that would otherwise be rejected like the connection to the ISP
news server I used to read your posts. :) But for secure connections to
things like your Citibank or Amazon account for example, it's utterly
useless.
None of those types of services run their own SSH servers as far as I'm
aware, in fact doing so would constitute an additional security risk.
So if you're connecting to those types of services insecurely (non-SSL
connections) through an SSH server you're being nothing but a very
misguided fool. And if you are tunneling SSL/TLS encrypted traffic
through a home SSH server you're not adding any significant security to
any transactions you might be making.
The notable and already stated exception of course is the fact that
you're obfuscating where you do business from observers at the AP. For
most people this isn't any concern at all. It's simply not a State
secret that you buy books from Amazon, or bank at Wachovia. If that IS
a priority then by all means use the proper tools to mitigate that
risk. But don't waste time and/or lull yourself into a false sense of
security by misapplying perfectly good tools to the *wrong* job.
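As an added illustration of the point argued above (not code from anyone in the thread), this small Python model treats each encryption layer as covering a span of links on the path from the laptop to the web site, and reports what a passive observer on each link can learn. The hop names, link indices and the four configurations are constructed for the example; TLS is modelled as hiding the payload but not the destination (the server's IP address, and usually its host name, stay visible), while the SSH tunnel hides the real destination only up to the home server where it terminates.

```python
"""Where does each encryption layer actually protect you?

A layer only protects the links it spans: an SSH tunnel to a home box
shields you from the cafe AP, but home -> web site is in the clear unless
TLS covers that stretch too. Hop names and spans below are constructed.
"""
from dataclasses import dataclass

# Path from the laptop at the cafe to the web site. Link i joins HOPS[i] and HOPS[i+1].
HOPS = ["laptop", "cafe AP", "ISP", "home SSH server", "web site"]
LINKS = [f"{HOPS[i]} -> {HOPS[i + 1]}" for i in range(len(HOPS) - 1)]


@dataclass(frozen=True)
class Layer:
    name: str
    start: int               # index into HOPS where the layer is applied
    end: int                 # index into HOPS where it is stripped (decrypted)
    hides_destination: bool  # on a covered link, is the final site hidden too?

    def covers(self, link: int) -> bool:
        return self.start <= link < self.end


# TLS runs laptop -> web site; an observer still learns which site (IP / host name).
TLS = Layer("HTTPS/TLS", 0, 4, hides_destination=False)
# SSH tunnel runs laptop -> home server; inside it the real destination is hidden.
SSH_HOME = Layer("SSH tunnel to home", 0, 3, hides_destination=True)

CONFIGS = {
    "plain HTTP": [],
    "HTTPS": [TLS],
    "HTTP over SSH tunnel": [SSH_HOME],
    "HTTPS over SSH tunnel": [SSH_HOME, TLS],
}


def exposure(layers, link):
    """Return (payload_readable, destination_visible) for an observer on LINKS[link]."""
    active = [lyr for lyr in layers if lyr.covers(link)]
    payload_readable = not active
    destination_visible = not any(lyr.hides_destination for lyr in active)
    return payload_readable, destination_visible


def report(config):
    """Map each link to what a passive observer there learns under `config`."""
    return {LINKS[i]: exposure(CONFIGS[config], i) for i in range(len(LINKS))}


if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for link, (payload, dest) in report(name).items():
            print(f"  {link:32} payload={'READABLE' if payload else 'encrypted':9} "
                  f"destination={'visible' if dest else 'hidden'}")
```

Running it shows the thread's two claims side by side: "HTTP over SSH tunnel" has a READABLE payload on the home -> web site link, and "HTTPS over SSH tunnel" only improves on plain HTTPS by hiding the destination from the cafe AP.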