06-12-2005   #21
Thorn
Quote:
Originally Posted by odoyle81
I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)

Wrong.

This has NOTHING to do with wireless. While it is true that the wireless makes it easier to sniff and capture the traffic, don't think for a moment that it's safer on the wired side. The hotspot or ISP or anyone between you and the site could sniff it on the wire.

Don't confuse a standard security issue with a wireless security issue.

Quote:
Originally Posted by odoyle81
VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrypted or as hash values and does this pose a significant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Define "good enough"? You're the only one who can make that determination.

Frankly, some stuff I do, I don't give the hind end of a rat if anyone sees it. Other stuff that I am more concerned about, I encrypt on the drive before it ever gets near the wire, and it never goes wireless. That's adequate for those purposes, but would not stand up to any scrutiny by anyone who stole the drive and used sector tools to examine for the pre-encrypted state. That is an acceptable risk in this case.

Define your risk, and then you can determine if something is "good enough."

Quote:
Originally Posted by odoyle81
Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

First, it depends on whether they are encrypted sites or not. (Duh.) Most cookies are plaintext for the username. Some, which are not using SSL or the like, use a plaintext password, too. Go back and search Google. Hell, for that matter, just start examining your own cookies. You can see all sorts of things like usernames, hashes, passwords, expiration dates, etc.
__________________
Thorn
"Lawyers should never marry lawyers. This is called inbreeding. It produces idiot children and more lawyers."