Security on the client side while using hotspots - Page 2

odoyle81 · 06-12-2005

so all cookies hash passwords using md5?

Can I verify this by looking at the cookie and if I don't see the password in plain text, then it is probably hashed or not present?

So I would assume this is relatively secure since it would be hard to get the ascii password from the hash (if for example someone captured the packet with the cookie). So the password itself would not be compromised. However, couldn't that person use the hash value to create their own cookie and login to the site as you?

Sorry if it was a stupid question. I know how to google search but I looked around and mostly found general information about cookies and privacy, not specific information about cookies and security..

I hope I can "stay out of trouble" in the future...

wrzwaldo · 06-12-2005

Next time rather than hijack somebodys thread why not create your own?

odoyle81 · 06-12-2005

I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.

thanks for the help (note the sarcasm)

streaker69 · 06-12-2005

Quote:

Originally Posted by odoyle81

I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.

thanks for the help (note the sarcasm)

If you're using your machine at a public hotspot that does not use encryption, they will surely have every single packet that you send. That's why you should never send any private information over unencrypted AP's without secondary encryption methods, like VPN.

odoyle81 · 06-12-2005

VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

Thorn · 06-12-2005

Quote:

Originally Posted by odoyle81

I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.

thanks for the help (note the sarcasm)

Wrong.

This has NOTHING to do with wireless. While it is true that the wireless makes it easier to sniff and capture the traffic, don't think for a momemnt that it's safer on the wired side. The hotspot or ISP or anyone between you and the site could sniff if on the wire.

Don't confuse a standard security issue with a wireless security issue.

Quote:

Originally Posted by odoyle81

VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Define "good enough"? You're the only one who can make that determination.

Frankly, some stuff I do, I don't give the hind end of a rat if anyone sees it. Other stuff that I am more concerned about, I encrypt on the drive before it ever gets near the wire, and it never goes wireless. That's adequate for those purposes, but would not stand up to any scrutiny by anyone who stole the drive and used sector tools to examine for the pre-encrpyted state. That is an acceptable risk in this case.

Define your risk, and then you can determine if something is "good enough."

Quote:

Originally Posted by odoyle81

Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

First, it depends on whether they are encrypted sites or not. (Duh.) Most cookies are plaintext for the username. Some, which are not usng SSL or the like, use a plaintext password, too. Go back and search Google. Hell, for that matter, just start examining your own cookies. You can see all sorts of things like usernames, hashes, passwords, expiration dates, etc.

odoyle81 · 06-12-2005

thanks alot Thorn. I appreciate you actually addressing the point of my post

It is true that you can capture packets on wired connections but I think it takes more effort and dedication (read: malicious intent) than someone sitting in a coffeeshop running ethereal in promiscuous mode. Its much more of a concern when using wireless. I don't think people would target my line specifically - I'm not important. I found this thread in which the original post describes my issue precisely, and I thought I could post here and hope for a quick answer instead of having to learn all the basics of cookie management. My bad.

I finally found a program that allowed me to view cookies from opera (the browser that I use). I couldn't find any plain text passwords so they must all be hashed.

You're right I didn't define "good enough", but I agree with you - most of the stuff I do, I don't really care if someone else sees it. Basically making it somewhat time consuming to actually do anything with the packets I send will probably influence anyone listening to move onto easier targets. So for me, SSL for banks and email is "good enough", and as long as I don't send personal data in the open, the weekend cracker will be deterred, and as I'm not a target for a dedicated cracker, I'll be fine.

Thanks

G-WISP · 02-23-2006

If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.

MikeP928 · 02-23-2006

Quote:

Originally Posted by G-WISP

If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.

Responding to 8 month old posts is usually a waste of time, yours for posting and then a lot of ours checking new posts.

MikeP

nashr · 02-24-2006

My current list of web-based proxies.

http://www.ohmyproxy.com/
https://proxify.com/

These are apparently all the same service:
http://www.safeforwork.net/
http://www.vpntunnel.net/
http://www.vtunnel.com/

Caveat: I'm not sure if these actually hide the entire session, or if they just obscure the URL to sniffers. I haven't done the research, and don't have the time. Use at your own risk.

chevyn8 · 02-25-2007

http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. Use webmail instead of just pop. Firewall on. Connect to a known ssid, ask if needed.

Airstreamer · 02-26-2007

Quote:

Originally Posted by chevyn8

http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. Use webmail instead of just pop. Firewall on. Connect to a known ssid, ask if needed.

Unless it's SSL, it's still 'in the clear.'

02-24-2006	#25 (permalink)
nashr Uber Geek Join Date: Aug 2002 Location: Virginia Posts: 1,624	My current list of web-based proxies. http://www.ohmyproxy.com/ https://proxify.com/ These are apparently all the same service: http://www.safeforwork.net/ http://www.vpntunnel.net/ http://www.vtunnel.com/ Caveat: I'm not sure if these actually hide the entire session, or if they just obscure the URL to sniffers. I haven't done the research, and don't have the time. Use at your own risk. __________________ Help! I've been Simpsonized!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

06-12-2005	#16 (permalink)
odoyle81 Registered Member Join Date: Jun 2005 Posts: 5	so all cookies hash passwords using md5? Can I verify this by looking at the cookie and if I don't see the password in plain text, then it is probably hashed or not present? So I would assume this is relatively secure since it would be hard to get the ascii password from the hash (if for example someone captured the packet with the cookie). So the password itself would not be compromised. However, couldn't that person use the hash value to create their own cookie and login to the site as you? Sorry if it was a stupid question. I know how to google search but I looked around and mostly found general information about cookies and privacy, not specific information about cookies and security.. I hope I can "stay out of trouble" in the future...

06-12-2005	#17 (permalink)
wrzwaldo I amuse you? Join Date: Dec 2003 Posts: 9,141	Next time rather than hijack somebodys thread why not create your own?

06-12-2005	#18 (permalink)
odoyle81 Registered Member Join Date: Jun 2005 Posts: 5	I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data. thanks for the help (note the sarcasm)

06-12-2005	#20 (permalink)
odoyle81 Registered Member Join Date: Jun 2005 Posts: 5	VPN or SSL... I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down). My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it). Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

06-12-2005	#22 (permalink)
odoyle81 Registered Member Join Date: Jun 2005 Posts: 5	thanks alot Thorn. I appreciate you actually addressing the point of my post It is true that you can capture packets on wired connections but I think it takes more effort and dedication (read: malicious intent) than someone sitting in a coffeeshop running ethereal in promiscuous mode. Its much more of a concern when using wireless. I don't think people would target my line specifically - I'm not important. I found this thread in which the original post describes my issue precisely, and I thought I could post here and hope for a quick answer instead of having to learn all the basics of cookie management. My bad. I finally found a program that allowed me to view cookies from opera (the browser that I use). I couldn't find any plain text passwords so they must all be hashed. You're right I didn't define "good enough", but I agree with you - most of the stuff I do, I don't really care if someone else sees it. Basically making it somewhat time consuming to actually do anything with the packets I send will probably influence anyone listening to move onto easier targets. So for me, SSL for banks and email is "good enough", and as long as I don't send personal data in the open, the weekend cracker will be deterred, and as I'm not a target for a dedicated cracker, I'll be fine. Thanks

02-23-2006	#23 (permalink)
G-WISP Registered Member Join Date: Feb 2006 Location: Gloucester UK Posts: 6	If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones. Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK' If your running VPN then compression server and client software will help.

02-25-2007	#26 (permalink)
chevyn8 Registered Member Join Date: Feb 2007 Posts: 1	http://www.torrify.com/software_torpark.html The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. Use webmail instead of just pop. Firewall on. Connect to a known ssid, ask if needed.