Security on the client side while using hotspots

HotSpot here, HotSpot there. All you need to know about HotSpots

Postby odoyle81 » Sun Jun 12, 2005 9:43 am

so all cookies hash passwords using md5?

Can I verify this by looking at the cookie and if I don't see the password in plain text, then it is probably hashed or not present?

So I would assume this is relatively secure since it would be hard to get the ascii password from the hash (if for example someone captured the packet with the cookie). So the password itself would not be compromised. However, couldn't that person use the hash value to create their own cookie and login to the site as you?

Sorry if it was a stupid question. I know how to google search but I looked around and mostly found general information about cookies and privacy, not specific information about cookies and security..

I hope I can "stay out of trouble" in the future...
odoyle81
Mini Stumbler
 
Posts: 5
Joined: Sun Jun 12, 2005 8:20 am

Postby wrzwaldo » Sun Jun 12, 2005 10:41 am

Next time rather than hijack somebodys thread why not create your own?
wrzwaldo
 
Posts: 8995
Joined: Sun Dec 14, 2003 12:43 pm

Postby odoyle81 » Sun Jun 12, 2005 11:13 am

I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)
odoyle81
Mini Stumbler
 
Posts: 5
Joined: Sun Jun 12, 2005 8:20 am

Postby streaker69 » Sun Jun 12, 2005 11:17 am

odoyle81 wrote:I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)


If you're using your machine at a public hotspot that does not use encryption, they will surely have every single packet that you send. That's why you should never send any private information over unencrypted AP's without secondary encryption methods, like VPN.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
User avatar
streaker69
 
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby odoyle81 » Sun Jun 12, 2005 11:43 am

VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?
odoyle81
Mini Stumbler
 
Posts: 5
Joined: Sun Jun 12, 2005 8:20 am

Postby Thorn » Sun Jun 12, 2005 12:14 pm

odoyle81 wrote:I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)

Wrong.

This has NOTHING to do with wireless. While it is true that the wireless makes it easier to sniff and capture the traffic, don't think for a momemnt that it's safer on the wired side. The hotspot or ISP or anyone between you and the site could sniff if on the wire.

Don't confuse a standard security issue with a wireless security issue.

odoyle81 wrote:VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Define "good enough"? You're the only one who can make that determination.

Frankly, some stuff I do, I don't give the hind end of a rat if anyone sees it. Other stuff that I am more concerned about, I encrypt on the drive before it ever gets near the wire, and it never goes wireless. That's adequate for those purposes, but would not stand up to any scrutiny by anyone who stole the drive and used sector tools to examine for the pre-encrpyted state. That is an acceptable risk in this case.

Define your risk, and then you can determine if something is "good enough."

odoyle81 wrote:Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

First, it depends on whether they are encrypted sites or not. (Duh.) Most cookies are plaintext for the username. Some, which are not usng SSL or the like, use a plaintext password, too. Go back and search Google. Hell, for that matter, just start examining your own cookies. You can see all sorts of things like usernames, hashes, passwords, expiration dates, etc.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby odoyle81 » Sun Jun 12, 2005 2:08 pm

thanks alot Thorn. I appreciate you actually addressing the point of my post :)

It is true that you can capture packets on wired connections but I think it takes more effort and dedication (read: malicious intent) than someone sitting in a coffeeshop running ethereal in promiscuous mode. Its much more of a concern when using wireless. I don't think people would target my line specifically - I'm not important. I found this thread in which the original post describes my issue precisely, and I thought I could post here and hope for a quick answer instead of having to learn all the basics of cookie management. My bad.

I finally found a program that allowed me to view cookies from opera (the browser that I use). I couldn't find any plain text passwords so they must all be hashed.

You're right I didn't define "good enough", but I agree with you - most of the stuff I do, I don't really care if someone else sees it. Basically making it somewhat time consuming to actually do anything with the packets I send will probably influence anyone listening to move onto easier targets. So for me, SSL for banks and email is "good enough", and as long as I don't send personal data in the open, the weekend cracker will be deterred, and as I'm not a target for a dedicated cracker, I'll be fine.

Thanks
odoyle81
Mini Stumbler
 
Posts: 5
Joined: Sun Jun 12, 2005 8:20 am

Postby G-WISP » Thu Feb 23, 2006 7:06 am

If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.
G-WISP
Mini Stumbler
 
Posts: 6
Joined: Tue Feb 21, 2006 2:05 pm
Location: Gloucester UK

Postby MikeP928 » Thu Feb 23, 2006 6:22 pm

G-WISP wrote:If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.


Responding to 8 month old posts is usually a waste of time, yours for posting and then a lot of ours checking new posts.

MikeP
Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote.
-- Benjamin Franklin, 1759
User avatar
MikeP928
 
Posts: 1122
Joined: Wed May 01, 2002 8:09 pm
Location: Florida Panhandle

Postby nashr » Fri Feb 24, 2006 5:22 am

My current list of web-based proxies.

http://www.ohmyproxy.com/
https://proxify.com/

These are apparently all the same service:
http://www.safeforwork.net/
http://www.vpntunnel.net/
http://www.vtunnel.com/

Caveat: I'm not sure if these actually hide the entire session, or if they just obscure the URL to sniffers. I haven't done the research, and don't have the time. Use at your own risk.
Help! I've been Simpsonized!
User avatar
nashr
 
Posts: 1585
Joined: Fri Aug 09, 2002 6:12 am
Location: Virginia

Postby chevyn8 » Sun Feb 25, 2007 6:52 pm

http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. Use webmail instead of just pop. Firewall on. Connect to a known ssid, ask if needed.
chevyn8
Mini Stumbler
 
Posts: 1
Joined: Sun Feb 25, 2007 6:34 pm

Postby Airstreamer » Mon Feb 26, 2007 8:52 am

chevyn8 wrote:http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. [color="Red"]Use webmail instead of just pop.[/color] Firewall on. Connect to a known ssid, ask if needed.

Unless it's SSL, it's still 'in the clear.'
"But when we disarmed They sold us and delivered us bound to our foe,
And the Gods of the Copybook Headings said: "Stick to the Devil you know.""

- Rudyard Kipling
User avatar
Airstreamer
 
Posts: 2703
Joined: Sun Nov 07, 2004 9:26 pm
Location: A little North of Reason

Re: Security on the client side while using hotspots

Postby FredMurry » Sun Jul 29, 2012 8:40 am

On any wifi, at the marina, a coffee shop, a hotel or even at home you should use
strong encryption. Systems based on a password or pass phrase are vulnerable. Use
encryption based on a certificate. Https proves the website is valid but can still
be attacked. The Port Defender Network uses double certificate validation and is
much stronger. The Port Defender Network also directs all of your Internet
communications through a protected, encrypted port. There are also private,
members only, websites providing social networking, email, chat and other
services.

http://portdefender.net
FredMurry
Mini Stumbler
 
Posts: 1
Joined: Sun Jul 29, 2012 8:37 am

Previous

Return to HotSpots

Who is online

Users browsing this forum: No registered users and 2 guests

cron