Page 2 of 2

PostPosted: Sun Jun 12, 2005 9:43 am
by odoyle81
so all cookies hash passwords using md5?

Can I verify this by looking at the cookie and if I don't see the password in plain text, then it is probably hashed or not present?

So I would assume this is relatively secure since it would be hard to get the ascii password from the hash (if for example someone captured the packet with the cookie). So the password itself would not be compromised. However, couldn't that person use the hash value to create their own cookie and login to the site as you?

Sorry if it was a stupid question. I know how to google search but I looked around and mostly found general information about cookies and privacy, not specific information about cookies and security..

I hope I can "stay out of trouble" in the future...

PostPosted: Sun Jun 12, 2005 10:41 am
by wrzwaldo
Next time rather than hijack somebodys thread why not create your own?

PostPosted: Sun Jun 12, 2005 11:13 am
by odoyle81
I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)

PostPosted: Sun Jun 12, 2005 11:17 am
by streaker69
odoyle81 wrote:I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)


If you're using your machine at a public hotspot that does not use encryption, they will surely have every single packet that you send. That's why you should never send any private information over unencrypted AP's without secondary encryption methods, like VPN.

PostPosted: Sun Jun 12, 2005 11:43 am
by odoyle81
VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

PostPosted: Sun Jun 12, 2005 12:14 pm
by Thorn
odoyle81 wrote:I'm not hijacking a thread.. this concerns wireless security as I want to use my laptop at hotspots but want to be sure that if anyone is using a sniffer they can't capture my private data.



thanks for the help (note the sarcasm)

Wrong.

This has NOTHING to do with wireless. While it is true that the wireless makes it easier to sniff and capture the traffic, don't think for a momemnt that it's safer on the wired side. The hotspot or ISP or anyone between you and the site could sniff if on the wire.

Don't confuse a standard security issue with a wireless security issue.

odoyle81 wrote:VPN or SSL...

I understand that VPN is the best solution, but I don't want to run another computer at my house just for VPN when I'm on the road if SSL is good enough. (especially since VPN would really slow everything down).

My question is basically about whether cookies send usernames and passwords encrpyted or as hash values and does this pose a signifigant security risk if used in an open wireless environment without VPN. From what I understand, SSL is good enough without VPN (that is, even if someone captured the SSL packets, they'd have a hell of a time doing anything with it).

Define "good enough"? You're the only one who can make that determination.

Frankly, some stuff I do, I don't give the hind end of a rat if anyone sees it. Other stuff that I am more concerned about, I encrypt on the drive before it ever gets near the wire, and it never goes wireless. That's adequate for those purposes, but would not stand up to any scrutiny by anyone who stole the drive and used sector tools to examine for the pre-encrpyted state. That is an acceptable risk in this case.

Define your risk, and then you can determine if something is "good enough."

odoyle81 wrote:Does the same hold true for these sites that automatically log you in using cookies (for example gmail, amazon, del.icio.us)? Or is using cookies to be avoided at all costs on the road?

First, it depends on whether they are encrypted sites or not. (Duh.) Most cookies are plaintext for the username. Some, which are not usng SSL or the like, use a plaintext password, too. Go back and search Google. Hell, for that matter, just start examining your own cookies. You can see all sorts of things like usernames, hashes, passwords, expiration dates, etc.

PostPosted: Sun Jun 12, 2005 2:08 pm
by odoyle81
thanks alot Thorn. I appreciate you actually addressing the point of my post :)

It is true that you can capture packets on wired connections but I think it takes more effort and dedication (read: malicious intent) than someone sitting in a coffeeshop running ethereal in promiscuous mode. Its much more of a concern when using wireless. I don't think people would target my line specifically - I'm not important. I found this thread in which the original post describes my issue precisely, and I thought I could post here and hope for a quick answer instead of having to learn all the basics of cookie management. My bad.

I finally found a program that allowed me to view cookies from opera (the browser that I use). I couldn't find any plain text passwords so they must all be hashed.

You're right I didn't define "good enough", but I agree with you - most of the stuff I do, I don't really care if someone else sees it. Basically making it somewhat time consuming to actually do anything with the packets I send will probably influence anyone listening to move onto easier targets. So for me, SSL for banks and email is "good enough", and as long as I don't send personal data in the open, the weekend cracker will be deterred, and as I'm not a target for a dedicated cracker, I'll be fine.

Thanks

PostPosted: Thu Feb 23, 2006 7:06 am
by G-WISP
If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.

PostPosted: Thu Feb 23, 2006 6:22 pm
by MikeP928
G-WISP wrote:If your running a Samba, You can setup client and server SSL certificates, While that helps in a normal wireless connection, it dont work with open zones.
Maybe some one would write a Mac to mac encoder to make things work, but with mac hacking this wouldnt really go far. With that said there are programmes out there that monitor Mac hackers and alert you to the change or tamper. its called 'HotspotDK'
If your running VPN then compression server and client software will help.


Responding to 8 month old posts is usually a waste of time, yours for posting and then a lot of ours checking new posts.

MikeP

PostPosted: Fri Feb 24, 2006 5:22 am
by nashr
My current list of web-based proxies.

http://www.ohmyproxy.com/
https://proxify.com/

These are apparently all the same service:
http://www.safeforwork.net/
http://www.vpntunnel.net/
http://www.vtunnel.com/

Caveat: I'm not sure if these actually hide the entire session, or if they just obscure the URL to sniffers. I haven't done the research, and don't have the time. Use at your own risk.

PostPosted: Sun Feb 25, 2007 6:52 pm
by chevyn8
http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. Use webmail instead of just pop. Firewall on. Connect to a known ssid, ask if needed.

PostPosted: Mon Feb 26, 2007 8:52 am
by Airstreamer
chevyn8 wrote:http://www.torrify.com/software_torpark.html
The free version is slow but functional. Haven't tried the pay versions. The Public Library network I manage filters such sites as 'the cloak' and 'anonymizer', since they are used to get around our Porn filter. Those won't work on our wireless hotspot, torpark does. VPN is always a good idea if you have the ability to use one. Anything of importance should be SSL. [color="Red"]Use webmail instead of just pop.[/color] Firewall on. Connect to a known ssid, ask if needed.

Unless it's SSL, it's still 'in the clear.'

Re: Security on the client side while using hotspots

PostPosted: Sun Jul 29, 2012 8:40 am
by FredMurry
On any wifi, at the marina, a coffee shop, a hotel or even at home you should use
strong encryption. Systems based on a password or pass phrase are vulnerable. Use
encryption based on a certificate. Https proves the website is valid but can still
be attacked. The Port Defender Network uses double certificate validation and is
much stronger. The Port Defender Network also directs all of your Internet
communications through a protected, encrypted port. There are also private,
members only, websites providing social networking, email, chat and other
services.

http://portdefender.net