[kwlug-disc] Firesheep: Open WiFi cookie stealing for the masses ...

Khalid Baheyeldin kb at 2bits.com
Wed Nov 3 13:42:54 EDT 2010


On Wed, Nov 3, 2010 at 1:19 PM, Adam Glauser <adamglauser at gmail.com> wrote:

> On 03/11/2010 12:40 PM, Khalid Baheyeldin wrote:
>
>> To answer the original question on whether moving from no encryption/no
>> password to WPA/WPA2 ...
>>
>> This comments says that it is very unlikely that Firesheep will affect
>> WPA networks, even with a shared key.
>>
>> http://it.slashdot.org/comments.pl?sid=1851220&cid=34106546
>>
>> More specifically, it quotes this:
>>
>> http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake
>>
>
> I think Lori mentioned this earlier, but it seems that the session key* is
> not securely exchanged.  It seems that WPA-PSK and WPA2-PSK (aka -Personal)
> add the additional effort of capturing these handshake packets.  Firesheep
> may not automate this yet, but it perhaps it could.
>

I read the comment as saying "the individual keys are hard to sniff, making
Firesheep not practical (yet) for WPA networks".

I will leave those with more expertise to comment more here.

> It seems that the -EAP (aka -Enterprise) versions of WPA use a proper
> key-exchange algorithm and aren't vulnerable to this attack**.  I don't know
> all the details, but it seems that using -EAP versions of WPA require
> setting up (or hiring) a RADIUS server.  This also seems to involve
> purchasing a certificate from a trusted authority.  I'm not sure, but it
> might also require extra settings on the client side.  Does anyone know?
>
> In any case, it seems that using WPA2-EAP is the way to go from a security
> standpoint, but is probably impracticable for most AP administrators.
>
> * more correctly, the "Pairwise Transient Key"
> **
> More detail here:
> http://superuser.com/questions/156869/can-other-people-on-an-encrypted-wi-fi-ap-see-what-youre-doing


Enterprise WPA/WPA2 is not practical for what Paul Nijjar wants, in addition
to being not easy to set up.

It requires a list of authorized people and having logins for each one.

In a public hotspot with no defined set of authorized people, one-time
people, it does not make sense.

Think about our KWLUG meeting place, coffee shops, The Working Centre,
...etc.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci