Does an encrypted web page stop a hacker from eavesdropping on a wireless transaction?

Jul 16, 2006
Does an encrypted web page stop a hacker from eavesdropping on a wireless transaction?

For example, let's say a person trades stock through someone else's wireless router but the web page is 128-bit encrypted. Will that stop a hacker from reading your communication and also possibly stealing your password?
 

dclive

Originally posted by: NOTORIOUS
Does an encrypted web page stop a hacker from eavesdropping on a wireless transaction?

For example, let's say a person trades stock through someone else's wireless router but the web page is 128-bit encrypted. Will that stop a hacker from reading your communication and also possibly stealing your password?

That's the point of encryption - on an unknown network it allows data from both parties to be encrypted and unreadable.

That still isn't smart, because whatever you do that isn't encrypted (i.e. the rest of the Internet) will be visible, but it's a start. Better to turn on encryption/security on your wireless router - limit it by MAC address (to stop the kiddies) and turn on WPA2 (to stop the more serious people).
 

IEC

Using an unencrypted wireless network is not exactly secure...

Optimal security on a wireless network requires using MAC authentication and the highest level of encryption you can use.
 

BehindEnemyLines

If I am correct, it should be relatively safe. However, if you visit a genuine encrypted site (say your online bank) but Internet Explorer or Firefox displays a warning about a MISMATCHED certificate, it's a warning that an unknown (probably untrusted) authority issued the certificate. ALWAYS DENY such a connection unless you are absolutely sure it's legitimate.
 

kamper

Originally posted by: dclive
limit it by MAC address (to stop the kiddies) and turn on WPA2 (to stop the more serious people).

What's your logic here, that the kiddies will get past wpa2? Should you disable ssid broadcast to keep the suckier-than-kiddies out?
 

dclive

Originally posted by: kamper
Originally posted by: dclive
limit it by MAC address (to stop the kiddies) and turn on WPA2 (to stop the more serious people).
What's your logic here, that the kiddies will get past wpa2? Should you disable ssid broadcast to keep the suckier-than-kiddies out?

I don't expect anyone to get past WPA2; I have yet to see a good exploit. It's been a year or so since I looked; have you seen any?

It's not hard to get past MAC address limitations...but that should stop the kids.

Disabling SSID broadcasting might stop the grandmas, but any script kiddie will get right past that.
 

kamper

But if the kids can't get past the encryption, why bother with the hassle of mac filtering?
 

Zugzwang152

I don't visit the what's the best antivirus/security suite, how do i remove xxxxxx from my computer, etc. threads, but I think this is the first almost-threadcrap flame war in the security forum!
 

dclive

I don't think so - kamper raises a good point. The answer is that you try to do security in layers, so that even if someone breaks one layer, he still has more layers to go through.
 

kamper

Sorry for going off topic, especially as this isn't exactly the first time this has come up. :) However, mac address filtering isn't really security, it's just an annoyance for a hacker, but probably more of an annoyance for you as the user. The only situation where it could possibly help is when somebody has released an automated hack for whatever encryption you're using, something so easy that kiddies who can't spoof macs can use it. But the correct response to that isn't to rely on mac address filtering, it's to unplug the access point until you can put a better encryption scheme in place.

I don't know about you, but if I had something important enough on my network that I didn't trust wpa2 to protect, my second layer would be something that was difficult to circumvent. ;) Now I will try not to threadcrap again...
 

dclive

I don't disagree on your message; MAC address filtering is just a simple start.
 

Oakenfold

Guys this is great discussion. I wouldn't consider it threadcrapping. These are the kinds of questions that fuel learning for all. Now with that being said. I'm going to ask a question of my own:

1. If enabling mac filtering and disabling ssid's is so worthless why are they used, why are they options to begin with (i.e. if they are so easily bypassed (and I think we know the answer to this) why are they there to begin with)?


 

lxskllr

Originally posted by: Oakenfold


1. If enabling mac filtering and disabling ssid's is so worthless why are they used, why are they options to begin with (i.e. if they are so easily bypassed (and I think we know the answer to this) why are they there to begin with)?

To stop people like me :) I use unsecured wireless all the time when I'm out. I don't feel like jumping through hoops to do it though. If it isn't easy, I just drive a block down the street to find one that is.

 

kamper

I'd argue that somebody once implemented them because they mistakenly thought it was a good idea and nobody has had the guts to remove them because using them is "common sense" (<-- sarcastic tone). It's right up there with stealthing your ports. But hey, I'm cynical like that.
 

Oakenfold

Originally posted by: dclive
To stop the casual people and for layered security.

But we have some forum members that feel layered security is not worthwhile. Are they wrong? I am not disagreeing with you. Just encouraging discussion. Is there another answer than for layered security?

Originally posted by: lxskllr
To stop people like me :) I use unsecured wireless all the time when I'm out. I don't feel like jumping through hoops to do it though. If it isn't easy, I just drive a block down the street to find one that is.

Absolutely, but that's for un-encrypted wifi. We've gotten a little OT from the OP's request but it's good discussion and the OP's question has been answered by Dclive.

Originally posted by: kamper
I'd argue that somebody once implemented them because they mistakenly thought it was a good idea and nobody has had the guts to remove them because using them is "common sense" (<-- sarcastic tone). It's right up there with stealthing your ports. But hey, I'm cynical like that.

It's an interesting notion. I suppose what this comes down to is a matter of preference, those that prefer layered security or the cynical view as Kamper puts it. Is either one right or wrong? The goal (network security) either way is achieved isn't it?

Personally the auditor in me goes with the layered approach but Kamper makes an excellent point, one that I felt deserved this forum's input.
:D






 

kamper

I've got nothing against layered security. Its major flaw, though, would seem to be that it can be easily used as justification for all kinds of ineffective measures and security by obscurity. You want more layers for wireless security? Segregate your wireless network from the rest of your network and make sure you don't expose anything on it that you can afford to have hacked. E.g. don't have open shares or do all sorts of unencrypted, local network type stuff and use decent host based firewalls. Another interesting method is to actually leave your wireless network completely open but don't route out of it until individual hosts authenticate to the router using something like authpf. Alternatively, only allow traffic from the wireless network to a vpn server and have all your wireless hosts join a vpn to be able to connect out. All of this is actually effective and can be done at the same time as wireless encryption.

The other interesting thing about a wireless network is that, of course, it's only a tiny portion of the entire network that you use when you talk to, say, your banking website. You can encrypt your wireless traffic all you want, but once that traffic leaves your home and hits the public tubes, you have no reason to believe that someone won't sniff it out there. Sure, it's way more likely that someone is going to eavesdrop on your open wireless connection, but if you actually care about the security of the entire connection, you must use end-to-end, host-based encryption which is, as far as we know, very safe as long as you trust the server. Therefore wireless encryption is only useful to a) protect services that you want to allow open local access to but not internet access (like maybe windows file shares), b) stop people from leeching your bandwidth and c) provide an extra layer for a tiny portion of the journey between you and the bank website.

If there are good arguments against (real) layered security, I'd like to hear them. And btw, the use of the term "cynical" referred to the social stigma that has allowed mac filtering to survive, not any actual technology.
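
A sketch of the authpf arrangement described in the post above, added here as an example and not taken from kamper's own configuration: the wireless segment stays open, but the OpenBSD gateway forwards nothing from it until a host authenticates over SSH. The interface names (`em0`, `athn0`) and the subnet are assumptions; users who should get access need `/usr/sbin/authpf` as their login shell, and `/etc/authpf/authpf.conf` must exist.

```conf
# /etc/pf.conf -- constructed example; interface names and subnet are assumptions
ext_if   = "em0"              # uplink to the Internet
wifi_if  = "athn0"            # interface facing the open access point
wifi_net = "192.168.50.0/24"  # addresses handed out on the wireless segment

set skip on lo
block all                     # default deny: an unauthenticated host gets nowhere

# NAT is applied only to traffic that a pass rule below (or in the anchor) allows
match out on $ext_if inet from $wifi_net nat-to ($ext_if)

# The one thing an unauthenticated wireless host may reach: SSH on the gateway,
# which is where authpf runs as the user's login shell
pass in on $wifi_if inet proto tcp from $wifi_net to ($wifi_if) port 22

# authpf loads its per-user rules under this anchor when the SSH session opens
# and removes them again when the session ends
anchor "authpf/*"

# Let permitted traffic leave through the uplink
pass out on $ext_if inet

# ---------------------------------------------------------------------------
# /etc/authpf/authpf.rules -- evaluated inside the anchor for each login.
# $user_ip is supplied by authpf (the address the SSH session came from);
# macros from pf.conf are not visible here, so the interface is written out.
pass in quick on athn0 inet from $user_ip to any
```

Because the per-user rule exists only while the SSH session is open, closing the session revokes access without any change to the wireless settings.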
 

gsellis

While the rest of the discussion is good, it points more to securing the endpoints. That is a mute point if "someone else's wireless network" is Starbuck's.

To the original post, yes, using an HTTPS/SSL web page encrypts the traffic from wireless eavesdropping of that data. You should use that type of connection whenever possible to do anything that you don't want some random person to know about.
 

dclive

Originally posted by: gsellis
While the rest of the discussion is good, it points more to securing the endpoints. That is a mute point if "someone else's wireless network" is Starbuck's.

It's only moot if someone's mute. :)