[liberationtech] HTTPS by default campaign launch today

Jacob Appelbaum jacob at appelbaum.net
Tue Nov 9 11:48:47 PST 2010


On 11/09/2010 10:44 AM, Mehdi Yahyanejad wrote:
> I fully support the call for Yahoo, Facebook and Twitter to add https and
> set their default to https. However, there is also a simple solution for
> Starbucks or other places offering public wireless to protect their users.
> Most wireless routers come with the option of *Access Point Isolation*. With
> AP isolation enabled, wireless devices can't talk to each other and as a
> result won't be able to monitor the traffic within the network.
> Firesheep/Wireshark doesn't work with AP isolation enabled.
> 
> You can even enable it on your home wireless router. The benefit is
> that if someone hacks into your network, they won't be able to steal your
> passwords using Firesheep. The downside is that you won't be able to see the
> iTunes of the other people in your network or print to your wireless
> printer.
>

If the data isn't encrypted, the data isn't safe from an attacker.

We need end-to-end crypto. HTTPS is a partial hack to do that on a site
by site basis. It's probably the best we have for now against passive
attacks.

Access Point Isolation does not help a passive sniffing attacker unless
it is used in combination with WPA2 or some other reasonable encryption
mode. Attackers simply need their wireless cards to be in monitor mode
(e.g., using Kismet) and they win.

Any reasonable attacker was doing this anyway. Heck, even Google was
doing it with their Street View war driving stuff.

Also, if someone "hacks into your network" - I'm fairly sure that
session cookies and passwords are the least of your problems. Surely
they're still a problem though. Owning the upstream router or network
almost certainly beats Access Point Isolation; the packets are
reassembled and sent to the internet through that very same router that
is probably now compromised...

All the best,
Jake
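
Added example, not part of the original message or written by either poster: the thread's point is that session cookies sent over plain HTTP are readable by a passive listener whatever the access point does, so a site operator can audit their own response headers for cookies set without the `Secure` attribute. The header values below are constructed samples, and the `Strict-Transport-Security` check is an assumption about how a site would enforce HTTPS by default.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(headers):
    """Return (cookies_sent_over_plain_http, hsts_enabled).

    A cookie without the Secure attribute is attached to http:// requests
    too, so it crosses an open wireless network unencrypted.
    """
    exposed = []
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = hsts_max_age(value) > 0
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if not morsel["secure"]:
                    exposed.append(cookie_name)
    return exposed, hsts


if __name__ == "__main__":
    exposed, hsts = audit_headers(SAMPLE_HEADERS)
    print("Cookies that can travel in cleartext:", exposed)
    print("HSTS enabled:", hsts)
```
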


