[liberationtech] Firesheep: Making the Complicated Trivial
Daniel Colascione
dan.colascione at gmail.com
Tue Oct 26 16:53:35 PDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/26/2010 4:30 PM, Gregory Maxwell wrote:
> On Tue, Oct 26, 2010 at 7:12 PM, Frank Corrigan
> <email at franciscorrigan.com> wrote:
> [snip]
>> HTTPS Everywhere
>> https://www.eff.org/https-everywhere
>>
>> Force-TLS
>> https://addons.mozilla.org/en-US/firefox/addon/12714/
>
> Longer term:
> http://www.tcpcrypt.org/
I was waiting for someone to bring up tcpcrypt: while it does encrypt
each connection, it doesn't authenticate the identity of the other
party. Without this authentication, encryption is only a minor
speedbump for an attacker. Using ARP/NDP-poisoning or wireless-specific
techniques, an attacker can intercept connections between users and
external sites, and having done that, he can read these connections
just as well as if they'd been sent in the clear.
As others have mentioned, the only true solution is pervasive
end-to-end encryption _with_ authentication (and preferably perfect
forward secrecy). Everything else is a temporary half-measure.
That said, I'm afraid the gut reaction of policymakers (if there is a
reaction at all) will be to simply ban wireless chipsets that can
receive traffic intended for other users (i.e., chipsets with a
promiscuous mode), an approach doomed to fail.
Regards,
Daniel Colascione
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iEYEARECAAYFAkzHaTQACgkQ17c2LVA10Vte3gCdElV6JHCDE0Hpmo6RtwdFnOeg
LD4AnjWEd4+APB117jsUwN1zBKoMi6Eg
=GvVv
-----END PGP SIGNATURE-----
More information about the liberationtech
mailing list