Re: [Full-Disclosure] Wireless ISPs
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Wireless ISPs
- From: Chris Adams <chris@xxxxxxxxxxxxxx>
- Date: Tue, 11 May 2004 20:52:35 -0700
On May 11, 2004, at 17:24, Kurt Seifried wrote:
> Folks. WEP is POINTLESS for public access points.

s/ for.*//
WEP/WPA/LEAP/802.1x and anything else which puts trust at the network
level are close[1] to snake-oil - even if they actually worked as
promised the only thing you get is a false sense of security because
there's this assumption that the rest of the network is trustworthy.
You get far more real security simply enabling the strong end-to-end
crypto in the products you already use and you save a ton of money by
not chasing the latest acronyms, too.

> Now a technical person can do something like SSH port forwarding and stuff
> all their email traffic and web browsing through a secure system on the
> outside. But someone like my mother is supposed to do what exactly? Have a
> colocated machine somewhere she can VPN off of, or SSH port forward?

Check the "Use SSL" box in her email client, optionally switching to a
competent ISP if this doesn't work.

We recently switched our POP/IMAP services over to a mandatory-SSL config
and used the same approach other people in this thread have mentioned:
3 months of warnings and then disabling the insecure versions. The only
problems we had were a couple of people with antique Eudora installs
who didn't want to upgrade. Other than that there was no grumbling
thanks to an ettercap demonstration and the extremely low amount
trouble/benefit ratio - we get far more whining each time we suggest
that people install the latest Windows / Office security updates.
It's just not that hard to deploy SSL any more since almost any network
client in common use includes SSL support by now - the biggest
exception is file sharing and it's not like people are used to doing
Windows networking over the internet - the worms have seen to that.
Chris

[1] I say close because it may be legally useful to say the network was
restricted if you need to sue a spammer or something.
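
A check for the mandatory-SSL migration described in the message above, added here as an example and not part of the original post: it reads what a server advertises on the cleartext IMAP or POP3 port before TLS and flags anything that still invites passwords in the clear. The sample responses are constructed and the function names are this example's own; the capability names come from RFC 3501, RFC 2595 and RFC 2449.

```python
import re

# Constructed pre-TLS responses from the cleartext ports (IMAP 143, POP3 110);
# illustrative only, not captured from any real server.
SAMPLES = {
    ("imap", "before"): "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready\r\n",
    ("imap", "after"): "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n",
    ("pop3", "before"): "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n",
    ("pop3", "after"): "+OK\r\nSTLS\r\nUIDL\r\n.\r\n",
}
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself


def imap_caps(response):
    """Atoms from a greeting's [CAPABILITY ...] code or an untagged CAPABILITY line."""
    m = re.search(r"CAPABILITY ([^\]\r\n]+)", response, re.IGNORECASE)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def pop3_caps(response):
    """Map each CAPA tag (RFC 2449) to its parameters, skipping +OK and the final dot."""
    rows = [ln.split() for ln in response.splitlines()[1:] if ln.strip() not in ("", ".")]
    return {parts[0].upper(): {p.upper() for p in parts[1:]} for parts in rows}


def audit(proto, response):
    """Return the cleartext-credential findings the server advertises before TLS."""
    findings = []
    if proto == "imap":
        caps = imap_caps(response)
        if not caps:
            return ["no capability list seen; send CAPABILITY and re-check"]
        mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
        tls, login_open = "STARTTLS" in caps, "LOGINDISABLED" not in caps
    else:
        caps = pop3_caps(response)
        mechs = caps.get("SASL", set())
        tls, login_open = "STLS" in caps, "USER" in caps
    if not tls:
        findings.append("no TLS upgrade offered")
    if login_open:
        findings.append("password login (LOGIN / USER) not disabled")
    findings += [f"cleartext SASL mechanism {m}" for m in sorted(mechs & CLEARTEXT_MECHS)]
    return findings


if __name__ == "__main__":
    for (proto, stage), resp in SAMPLES.items():
        print(proto, stage, audit(proto, resp) or "OK")
```

An empty result only says the cleartext port no longer advertises password logins; if the migration closed ports 143 and 110 outright, a refused connection is the expected outcome instead.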