[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Wireless ISPs

Hi Brian and Dan,

Sit down sometime inside a wireless ISPs area and run
kismet. You can see someone connect to a service via
SSL, then immediately after they purchase something
they check the email. Guess what ? the Credit card #
and address are in that email.

Yeah...

There is 2 problems :

- one is from purchase site that *should*not* send any
  credit card number on email
- one is the way people gets mails

On the second hand, there is some way to fix that :

 pop3-ssl
 imap-ssl

Why ISP don't provide such way to get mail ? FYI I do such setup on my servers for more than 4 year since it is implemented on lots of MUAs included from some from a redmont software producers.

Yes, using encrypted connections is not the solution, but can help...

Also have some SMTP server that allow STARTTLS, are good starting point about security...

If you are paranoid, like I am, you can also use : WEP + IPsec... that with encrypted connection (ssh, pop3-ssl, imap-ssl, smtp+tls) will give you more confident about your network....

People that don't use that are, IMHO, just non aware of the possibility that their data can be stolen without any intrusion.

/Xavier

--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html