Message-ID: <CDDBD898-A3C7-11D8-89DA-000A95703418@improbable.org>
From: chris at improbable.org (Chris Adams)
Subject: Wireless ISPs
On May 11, 2004, at 17:24, Kurt Seifried wrote:
> Folks. WEP is POINTLESS for public access points.
s/ for.*//
WEP/WPA/LEAP/802.1x and anything else which puts trust at the network
level are close[1] to snake-oil - even if they actually worked as
promised the only thing you get is a false sense of security because
there's this assumption that the rest of the network is trustworthy.
You get far more real security simply enabling the strong end-to-end
crypto in the products you already use and you save a ton of money by
not chasing the latest acronyms, too.
> Now a technical person can do something like SSH port forwarding and
> stuff all their email traffic and web browsing through a secure system
> on the outside. But someone like my mother is supposed to do what
> exactly? Have a colocated machine somewhere she can VPN off of, or SSH
> port forward?
Check the "Use SSL" box in her email client, optionally switching to a
competent ISP if this doesn't work.
We recently switched our POP/IMAP services over to a mandatory-SSL config
and used the same approach other people in this thread have mentioned:
3 months of warnings and then disabling the insecure versions. The only
problems we had were a couple of people with antique Eudora installs
who didn't want to upgrade. Other than that there was no grumbling
thanks to an ettercap demonstration and the extremely low
trouble/benefit ratio - we get far more whining each time we suggest
that people install the latest Windows / Office security updates.
It's just not that hard to deploy SSL any more since almost any network
client in common use includes SSL support by now - the biggest
exception is file sharing and it's not like people are used to doing
Windows networking over the internet - the worms have seen to that.
Chris
[1] I say close because it may be legally useful to say the network was
restricted if you need to sue a spammer or something.
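
A warning period like the one described in the message above depends on knowing which accounts still log in without SSL. The following is an added example, not part of the original post: it lists accounts with cleartext POP/IMAP logins so they can be warned before the insecure services are disabled. The log lines are constructed, and their Dovecot-style layout (a "TLS" field on encrypted sessions) is an assumption, since the post does not name its mail server.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Dovecot-style layout (an assumption; the
# post does not name its mail server). A "TLS" field marks an encrypted
# session; a successful login without it was sent in cleartext.
SAMPLE_LOG = """\
May 11 09:02:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
May 11 09:05:40 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.23, lip=192.0.2.1
May 11 09:07:02 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.31, lip=192.0.2.1, TLS
May 11 10:15:19 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.23, lip=192.0.2.1
May 11 11:30:55 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
May 11 11:31:00 mail dovecot: imap-login: Disconnected (auth failed): user=<dave>, rip=203.0.113.9
"""

# Only successful logins matter here; failed attempts are ignored.
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>(?P<rest>.*)$"
)

def cleartext_logins(log_text):
    """Return {user: {"count", "protocols", "clients"}} for successful
    logins that carried no TLS marker."""
    report = defaultdict(lambda: {"count": 0, "protocols": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group("rest").split(",")]
        if "TLS" in fields:
            continue  # encrypted session, nothing to warn about
        entry = report[m.group("user")]
        entry["count"] += 1
        entry["protocols"].add(m.group("proto"))
        # The client address helps tell which machine needs reconfiguring.
        entry["clients"].update(f[4:] for f in fields if f.startswith("rip="))
    return dict(report)

if __name__ == "__main__":
    for user, info in sorted(cleartext_logins(SAMPLE_LOG).items()):
        print(user, info["count"], sorted(info["protocols"]), sorted(info["clients"]))
```

An account such as alice can appear here even though one of her clients already uses SSL, which is why the client address is reported alongside the count.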