Message-ID: <CDDBD898-A3C7-11D8-89DA-000A95703418@improbable.org>
From: chris at improbable.org (Chris Adams)
Subject: Wireless ISPs


On May 11, 2004, at 17:24, Kurt Seifried wrote:
> Folks. WEP is POINTLESS for public access points.

s/ for.*//

WEP/WPA/LEAP/802.1x and anything else which puts trust at the network 
level are close[1] to snake-oil - even if they actually worked as 
promised the only thing you get is a false sense of security because 
there's this assumption that the rest of the network is trustworthy. 
You get far more real security simply enabling the strong end-to-end 
crypto in the products you already use and you save a ton of money by 
not chasing the latest acronyms, too.

> Now a technical person can do something like SSH port forwarding and stuff
> all their email traffic and web browsing through a secure system on the
> outside. But someone like my mother is supposed to do what exactly? Have a
> colocated machine somewhere she can VPN off of, or SSH port forward?

Check the "Use SSL" box in her email client, optionally switching to a 
competent ISP if this doesn't work.

We recently switched our POP/IMAP services over to a mandatory-SSL config 
and used the same approach other people in this thread have mentioned: 
3 months of warnings and then disabling the insecure versions. The only 
problems we had were a couple of people with antique Eudora installs 
who didn't want to upgrade. Other than that there was no grumbling 
thanks to an ettercap demonstration and the extremely low 
trouble/benefit ratio - we get far more whining each time we suggest 
that people install the latest Windows / Office security updates.

It's just not that hard to deploy SSL any more since almost any network 
client in common use includes SSL support by now - the biggest 
exception is file sharing and it's not like people are used to doing 
Windows networking over the internet - the worms have seen to that.

Chris

[1] I say close because it may be legally useful to say the network was 
restricted if you need to sue a spammer or something.