Re: Man-in-the-middle and VPNs

Dave Rudisill <denali@alaska.net> hath wroth:

>>Dave Rudisill <denali@alaska.net> wrote:
>
>>I recently read that even the encrypted traffic on https web sites is
>>not safe from man-in-the-middle attacks.

This article?
<http://www.sans.org/reading_room/whitepapers/threats/480.php>
Supplying sources of rumors is always useful.

>>Does the use of an Ipsec-based VPN such as JiWire's SpotLock protect
>>against man-in-the-middle servers on public unsecured WiFi networks?

Yes. All VPN's have mechanisms to prevent replay and session hijack
attacks as well as their own independent authentication mechanisms.
However, it is possible to disarm or disable such features, so don't
assume that they're functional unless you check the settings.

Those who would give up essential security to purchase a little
temporary convenience deserve neither security or convenience.
(Apologies to Ben Franklin).

>So nobody knows?

Possibly. More likely that nobody cares. I'm not a security expert
so I only have a passing interest in such topics.

>Jeez, I thought the WiFi security experts hung out here.

Nope. Just the Wi-Fi hackers hang out here. On weekends, I'm more
interested in breaking into networks than securing them. During the
work week, it's the other way around.

You might also find this interesting reading:
<http://www.remote-exploit.org/codes_hotspotter.html>
"It was possible to bring the client from a secure EAP/TLS network to
an insecure one without any warnings from the operating system."

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Mon, 26 Feb 2007 13:42:31 -0500, Dave Rudisill <denali@alaska.net>
wrote:

>>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>>>>Dave Rudisill <denali@alaska.net> wrote:
>>>
>>>>I recently read that even the encrypted traffic on https web sites is
>>>>not safe from man-in-the-middle attacks.
>>
>>This article?
>><http://www.sans.org/reading_room/whitepapers/threats/480.php>
>>Supplying sources of rumors is always useful.
>>
>
>This is the one I had come across: http://preview.tinyurl.com/2vu7s6

Well, that's an article on extending the all too common phishing
attack for banking sites, where the counterfeit site maintains a fake
SSL server, and is able to somehow (not described in the article)
break multiple authentication and key exchange mechanisms. The
article is also theoretical, intentionally incomplete, and reads like
a sales pitch for the authors security services company. I'm not
qualified to judge whether the proposed extensions to phishing are
probable.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS