What are the chances of breaking into a WPA2 protected WiFi network?
Does accessing the internet using wifi with WPA2 security thru http
secure connection add an extra protection? Suppose that someone is able
to get into my wifi network and sniff the packets. Can they read the
data knowing that it is encrypted? Thanks in advance.
On Mon, 13 Nov 2006 13:34:43 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<ecac2$4558e4f5$4286329d$30228@msgid.meganewsserve rs.com>:
>What are the chances of breaking into a WPA2 protected WiFi network?
Very low.
>Does accessing the internet using wifi with WPA2 security thru http
>secure connection add an extra protection?
Yes.
>Suppose that someone is able
>to get into my wifi network and sniff the packets. Can they read the
>data knowing that it is encrypted? Thanks in advance.
They can sniff wireless packets, but can't read the contents without
decrypting them.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
John Navas wrote:
> On Mon, 13 Nov 2006 13:34:43 -0800, Ron
> <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
> <ecac2$4558e4f5$4286329d$30228@msgid.meganewsserve rs.com>:
>
>
>>What are the chances of breaking into a WPA2 protected WiFi network?
>
>
> Very low.
>
>
>>Does accessing the internet using wifi with WPA2 security thru http
>>secure connection add an extra protection?
>
>
> Yes.
>
>
>>Suppose that someone is able
>>to get into my wifi network and sniff the packets. Can they read the
>>data knowing that it is encrypted? Thanks in advance.
>
>
> They can sniff wireless packets, but can't read the contents without
> decrypting them.
>
I suppose I can safely say that HttpS packets that get stolen out of the
air (wifi connection) would be the same as (or similar to) those stolen
over wired connection, right? It would all depend on the decryption part
to successfully read the data packets.
Or is the data encrypted twice (wifi encryption + SSL encryption)?
> On Mon, 13 Nov 2006 13:34:43 -0800, Ron
> <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
> <ecac2$4558e4f5$4286329d$30228@msgid.meganewsserve rs.com>:
<snip>
> >Does accessing the internet using wifi with WPA2 security thru http
> >secure connection add an extra protection?
>
> Yes.
Really? How's that? The OP is asking if accessing the internet with WPA2
through http will add axtra protection.
> >Suppose that someone is able to get into my wifi network and sniff the
> >packets. Can they read the data knowing that it is encrypted? Thanks in
> >advance.
>
> They can sniff wireless packets, but can't read the contents without
> decrypting them.
They could get onto the OP's network and sniff packets from the WAN
side. The packets are not encrypted on the wired network and can
certainly be read from the WAn side.
Axel Hammerschmidt wrote:
> John Navas <spamfilter0@navasgroup.com> wrote:
>
>
>>On Mon, 13 Nov 2006 13:34:43 -0800, Ron
>><fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS. com> wrote in
>><ecac2$4558e4f5$4286329d$30228@msgid.meganewsser vers.com>:
>
>
> <snip>
>
>>>Does accessing the internet using wifi with WPA2 security thru http
>>>secure connection add an extra protection?
>>
>>Yes.
>
>
> Really? How's that? The OP is asking if accessing the internet with WPA2
> through http will add axtra protection.
>
>
>>>Suppose that someone is able to get into my wifi network and sniff the
>>>packets. Can they read the data knowing that it is encrypted? Thanks in
>>>advance.
>>
>>They can sniff wireless packets, but can't read the contents without
>>decrypting them.
>
>
> They could get onto the OP's network and sniff packets from the WAN
> side. The packets are not encrypted on the wired network and can
> certainly be read from the WAn side.
Axel, I think you mis-read my post. It's httpS not http. I said "...
thru http secure...". The following would've been a better sentence:
"Does accessing the internet using wifi with WPA2 security thru https
add an extra protection?"
See I almost called you Alex :-) Your name does look like Alex.
On Mon, 13 Nov 2006 14:27:14 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<4abeb$4558f145$4286329d$30549@msgid.meganewsserve rs.com>:
>John Navas wrote:
>> On Mon, 13 Nov 2006 13:34:43 -0800, Ron
>> <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
>> <ecac2$4558e4f5$4286329d$30228@msgid.meganewsserve rs.com>:
>>
>>>What are the chances of breaking into a WPA2 protected WiFi network?
>>
>> Very low.
>>
>>>Does accessing the internet using wifi with WPA2 security thru http
>>>secure connection add an extra protection?
>>
>> Yes.
>>
>>>Suppose that someone is able
>>>to get into my wifi network and sniff the packets. Can they read the
>>>data knowing that it is encrypted? Thanks in advance.
>>
>> They can sniff wireless packets, but can't read the contents without
>> decrypting them.
>
>I suppose I can safely say that HttpS packets that get stolen out of the
>air (wifi connection) would be the same as (or similar to) those stolen
>over wired connection, right?
Right.
>It would all depend on the decryption part
>to successfully read the data packets.
Right.
>Or is the data encrypted twice (wifi encryption + SSL encryption)?
Twice, by SSL encryption within WPA encryption.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Mon, 13 Nov 2006 23:31:20 +0100, hlexa@hotmail.com (Axel
Hammerschmidt) wrote in <1horkm4.1gt1s1m1s3cx7kN%hlexa@hotmail.com>:
>John Navas <spamfilter0@navasgroup.com> wrote:
>
>> On Mon, 13 Nov 2006 13:34:43 -0800, Ron
>> <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
>> <ecac2$4558e4f5$4286329d$30228@msgid.meganewsserve rs.com>:
>
><snip>
>
>> >Does accessing the internet using wifi with WPA2 security thru http
>> >secure connection add an extra protection?
>>
>> Yes.
>
>Really? How's that? The OP is asking if accessing the internet with WPA2
>through http will add axtra protection.
http*s*
>> >Suppose that someone is able to get into my wifi network and sniff the
>> >packets. Can they read the data knowing that it is encrypted? Thanks in
>> >advance.
>>
>> They can sniff wireless packets, but can't read the contents without
>> decrypting them.
>
>They could get onto the OP's network and sniff packets from the WAN
>side. The packets are not encrypted on the wired network and can
>certainly be read from the WAn side.
*Wireless* packets.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
Ron <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote:
> Axel Hammerschmidt wrote:
>
> > John Navas <spamfilter0@navasgroup.com> wrote:
> >
> >> On Mon, 13 Nov 2006 13:34:43 -0800, Ron wrote in:
<snip>
> >>>Suppose that someone is able to get into my wifi network and sniff the
> >>>packets. Can they read the data knowing that it is encrypted? Thanks in
> >>>advance.
> >>
> >>They can sniff wireless packets, but can't read the contents without
> >>decrypting them.
> >
> > They could get onto the OP's network and sniff packets from the WAN
> > side. The packets are not encrypted on the wired network and can
> > certainly be read from the WAn side.
>
> Axel, I think you mis-read my post. It's httpS not http. I said "...
> thru http secure...". The following would've been a better sentence:
>
> "Does accessing the internet using wifi with WPA2 security thru https
> add an extra protection?"
Axel Hammerschmidt wrote:
>>"Does accessing the internet using wifi with WPA2 security thru https
>>add an extra protection?"
>
>
> Then WPA2 doesn't make any difference.
Are u saying we'll be ok even when connecting to https site over
unsecured WiFi connection due to SSL encryption?
On Mon, 13 Nov 2006 16:15:53 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<b57e$45590abc$4286329d$31814@msgid.meganewsserver s.com>:
>Axel Hammerschmidt wrote:
>>>"Does accessing the internet using wifi with WPA2 security thru https
>>>add an extra protection?"
>>
>> Then WPA2 doesn't make any difference.
>
>Are u saying we'll be ok even when connecting to https site over
>unsecured WiFi connection due to SSL encryption?
Sure. WPA would just add extra security, and prevent unauthorized use
of your Internet connection.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
Ron <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote:
> Axel Hammerschmidt wrote:
<snip>
> > Then WPA2 doesn't make any difference.
>
> Are u saying we'll be ok even when connecting to https site over
> unsecured WiFi connection due to SSL encryption?
>Does accessing the internet using wifi with WPA2 security thru http
>secure connection add an extra protection?
No. HTTP can be sniffed. If the WPA2 security were to be breached,
the HTTP would be easily readable. HTTPS is what I think you wanted.
>Suppose that someone is able
>to get into my wifi network and sniff the packets. Can they read the
>data knowing that it is encrypted? Thanks in advance.
Ambiguous. If they "get into" (can you be more specific what you mean
by that?) your system, they can do whatever they want. To what degree
they "get into" your system is the question. If they just "get into"
your network, but you have the security on each client nailed down,
there's not much that they can do.
Your real problem with WPA2 is physical security. If I can extract
your WPA2 encryption key from your machine, I can break into your
network. I have a trick for doing this in about 3 seconds if I can
physically "get into" your desktop or laptop. Once I have the WPA2
key, I simply join your wireless network or use the key to decrypt
captured packets offline. This should give you a clue: http://www.wirelessdefence.org/Conte..._WinWzcook.htm
Is a 23 character (mainly alphabets + a few digits, definitely not in
english dictionary) WPA2 shared key long enough to thwart someone trying
to join my wifi network?
>
> No. HTTP can be sniffed. If the WPA2 security were to be breached,
> the HTTP would be easily readable. HTTPS is what I think you wanted.
>
Indeed, I was asking about http secure (httpS).
> Ambiguous. If they "get into" (can you be more specific what you mean
> by that?) your system, they can do whatever they want. To what degree
> they "get into" your system is the question. If they just "get into"
> your network, but you have the security on each client nailed down,
> there's not much that they can do.
>
No, not get into my "system". Suppose they're able to join my WiFi
network (they found out the shared key and joined in). Btw, all my
PCs/notebooks are protected with software firewall (zonealarm). Being in
my wifi network doesn't grant them access to my PCs but they can sniff
the packets going both directions (in/out). I guess the answer is that
they must overcome 1 more hurdle, decrypting the SSL packets.
> Your real problem with WPA2 is physical security. If I can extract
> your WPA2 encryption key from your machine, I can break into your
> network. I have a trick for doing this in about 3 seconds if I can
> physically "get into" your desktop or laptop. Once I have the WPA2
> key, I simply join your wireless network or use the key to decrypt
> captured packets offline. This should give you a clue:
> http://www.wirelessdefence.org/Conte..._WinWzcook.htm
>
You can't if it's SSL encrypted. Speaking of secure connection, do you
know whether or not instant messaging software (Yahoo, MSN, AOL etc) use
encryption (at least) to logon to their server? I've been looking all
over for that info but can't find it. Thanks.
On Tue, 14 Nov 2006 10:23:04 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<4ca01$455a098a$4286329d$12726@msgid.meganewsserve rs.com>:
>Is a 23 character (mainly alphabets + a few digits, definitely not in
>english dictionary) WPA2 shared key long enough to thwart someone trying
>to join my wifi network?
Password cracking can be defeated by using a passphrase of at least
5 Diceware words or 14 completely random letters with WPA and WPA2.
For maximum strength, 8 Diceware words or 22 random characters
should be employed. Passphrases should be changed at regular
intervals, or whenever an individual with access is no longer
authorized to use the network or when a device configured to use the
network is lost or compromised.
>No, not get into my "system". Suppose they're able to join my WiFi
>network (they found out the shared key and joined in). Btw, all my
>PCs/notebooks are protected with software firewall (zonealarm). Being in
>my wifi network doesn't grant them access to my PCs but they can sniff
>the packets going both directions (in/out). ...
Nope. Other than their own traffic, they can only sniff broadcast
traffic. The real risk is that they can use your network to attack or
compromise your own hosts. Software firewalls can mitigate that risk,
but only if properly configured and maintained. Better, if you don't
need networking, to isolate hosts so they can't access each other.
It's a common misconception that knowing a PSK pass-phrase is enough to
decrypt encrypted wireless traffic. It's not, because WPA uses dynamic
session keys: per user, per session, and even per packet (plus
protection against replay attacks).
The insecurity of PSK is thus a matter of *authentication* (wireless
network access), not *encryption*.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
John Navas wrote:
>
> Nope. Other than their own traffic, they can only sniff broadcast
> traffic. The real risk is that they can use your network to attack or
> compromise your own hosts. Software firewalls can mitigate that risk,
> but only if properly configured and maintained. Better, if you don't
> need networking, to isolate hosts so they can't access each other.
>
That's exactly what I did. All WiFi clients do not trust each other. AP
is set to treat all clients as individual machine (I can't remember the
exact term for it - may be "client isolation" or something). In addition
to that, file sharing is disabled, netbios over tcp/ip is disabled also
(all PCs are windows boxes) and last, zonealarm on every PCs. I need
some sort of protection to tell me if something wants to access the
internet so I put zonealarm.
> It's a common misconception that knowing a PSK pass-phrase is enough to
> decrypt encrypted wireless traffic. It's not, because WPA uses dynamic
> session keys: per user, per session, and even per packet (plus
> protection against replay attacks).
>
> The insecurity of PSK is thus a matter of *authentication* (wireless
> network access), not *encryption*.
>
On Tue, 14 Nov 2006 12:16:04 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<29fa7$455a2407$4286329d$13692@msgid.meganewsserve rs.com>:
>John Navas wrote:
>>
>> Nope. Other than their own traffic, they can only sniff broadcast
>> traffic. The real risk is that they can use your network to attack or
>> compromise your own hosts. Software firewalls can mitigate that risk,
>> but only if properly configured and maintained. Better, if you don't
>> need networking, to isolate hosts so they can't access each other.
>
>That's exactly what I did. All WiFi clients do not trust each other. AP
>is set to treat all clients as individual machine (I can't remember the
>exact term for it - may be "client isolation" or something). In addition
>to that, file sharing is disabled, netbios over tcp/ip is disabled also
>(all PCs are windows boxes) and last, zonealarm on every PCs. I need
>some sort of protection to tell me if something wants to access the
>internet so I put zonealarm.
>
>> It's a common misconception that knowing a PSK pass-phrase is enough to
>> decrypt encrypted wireless traffic. It's not, because WPA uses dynamic
>> session keys: per user, per session, and even per packet (plus
>> protection against replay attacks).
>>
>> The insecurity of PSK is thus a matter of *authentication* (wireless
>> network access), not *encryption*.
>
>Thanks for clearing that up.
I was actually wrong. It *is* possible to crack the encryption if the
WPA pass-phrase is known. Sorry.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
On Tue, 14 Nov 2006 10:23:04 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote:
>Is a 23 character (mainly alphabets + a few digits, definitely not in
>english dictionary) WPA2 shared key long enough to thwart someone trying
>to join my wifi network?
23 characters is better than 22 and not as good as 24. it seems
reasonable to me but then i use a 64 character key, a mix of numbers
and upper and lower case letters.
On Tue, 14 Nov 2006 10:23:04 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote:
>I guess the answer is that
>they must overcome 1 more hurdle, decrypting the SSL packets.
SSL is susceptible to a "man in the middle" type of attack. http://www.sans.org/reading_room/whi...hreats/480.php
At this time, it takes quite a bit of expertise to pull it off, so I
don't expect anyone in a coffee shop to do this. It also has to be
done in real time and not with a capture file. You're probably safe
with SSL. More common are spoofed "secure" web sites with locally
generated certificates.
You can't decrypt SSL from a capture file, but you can crack the WPA
key, and setup a man in the middle attack with a phony web server.
That's way too much work for the casual hacker, but still possible.
>Speaking of secure connection, do you
>know whether or not instant messaging software (Yahoo, MSN, AOL etc) use
>encryption (at least) to logon to their server? I've been looking all
>over for that info but can't find it. Thanks.
Well... Skype uses encryption for voice. No clue on chat.
AIM does not but there are plugins that add encryption. For example: http://www.aimencrypt.com
MSN apparently does NOT encrypt their traffic, but again there are
add-on. http://www.secway.fr/us/products/simplite_msn/
Looks like Yahoo is more of the same: http://www.secway.fr/us/products/simplite_yahoo/
I suspect the others are similar. No encryption unless added by the
user. It wasn't terribly difficult to find these with Google. You
might try searching again.
On Wed, 15 Nov 2006 00:56:57 GMT, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<0iokl29bs1ktkqgrj5ol38u8ktvdcu957v@4ax.com>:
>On Tue, 14 Nov 2006 10:23:04 -0800, Ron
><fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.c om> wrote:
>
>>I guess the answer is that
>>they must overcome 1 more hurdle, decrypting the SSL packets.
>
>SSL is susceptible to a "man in the middle" type of attack.
Depends. Can be defended against with TLS, URI dereferencing and
certificate checking, and/or securing the handshake. This can be
configured in both IE and Mozilla Firefox.
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
Jeff Liebermann wrote:
>
>
> Well... Skype uses encryption for voice. No clue on chat.
> AIM does not but there are plugins that add encryption. For example:
> http://www.aimencrypt.com
> MSN apparently does NOT encrypt their traffic, but again there are
> add-on.
> http://www.secway.fr/us/products/simplite_msn/
> Looks like Yahoo is more of the same:
> http://www.secway.fr/us/products/simplite_yahoo/
> I suspect the others are similar. No encryption unless added by the
> user. It wasn't terribly difficult to find these with Google. You
> might try searching again.
>
No, I don't want to encrypt the whole chat session, only during logon so
no one can steal my password. I don't send sensitive data over instant
messenger so I don't really care if the chat session is in clear text.
On Wed, 15 Nov 2006 09:14:57 -0800, Ron
<fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> wrote in
<7910e$455b4b13$4286329d$2632@msgid.meganewsserver s.com>:
>Jeff Liebermann wrote:
>>
>> Well... Skype uses encryption for voice. No clue on chat.
>> AIM does not but there are plugins that add encryption. For example:
>> http://www.aimencrypt.com
>> MSN apparently does NOT encrypt their traffic, but again there are
>> add-on.
>> http://www.secway.fr/us/products/simplite_msn/
>> Looks like Yahoo is more of the same:
>> http://www.secway.fr/us/products/simplite_yahoo/
>> I suspect the others are similar. No encryption unless added by the
>> user. It wasn't terribly difficult to find these with Google. You
>> might try searching again.
>
>No, I don't want to encrypt the whole chat session, only during logon so
>no one can steal my password. I don't send sensitive data over instant
>messenger so I don't really care if the chat session is in clear text.
The well-known instant messaging services authenticate in a secure way.
See "Threats to Instant Messaging"
<http://www.symantec.com/avcenter/reference/threats.to.instant.messaging.pdf>
--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
John Navas wrote:
>>No, I don't want to encrypt the whole chat session, only during logon so
>>no one can steal my password. I don't send sensitive data over instant
>>messenger so I don't really care if the chat session is in clear text.
>
>
> The well-known instant messaging services authenticate in a secure way.
> See "Threats to Instant Messaging"
> <http://www.symantec.com/avcenter/reference/threats.to.instant.messaging.pdf>
>
Ron <fdskljfoiewiorewuokdvsfds@FI74as32etwIOtrFewDS.co m> hath wroth:
>No, I don't want to encrypt the whole chat session, only during logon so
>no one can steal my password. I don't send sensitive data over instant
>messenger so I don't really care if the chat session is in clear text.
Oh. All of them use a challenge-response mechanism, where the actual
password is not sent. Instead a hash code derived from the
combination of the password and some random rubbish is sent. It's
quite safe. At one time, it was possible to crack the AIM password
from a capture file because they used a really crude random number
generator: http://www.packetstormsecurity.org/Crackers/
Search for various AIM cracking tools.
WiFi Security 
Linear Mode
