[CentOS] Another security question
Robert Moskowitz
rgm at htt-consult.com
Wed Dec 24 16:30:58 UTC 2008
Anne Wilson wrote:
> I would like to be able to check my bank account while we are on holiday. I
> know the bank's site is encrypted from the start - the login page is https and
> Verisign-trust encrypted - but is there any risk in using public wireless
> networks for jobs like this? It sounds secure enough, but maybe I'm
> paranoid....
This is part of my real-life job....
It is relatively easy to attempt an ARP poison attack on a wireless
network. Even an encrypted one (of course the attacker has to be a
legal user of said encrypted network).
Once the attacker has poisoned your and the router's ARP caches, he can
then use a tool like DSNIFF to insert himself into your HTTP flows.
Thing is he cannot fake web site certs, he has to use his own.
Be VERY restrictive on what you will accept as certs on a public
wireless network. Actually look at their content, making sure who
signed them. It is actually wise to store your bank's certs on your
system, then only accept stored certs, even to excluding (or at least
first reviewing) certs signed by trusted authorities like Verisign.
If you validate the cert, the man in the middle SSL attack fails.
BTW, at IETF conferences we have had people running bogus SSH servers
through DSNIFF and other tools, and you had to watch the SSH
fingerprints as well.
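An added example of the "store your bank's certs, then only accept stored certs" approach described above (my code, not from the post or the CentOS list): a small known-certs store in the style of SSH's known_hosts, with normal CA validation kept on as the first review step. The store path and its JSON format are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Assumed store location; the format (host -> hex SHA-256 of the DER leaf cert)
# is my own, modelled on SSH's known_hosts: trust on first use, exact match after.
STORE_PATH = Path.home() / ".bank_cert_pins.json"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the raw DER bytes, the fingerprint most tools display."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, store: dict) -> str:
    """Compare the presented leaf certificate with the one stored for host.

    Returns "stored" the first time a host is seen and "match" when the
    fingerprint equals the stored value. Any other cert, including one signed
    by a trusted CA, raises: that is the interposed-attacker case, since he
    cannot present the bank's cert and must use his own.
    """
    fp = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "stored"
    if known == fp:
        return "match"
    raise ssl.SSLCertVerificationError(
        f"{host}: presented {fp[:16]}... but stored pin is {known[:16]}...")


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Connect with normal CA validation still enabled and return the leaf DER."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(host: str) -> None:
    store = json.loads(STORE_PATH.read_text()) if STORE_PATH.exists() else {}
    result = check_pin(host, fetch_leaf_cert(host), store)
    STORE_PATH.write_text(json.dumps(store, indent=2))
    print(f"{host}: {result}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1])  # e.g. python pincheck.py bank.example
```

Run it once from a network you trust so the first-seen fingerprint is the real one; a later "mismatch" on a public wireless network is the signal to stop and look at the cert before logging in.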