[CentOS] Another security question

Wed Dec 24 17:18:19 UTC 2008
Anne Wilson <cannewilson at googlemail.com>

On Wednesday 24 December 2008 16:30:58 Robert Moskowitz wrote:
> Anne Wilson wrote:
> > I would like to be able to check my bank account while we are on holiday.
> >  I know the bank's site is encrypted from the start - the login page is
> > https and Verisign-trust encrypted - but is there any risk in using
> > public wireless networks for jobs like this?  It sounds secure enough,
> > but maybe I'm paranoid....
>
> This is part of my real-life job....
>
> It is relatively easy to attempt a ARP poison attack on a wireless
> network.  Even an encrypted one (of course the attacker has to be a
> legal user of said encrypted network).
>
> Once the attacker has poisoned yours and the routers' ARP cache, he can
> then use a tool like DSNIFF to insert himself into your HTTP flows.
> Thing is he cannot fake web site certs, he has to use his own.
>
> Be VERY restrictive on what you will accept as certs on a public
> wireless network.  Actually look at their content, making sure who
> signed them.  It is actually wise to store your bank's certs on your
> system, then only accept stored certs, even to excluding (or at least
> first reviewing) certs signed by trusted authorities like Verisign.
>
> If you validate the cert, the man in the middle SSL attack fails.
>
>
> BTW, at IETF conferences we have had people running bogus SSH servers
> through DSNIFF and other tools, and you had to watch the SSH
> fingerprints as well.
>
>
Hi, Robert.  Thanks for answering.

My bank first requires an account number - which I don't store on the netbook 
- then it displays a picture chosen by them and a phrase chosen by me.  
Finally I give my login pin.  I think they're being reasonably cautious and I 
don't think it would be easy for an intruder to send me false web pages during 
login.  However, unlike some sites that I've visited, the certificates are not 
in clear view.  Can you give me some guidance on how to view and validate 
their certificates?  I like the idea of having a saved copy to validate 
against.

Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20081224/ae60ca36/attachment-0005.sig>