[CentOS] Another security question

Wed Dec 24 16:30:58 UTC 2008
Robert Moskowitz <rgm at htt-consult.com>

Anne Wilson wrote:
> I would like to be able to check my bank account while we are on holiday.  I 
> know the bank's site is encrypted from the start - the login page is https and 
> Verisign-trust encrypted - but is there any risk in using public wireless 
> networks for jobs like this?  It sounds secure enough, but maybe I'm 
> paranoid....

This is part of my real-life job....

It is relatively easy to attempt a ARP poison attack on a wireless 
network.  Even an encrypted one (of course the attacker has to be a 
legal user of said encrypted network).

Once the attacker has poisoned yours and the routers' ARP cache, he can 
then use a tool like DSNIFF to insert himself into your HTTP flows.  
Thing is he cannot fake web site certs, he has to use his own.

Be VERY restrictive on what you will accept as certs on a public 
wireless network.  Actually look at their content, making sure who 
signed them.  It is actually wise to store your bank's certs on your 
system, then only accept stored certs, even to excluding (or at least 
first reviewing) certs signed by trusted authorities like Verisign.

If you validate the cert, the man in the middle SSL attack fails.


BTW, at IETF conferences we have had people running bogus SSH servers 
through DSNIFF and other tools, and you had to watch the SSH 
fingerprints as well.