Networking Forums


Using unprotected Wifi

 
 
Tim Frink

 
      05-27-2010, 10:25 PM
Hi,

I have to use an unprotected wireless network (it's not
administrated by me). If I understand it correctly, using
this WiFi is not safe since all data (such as passwords that
I type on my console when I use ssh ...) is transferred unencrypted,
i.e., it can be basically read by anyone.

Is there a way to use an unprotected WiFi in a safe way by transmitting
all data in an encrypted way such that it can't be snooped?

Best,
Tim
 
 
 
 
 
Joe Pfeiffer

 
      05-28-2010, 05:22 AM
thunder <(E-Mail Removed)> writes:

> On Thu, 27 May 2010 22:25:00 +0000, Tim Frink wrote:
>
>> Hi,
>>
>> I have to use an unprotected wireless network (it's not administrated by
>> me). If I understand it correctly, using this WiFi is not safe since
>> all data (such as passwords that I type on my console when I use ssh
>> ...) is transferred unencrypted, i.e., it can be basically read by
>> anyone.
>>
>> Is there a way to use an unprotected WiFi in a safe way by transmitting
>> all data in an encrypted way such that it can't be snooped?
>>
>> Best,
>> Tim

>
> I'm a little confused. I can understand your concern about "all data",
> but not ssh. ssh is a "Secure Shell", and data *is* encrypted.


There's no encryption between his machine and the access point. If he
does his own encryption (even ROT13 -- deliberately chosen as "little
sister" security), it doesn't magically get unencrypted before going out
the antenna.

Several examples of doing his own encryption have been presented so far
(the ones I've seen have been a VPN, SSL, and SSH) and are just as
secure over the air as over a wire.

The mistake in regarding wifi as insecure is in thinking anything else
you do once you're off your own machine (or trusted infrastructure) is
any better.
--
As we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours;
and this we should do freely and generously. (Benjamin Franklin)
 
 
unruh

 
      05-28-2010, 06:38 AM
On 2010-05-27, Tim Frink <(E-Mail Removed)> wrote:
> Hi,
>
> I have to use an unprotected wireless network (it's not
> administrated by me). If I understand it correctly, using
> this WiFi is not safe since all data (such as passwords that
> I type on my console when I use ssh ...) is transferred unencrypted,
> i.e., it can be basically read by anyone.


The unencrypted link means that any unencrypted data sent over the link
is readable from outside (web pages, etc.). However, ssh traffic IS
encrypted and furthermore the password exchange is encrypted. Thus if
you use ssh over an unencrypted link the data cannot be read.

>
> Is there a way to use an unprotected WiFi in a safe way by transmitting

Yes.
Use ssh
or use a vpn

> all data in an encrypted way such that it can't be snooped?
>
> Best,
> Tim

 
 
unruh

 
      05-28-2010, 06:43 AM
On 2010-05-28, David Schwartz <(E-Mail Removed)> wrote:
> On May 27, 6:09 pm, thunder <thunderTAKE...@gti.net> wrote:
>
>> I'm a little confused. I can understand your concern about "all data",
>> but not ssh. ssh is a "Secure Shell", and data *is* encrypted.

>
> He's concerned about his password. If a MITM hijacks his SSH


Unencrypted and MITM are almost orthogonal concepts. You can have MITM
with an encrypted connection, and have unencrypted connections which are
resistant to MITM.

SSH encrypts all information going over the link. IF you use it properly
it is also resistant to MITM (although it is almost never used
properly -- people say to connect even if the system tells them that the
key has changed, because it changes too often due to innocent changes,
e.g. reinstallation).

> connection, unless he verifies the SSH key, the MITM could get his
> password and then SSH in as him. Unfortunately, in my experience, SSH
> keys change so often due to upgrades and incompetence that nobody ever
> checks them.
>
> DS

 
 
unruh

 
      05-28-2010, 06:46 AM
On 2010-05-28, Joe Pfeiffer <(E-Mail Removed)> wrote:
> thunder <(E-Mail Removed)> writes:
>
>> On Thu, 27 May 2010 22:25:00 +0000, Tim Frink wrote:
>>
>>> Hi,
>>>
>>> I have to use an unprotected wireless network (it's not administrated by
>>> me). If I understand it correctly, using this WiFi is not safe since
>>> all data (such as passwords that I type on my console when I use ssh
>>> ...) is transferred unencrypted, i.e., it can be basically read by
>>> anyone.
>>>
>>> Is there a way to use an unprotected WiFi in a safe way by transmitting
>>> all data in an encrypted way such that it can't be snooped?
>>>
>>> Best,
>>> Tim

>>
>> I'm a little confused. I can understand your concern about "all data",
>> but not ssh. ssh is a "Secure Shell", and data *is* encrypted.

>
> There's no encryption between his machine and the access point. If he
> does his own encryption (even ROT13 -- deliberately chosen as "little
> sister" security), it doesn't magically get unencrypted before going out
> the antenna.


ssh IS "his own encryption". An ssh session is encrypted from end to end
including between his machine and the access point.

>
> Several examples of doing his own encryption have been presented so far
> (the ones I've seen have been a VPN, SSL, and SSH) and are just as
> secure over the air as over a wire.
>
> The mistake in regarding wifi as insecure is in thinking anything else
> you do once you're off your own machine (or trusted infrastructure) is
> any better.

 
 
David W. Hodgins

 
      05-28-2010, 07:28 AM
On Fri, 28 May 2010 02:46:12 -0400, unruh <(E-Mail Removed)> wrote:

> ssh IS "his own encryption" An ssh session is encrypted from end to end
> including between his machine and the access point.


The ssh connection will only be encrypted after the session has been
established.

If he's using a passphrase, instead of public/private key encryption,
then he is susceptible to passphrase sniffing.

Use public/private key encryption.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
 
 
unruh

 
      05-28-2010, 09:51 AM
On 2010-05-28, David W. Hodgins <(E-Mail Removed)> wrote:
> On Fri, 28 May 2010 02:46:12 -0400, unruh <(E-Mail Removed)> wrote:
>
>> ssh IS "his own encryption" An ssh session is encrypted from end to end
>> including between his machine and the access point.

>
> The ssh connection will only be encrypted after the session has been
> established.


False. The establishment of the key is also protected. A approaches B
and, assuming that the two have shared a public key beforehand, can
verify that B is actually the intended recipient. Then the two exchange
a key in a protected manner.

>
> If he's using a passphrase, instead of public/private key encryption,
> then he is susceptible to passphrase sniffing.


No he is not.

>
> Use public/private key encryption.


ssh always does use it to establish the session key.

The user public/private or passphrase keys are not to establish encryption but to verify
that the user on B is the user allowed to log onto A. But by that time
encryption is established.

>
> Regards, Dave Hodgins
>

 
 
Robert Nichols

 
      05-29-2010, 12:08 AM
On 05/28/2010 06:14 AM, David Schwartz wrote:
> On May 28, 2:51 am, unruh<un...@wormhole.physics.ubc.ca> wrote:
>
>> False. The establishment of the key is also protected. A approaches B
>> and, assuming that the two have shared a public key beforehand, can
>> verify that B is actually the intended recipient. Then the two exchange
>> a key in a protected manner.

>
> This is true in theory, but unfortunately not always true in practice.
> (See other places in the thread where the unfortunate reality of
> constantly changing host keys has created the practice of ignoring
> changed key warnings.)


For someone who is in the habit of ignoring key change warnings,
concerns about unprotected WiFi should be the least of his worries.

--
Bob Nichols AT comcast.net I am "RNichols42"
 
 
Joe Pfeiffer

 
      05-29-2010, 02:31 AM
unruh <(E-Mail Removed)> writes:

> On 2010-05-28, Joe Pfeiffer <(E-Mail Removed)> wrote:
>> thunder <(E-Mail Removed)> writes:
>>
>>> On Thu, 27 May 2010 22:25:00 +0000, Tim Frink wrote:
>>>
>>>> Hi,
>>>>
>>>> I have to use an unprotected wireless network (it's not administrated by
>>>> me). If I understand it correctly, using this WiFi is not safe since
>>>> all data (such as passwords that I type on my console when I use ssh
>>>> ...) is transferred unencrypted, i.e., it can be basically read by
>>>> anyone.
>>>>
>>>> Is there a way to use an unprotected WiFi in a safe way by transmitting
>>>> all data in an encrypted way such that it can't be snooped?
>>>>
>>>> Best,
>>>> Tim
>>>
>>> I'm a little confused. I can understand your concern about "all data",
>>> but not ssh. ssh is a "Secure Shell", and data *is* encrypted.

>>
>> There's no encryption between his machine and the access point. If he
>> does his own encryption (even ROT13 -- deliberately chosen as "little
>> sister" security), it doesn't magically get unencrypted before going out
>> the antenna.

>
> ssh IS "his own encryption" An ssh session is encrypted from end to end
> including between his machine and the access point.


Didn't I say that in my next paragraph? There had been several
suggestions for ways to get an encrypted connection -- from Thunder's
response, it appeared he may have been confused about the relationship
between SSH and the unencrypted link. I was trying to clarify that
there is no relationship (which is also true of the other suggestions
people had made).

>> Several examples of doing his own encryption have been presented so far
>> (the ones I've seen have been a VPN, SSL, and SSH) and are just as
>> secure over the air as over a wire.
>>
>> The mistake in regarding wifi as insecure is in thinking anything else
>> you do once you're off your own machine (or trusted infrastructure) is
>> any better.


--
As we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours;
and this we should do freely and generously. (Benjamin Franklin)
 
 
Robert Nichols

 
      05-29-2010, 11:22 PM
On 05/29/2010 03:53 PM, David Schwartz wrote:
> On May 28, 5:08 pm, Robert Nichols
> <SEE_SIGNAT...@localhost.localdomain.invalid> wrote:
>
>> For someone who is in the habit of ignoring key change warnings,
>> concerns about unprotected WiFi should be the least of his worries.

>
> I think that's a pretty ridiculous attitude. If nothing else, it
> ignores the difference between blocking passive interception and
> blocking active attacks. There are many circumstances where it is much
> more important to block the latter than the former. (For example,
> cases where one is legal and the other is not and you are much more
> concerned by legal interception than illegal interception.)


Passive interception does not offer the opportunity to present a
fake host key that is a prerequisite for a MITM attack. The
design of the ssh protocol assumes that an eavesdropper is able
to monitor both sides of the conversation. If you know of a way
to crack an ssh connection by passive interception, I'm sure the
security community would be quite eager to hear about it.

Anyone is welcome to passively monitor my ssh connections at any
time, and that includes connections where I had no previous
knowledge of the remote system's public host key.

--
Bob Nichols AT comcast.net I am "RNichols42"
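
The host key check this thread keeps returning to (refusing to proceed when a server's key differs from the one already recorded), shown as an added example that is not part of any poster's message. It parses plain `known_hosts` lines, computes OpenSSH-style SHA256 fingerprints, and classifies an offered key; the host name, address and key bytes are constructed placeholders, and hashed host entries are skipped for brevity.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """Key type is the first length-prefixed string inside the blob."""
    blob = base64.b64decode(key_b64)
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode("ascii")

def parse_known_hosts(text):
    """Map (host, keytype) -> fingerprint for plain (unhashed) entries."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers, hashed hosts and short lines.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, ktype, key = fields[:3]
        if blob_key_type(key) != ktype:   # declared type must match the blob
            continue
        for host in hosts.split(","):
            pinned[(host, ktype)] = fingerprint(key)
    return pinned

def check_host_key(pinned, host, ktype, offered_b64):
    """Return 'match', 'changed' (do not connect) or 'unknown' (verify out of band)."""
    known = pinned.get((host, ktype))
    if known is None:
        return "unknown"
    return "match" if known == fingerprint(offered_b64) else "changed"

def make_ed25519_blob(raw32):
    """Build a constructed ssh-ed25519 public key blob for the demo."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample data: not real keys; host name and address are placeholders.
GOOD = make_ed25519_blob(bytes(range(32)))
OTHER = make_ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = f"# constructed sample\nserver.example.org,192.0.2.10 ssh-ed25519 {GOOD}\n"

if __name__ == "__main__":
    for key in (GOOD, OTHER):
        print(check_host_key(parse_known_hosts(KNOWN_HOSTS), "server.example.org", "ssh-ed25519", key))
```

A "changed" result corresponds to the key-change warning discussed in the thread; "unknown" is the first-connection case, where the fingerprint has to be compared against one obtained over a trusted channel.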
 