Man-in-the-middle and VPNs

Discussion in 'Wireless Internet' started by Dave Rudisill, Feb 19, 2007.

  1. I recently read that even the encrypted traffic on https web sites is
    not safe from man-in-the-middle attacks.

    Does the use of an Ipsec-based VPN such as JiWire's SpotLock protect
    against man-in-the-middle servers on public unsecured WiFi networks?

    Thanks.
     
    Dave Rudisill, Feb 19, 2007
    #1
    1. Advertisements

  2. So nobody knows?

    Jeez, I thought the WiFi security experts hung out here.
     
    Dave Rudisill, Feb 25, 2007
    #2
    1. Advertisements

  3. This article?

    Yes. All VPN's have mechanisms to prevent replay and session hijack
    attacks as well as their own independent authentication mechanisms.
    However, it is possible to disarm or disable such features, so don't
    assume that they're functional unless you check the settings.

    Those who would give up essential security to purchase a little
    temporary convenience deserve neither security or convenience.
    (Apologies to Ben Franklin).
    Possibly. More likely that nobody cares. I'm not a security expert
    so I only have a passing interest in such topics.
    Nope. Just the Wi-Fi hackers hang out here. On weekends, I'm more
    interested in breaking into networks than securing them. During the
    work week, it's the other way around.

    You might also find this interesting reading:
    <http://www.remote-exploit.org/codes_hotspotter.html>
    "It was possible to bring the client from a secure EAP/TLS network to
    an insecure one without any warnings from the operating system."
     
    Jeff Liebermann, Feb 25, 2007
    #3
  4. This is the one I had come across: http://preview.tinyurl.com/2vu7s6
    Thanks.
     
    Dave Rudisill, Feb 26, 2007
    #4
  5. Well, that's an article on extending the all too common phishing
    attack for banking sites, where the counterfeit site maintains a fake
    SSL server, and is able to somehow (not described in the article)
    break multiple authentication and key exchange mechanisms. The
    article is also theoretical, intentionally incomplete, and reads like
    a sales pitch for the authors security services company. I'm not
    qualified to judge whether the proposed extensions to phishing are
    probable.
     
    Jeff Liebermann, Feb 26, 2007
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.