Hacker News new | ask | show | jobs
by ergo98 5710 days ago
If that public wifi is secured with a password -- albeit a public password -- does that protect individual sessions?

Meaning you go to a cafe and the blackboard tells you that today's WPA2 password is "greenbeans". Knowing this does it provide the ability to sniff or abuse other users sessions on this WAP?

Honestly don't know this and can't find a clear answer about it.
3 comments
jrnkntl 5710 days ago
afaik (and from my own experience) that won't work.

  "As long as the universally supported WPA encryption protocol is used,
  each individual user receives their own private “session key” that absolutely 
  prevents eavesdropping between users, even through they are all using the
  same WiFi password."
from: http://steve.grc.com/2010/10/28/instant-hotspot-protection-f...
link
docgnome 5710 days ago
Yeah, we tested it on our WPA encrypted wireless and didn't get anything. It was seen when I logged into facebook but my coworker wasn't able to login as me. At least not with Firesheep.
link
jrockway 5710 days ago
Securing the connection layer doesn't matter. With a $10 Wifi card I can create an infrastructure access point called "Starbucks Wifi" or whatever I want that's encrypted with anything (WPA2, WEP, open... doesn't matter). Then when you connect to that, I get all your packets and can steal your session.

Now, sure, this attacks costs me $10 for the wifi card and it's not as fast as connecting to Starbucks' wifi and opening a Firefox tab... but you will still get a lot of data.

Link-level encryption is not the same as session encryption. For your link to be secure, you need link-level encryption. For your session to be secure, you need session-level encryption. It's that simple. Facebook is a session, not a link, so Facebook needs SSL.

There is simply no other workaround.

(And oh yeah, you need to authenticate who you are talking to. The access point asks you for a password to prove that you are allowed to talk to it. But you don't ask it for a password to prove that it is allowed to talk to you. Connecting to an access point is like giving your credit card information to the call that starts like, "Is this jrockway? There's a problem with your credit card...". They know who you are, but you have no idea whether they are actually your bank.)

link
icode 5710 days ago
I have wondered about the same question. Strange, I upvoted your question but it still only has one point.
link