What exactly does SSL protect in a web site forum/mail?

It is normal, even for grown ups, to have friends at home that need to connect to internet, or to my computer (typically to share files, print something, whatever), so they have a valid reason to know the password.

Some home routers have two different passwords, one for guests. The guests get access to internet, but not to the local network.

Reply to
Carlos E.R.

The guest login for many wireless routers (i.e. Linksys) is NOT encrypted. There's only a password for using the guest login, and nothing else:

Reply to
Jeff Liebermann

I'm just worried about the basics now so I am not asking about third-order problems such as worrying about how secure wpa2 is.

For now, I just want to know if the http logins/passwords my children and I type into http web sites can be seen by neighbors when I know that they are protected by wpa2 from the router.

You say they are, and I always thought that they were (although some people implied that they are not protected).

Assuming they are protected by wpa2, then anyone NOT on the network certainly will just see gibberish. So we can move to people who ARE on the network, namely ONLY me and my two kids.

I am NOT worried about a burglar at this point, simply because it makes no sense to try to understand what a burglar can do when I don't even understand what "I" can do, with full network privileges!

I looked at my netgear router, and I don't see, in the log file, anywhere where it shows http logins/passwords from me and the kids.

Reply to
Alice J.

A neighbour with adequate knowledge and hardware could listen to the traffic and glean anything you send or receive.

And many people on your ISP and anywhere in the route can do it. Not that they do, but that they can.

Nobody said they would be in the router log :-)

Look, you are sending postcards, not closed letters. Anybody that handles your postcards can read them.

Reply to
Carlos E.R.

The Basics is "Never enter a password on a non-SSL protected site". That is it.

It is not the case.

The wpa2 traffic is protected between the computer and the router. That is it. It is not protected after that. And it is protected only if your wpa2 has not been compromised, and there are many ways of doing that, and you will never know it has been compromised.

Reply to
William Unruh

The problem is that you will probably know if someone breaks into your car or your house. The goods are such that only one person can have them at a time. Your internet information is not like that. They can be "stolen" and you will never know it (until for example you find your bank account emptied and your bank refusing to compensate you because your password was used).

Reply to
William Unruh

Assuming you have a good password, and it has not been obtained somehow (eg your kid gave it to another friend, who gave it to another friend, who gave it to his father,....) then from the laptop to the router the traffic is encrypted. But if someone has access to the router, the traffic is not encrypted in there, and could be read.

Why should it? Just because it does not keep track does not mean that someone cannot obtain it while you are connecting to those places. It is like saying "I do not understand how someone can break into my house. I do not see my house key lying on the sidewalk outside my house."

Yes.

Why would anyone give a lesson in that?

Reply to
William Unruh

To repeat, they may be visible to them, not via the radio waves in the air, but via the signals over the comcast cable. Remember that your neighbour is not limited by your equipment or your knowledge. They may have access to much more sophisticated equipment than you have and much more knowledge than you have. There is a widespread idea that all crooks are stupider than you are, and are much more limited than you are. It is not true.

No. They are protected ONLY in the transit from your computer to the wireless AP. Since none of the web pages you are signing onto are actually delivered by that AP, there is a lot of distance in which they are in the clear and might be readable by others.

Again, you assume that every burglar is stupider and less knowledgeable than you. It is not true.

Reply to
William Unruh

Alice J, take the above advice. I don't think anybody will contradict it. . . . Anybody?

[snip]

That's another pivotal observation. I see a lot of confusion in this thread that seems to result from people forgetting that WPA2 only protects one leg of the journey between your laptop and your bank's server. (Maybe that's the result of cross-posting to alt.internet.wireless.) Anyway, it's important to bear in mind that HTTPS gives you end-to-end protection.

Reply to
Peter Pearson

To elaborate what others have said, the type of information you see in the log about the sites you visited is visible in wifi signals, if they are not encrypted by WPA2. Even if the sites used SSL, because SSL doesn't hide the site information. SSL hides the id and passwords, but not the site identity. WPA2 protects the site information from sniffing.

These days all well-run web sites that have logins use SSL, at least for the login traffic. It's considered very antiquated not to do that. For a financial site not to have fully encrypted customer traffic would be considered malpractice, possibly law-suit material. However, due to configuration error, even a well-run site may not use SSL. Encrypted WiFi will hide your information even in such a case, at least to local sniffing. (My utility, pge.com, currently has a non-encrypted login page, due to misconfiguration. Hopefully they will fix it soon.)

Reply to
default

When I am trying to understand things, I don't start with assuming a black clad burglar is lying in wait next to the router just waiting to connect a wire to an unused LAN port.

That's starting at the most preposterous, and working down. I'd rather start at the most obvious, and work up.

Again, that's starting at the most preposterous which is to say that there is no encryption (basically) whatsoever.

I said many times I have WPA2 and we can assume, for now, that the SSID and passphrase are secure (because that's a totally separate issue anyway).

For now, I try to assume that valid people are connecting to the router (namely me and my children), at least until I understand how *that* works.

After we validate how the simple wpa2 protection works, then we can get complicated and assume black-clad burglars are sneaking around my router.

The first "adversary" I'm trying to figure out is simply a neighbor who can pick off my air wave transmissions with sniffers.

I'm trying to understand what "they" can see.

I'm aware that Putin himself can sneak into my house to drip polonium into my water supply.

But I'd really first rather understand the "normal" system of what "does" happen before jumping to trying to understand all the things that can possibly happen.

Mostly, I'm just trying to figure out what happens in the normal situation where NOBODY who doesn't belong on the network is connected by wpa2 and where neighbors can easily sniff packets.

What do the neighbors see?
A. Do they see my packets all in the clear?
B. Do they see my packets all scrambled up?

Reply to
Alice J.

Some people said that only the login/password authentication was protected by wpa2.

Is that true?

Or is all the traffic between the computer and the router protected by wpa2 scrambling?

Reply to
Alice J.

I disagree. It's like saying "don't drive" because "cars cause accidents".

I log into bimmerfest.com. I can't use the site if I follow your advice.

It's nice neat advice. But the advice doesn't work.

So it's useless. Nice. But useless.

This is much more useful information.

First off, HTTPS doesn't play a role here because we, the users, have absolutely no control over that.

So let's stop talking about HTTPS please.

However, I *already* understood the end-to-end encryption part, which is why I use Tor Browser Bundle. It's not a perfect solution because the end hop is still in the clear, and because the bimmerfest site keeps kicking off Tor, but it's better than nothing.

But, what I'm stuck on now is understanding what happens in a NORMAL situation where, for simplicity, we ASSUME there are no black-clad burglars tapping into my router and we assume only that the neighbors can see in the airwaves whatever it is that they can see.

Under that SIMPLE but quite normal situation, is the wpa2 encryption still two way between the router and the computer and does that wpa2 encryption still encrypt everything (or does it only encrypt the login/password authentication process as some people said)?

Reply to
Alice J.

I'm not worried about the password.

I'm trying to understand how things work in a normal situation. Everyone is trying to tell me about abnormal situations, which is fine, except I can't understand them UNTIL I first understand a normal situation.

I have no problem whatsoever understanding the value of a good passphrase. That's not where I'm stuck.

I'm only stuck trying to understand why some people say that my neighbors can see my wpa2 encrypted traffic in the clear over the air waves.

If what they say is true, then encryption is useless. It can't be that.

So they must not understand how wpa2 works. Or they are giving me situations that I didn't ask about.

Or what?

Reply to
Alice J.

Wireless encryption applies to all packets on your network equally. Packets that happen to contain passwords are not distinguished.

If you are using pre-shared key mode, which you almost certainly are, then (AFAIK) the only secret input to the construction of the encryption keys is the wireless passphrase. Everything else is either fixed, or transmitted in clear during setup. So a weak wireless passphrase will leave you vulnerable to the attacks you seem to be worried about.

Reply to
Richard Kettlewell
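The key construction described in the post above, as an added example that is not part of the original thread: the WPA2 pre-shared-key derivation from IEEE 802.11i, showing that the passphrase is the only secret input and that the traffic key covers every data frame regardless of content. The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
             anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """Per-session pairwise transient key (48 bytes for CCMP) via the 802.11i PRF."""
    # Both MAC addresses and both nonces are sent unencrypted during the 4-way handshake.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        block = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def temporal_key(ptk: bytes) -> bytes:
    """Bytes 32..47 of the PTK encrypt unicast data frames (KCK and KEK come first)."""
    return ptk[32:48]

# Constructed sample values, not taken from any real network.
SSID = "HomeNet-Example"
PASSPHRASE = "correct horse battery staple 42"
AP_MAC = bytes.fromhex("02aabbccdd01")
LAPTOP_MAC = bytes.fromhex("02aabbccdd02")
PHONE_MAC = bytes.fromhex("02aabbccdd03")

def session_keys() -> dict:
    """Two stations sharing one passphrase still end up with different temporal keys."""
    pmk = wpa2_pmk(PASSPHRASE, SSID)
    laptop = wpa2_ptk(pmk, AP_MAC, LAPTOP_MAC, b"\x11" * 32, b"\x22" * 32)
    phone = wpa2_ptk(pmk, AP_MAC, PHONE_MAC, b"\x33" * 32, b"\x44" * 32)
    return {"laptop_tk": temporal_key(laptop), "phone_tk": temporal_key(phone)}

if __name__ == "__main__":
    for name, key in session_keys().items():
        print(name, key.hex())
```

With the passphrase held constant, everything that varies between sessions is visible on the air, so in pre-shared key mode the length and randomness of the passphrase carry the whole design.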

Mr. Jeff Liebermann, you seem to be able to handle a basic question with detail.

Can YOU explain, without introducing black-clad burglars, or WPA2 rainbow hashes, what exactly is encrypted (and what is not encrypted) when I am in a normal WPA2 communication with my router logging into an http web site?

For this, the most basic common and simple case, we can assume I have good WPA2 passphrases, and good SSIDs, and that there is nobody directly tapping into my system.

Under this, which is the most common of scenarios, can you explain what exactly my neighbor can see of my wireless and wired communications to and from the http web site?

Reply to
Alice J.

Is THIS what they see under normal circumstances?

^ From me to the router my neighbors see nothing but gibberish over the air.
^ Despite what Mr. Lewis said, that gibberish includes ALL my communication!
^ From the router to the cable modem my neighbors still see nothing.
^ From the modem to Comcast my neighbors see nothing

Reply to
Alice J.

But you started with the most preposterous statement. "If I only connect with http and not with https". So why should responders not point out to you why that is a silly start.

How in the world is that the most preposterous. WEP IS protecting the system with encryption. It is commonly used. That it was shit poor encryption procedure designed by people who had not the slightest clue about encryption does not mean there is not encryption.

The SSID is always public.

Well, since anyone within 10 or 20 meters of your home can also connect, that is not a terribly valid assumption.

Yup. That is one.

And you have been told repeatedly.

As you have been told about 5 times, IF you use wpa2 they see encrypted packets. They may however be able to break your wpa2 encryption (eg dictionary attacks) and then see everything. And that does not protect you beyond that router. Since the Comcast lines run to their house as well, it is possible that they can see all of the traffic your comcast router puts out to their central office, especially since, as YOU said, they are technologically sophisticated.

Please read what people answer and do not go riding off in a high dudgeon.

Reply to
William Unruh

wpa2 has no idea what "login" or "password" are. They are just packets of data. Everything is encrypted. And is also with WEP (just not very well and for all we know WEP2 has similar holes)

Reply to
William Unruh

What? Your analogy sucks.

Does it matter if your neighbors see that you are logged in there or that they can impersonate you there? If yes, then yes, you should not use that site. If no, then why do you care. Assume that everything that does not use https is open to someone else to see you. That is the only reasonable assumption to make. If you care that they can see you, do not use it, or persuade the site to act responsibly.

Sorry, it is the only advice that is worth anything. You can rail against the gods all you want, but they will not listen.

Which has been given you time and time again.

Sure you do. Do not use sites where you care about your secrecy which do not use https.

You are like the food junkie who asks how they can lose weight and says "Let's not talk about eating less please".

You can assume that your traffic is being read by someone. Perhaps not "in the air" (that is not guaranteed either since your passwords are probably piss poor, especially when you say you have not changed the password the router maker assigned you), but somewhere along the chain.

It encrypts everything between the computer and the router. So does WEP.

Reply to
William Unruh
