What are the chances of breaking into a WPA2 protected WiFi network? Does accessing the internet using wifi with WPA2 security thru http secure connection add an extra protection? Suppose that someone is able to get into my wifi network and sniff the packets. Can they read the data knowing that it is encrypted? Thanks in advance.
On Mon, 13 Nov 2006 13:34:43 -0800, Ron wrote in :
Very low.
Yes.
They can sniff wireless packets, but can't read the contents without decrypting them.
I suppose I can safely say that HttpS packets that get stolen out of the air (wifi connection) would be the same as (or similar to) those stolen over wired connection, right? It would all depend on the decryption part to successfully read the data packets.
Or is the data encrypted twice (wifi encryption + SSL encryption)?
Really? How's that? The OP is asking if accessing the internet with WPA2 through http will add axtra protection.
They could get onto the OP's network and sniff packets from the WAN side. The packets are not encrypted on the wired network and can certainly be read from the WAn side.
Axel, I think you mis-read my post. It's httpS not http. I said "... thru http secure...". The following would've been a better sentence:
"Does accessing the internet using wifi with WPA2 security thru https add an extra protection?"
See I almost called you Alex :-) Your name does look like Alex.
On Mon, 13 Nov 2006 14:27:14 -0800, Ron wrote in :
Right.
Right.
Twice, by SSL encryption within WPA encryption.
On Mon, 13 Nov 2006 23:31:20 +0100, snipped-for-privacy@hotmail.com (Axel Hammerschmidt) wrote in :
http*s*
*Wireless* packets.
Then WPA2 doesn't make any difference.
Are u saying we'll be ok even when connecting to https site over unsecured WiFi connection due to SSL encryption?
On Mon, 13 Nov 2006 16:15:53 -0800, Ron wrote in :
Sure. WPA would just add extra security, and prevent unauthorized use of your Internet connection.
Did eye say that?
Remotely, using wireless hacking tools, fairly slim. See CowPatty for the closest approximation:
No. HTTP can be sniffed. If the WPA2 security were to be breached, the HTTP would be easily readable. HTTPS is what I think you wanted.
Ambiguous. If they "get into" (can you be more specific what you mean by that?) your system, they can do whatever they want. To what degree they "get into" your system is the question. If they just "get into" your network, but you have the security on each client nailed down, there's not much that they can do.
Your real problem with WPA2 is physical security. If I can extract your WPA2 encryption key from your machine, I can break into your network. I have a trick for doing this in about 3 seconds if I can physically "get into" your desktop or laptop. Once I have the WPA2 key, I simply join your wireless network or use the key to decrypt captured packets offline. This should give you a clue:
Is a 23 character (mainly alphabets + a few digits, definitely not in english dictionary) WPA2 shared key long enough to thwart someone trying to join my wifi network?
Indeed, I was asking about http secure (httpS).
No, not get into my "system". Suppose they're able to join my WiFi network (they found out the shared key and joined in). Btw, all my PCs/notebooks are protected with software firewall (zonealarm). Being in my wifi network doesn't grant them access to my PCs but they can sniff the packets going both directions (in/out). I guess the answer is that they must overcome 1 more hurdle, decrypting the SSL packets.
You can't if it's SSL encrypted. Speaking of secure connection, do you know whether or not instant messaging software (Yahoo, MSN, AOL etc) use encryption (at least) to logon to their server? I've been looking all over for that info but can't find it. Thanks.
On Tue, 14 Nov 2006 10:23:04 -0800, Ron wrote in :
:Password cracking can be defeated by using a passphrase of at least 5 Diceware words or 14 completely random letters with WPA and WPA2. For maximum strength, 8 Diceware words or 22 random characters should be employed. Passphrases should be changed at regular intervals, or whenever an individual with access is no longer authorized to use the network or when a device configured to use the network is lost or compromised.
Nope. Other than their own traffic, they can only sniff broadcast traffic. The real risk is that they can use your network to attack or compromise your own hosts. Software firewalls can mitigate that risk, but only if properly configured and maintained. Better, if you don't need networking, to isolate hosts so they can't access each other.
It's a common misconception that knowing a PSK pass-phrase is enough to decrypt encrypted wireless traffic. It's not, because WPA uses dynamic session keys: per user, per session, and even per packet (plus protection against replay attacks).
The insecurity of PSK is thus a matter of *authentication* (wireless network access), not *encryption*.
That's exactly what I did. All WiFi clients do not trust each other. AP is set to treat all clients as individual machine (I can't remember the exact term for it - may be "client isolation" or something). In addition to that, file sharing is disabled, netbios over tcp/ip is disabled also (all PCs are windows boxes) and last, zonealarm on every PCs. I need some sort of protection to tell me if something wants to access the internet so I put zonealarm.
Thanks for clearing that up.
On Tue, 14 Nov 2006 12:16:04 -0800, Ron wrote in :
I was actually wrong. It *is* possible to crack the encryption if the WPA pass-phrase is known. Sorry.
23 characters is better than 22 and not as good as 24. it seems reasonable to me but then i use a 64 character key, a mix of numbers and upper and lower case letters. 73, rich, n9dko
SSL is susceptible to a "man in the middle" type of attack.
You can't decrypt SSL from a capture file, but you can crack the WPA key, and setup a man in the middle attack with a phony web server. That's way too much work for the casual hacker, but still possible.
Well... Skype uses encryption for voice. No clue on chat. AIM does not but there are plugins that add encryption. For example:
On Wed, 15 Nov 2006 00:56:57 GMT, Jeff Liebermann wrote in :
Depends. Can be defended against with TLS, URI dereferencing and certificate checking, and/or securing the handshake. This can be configured in both IE and Mozilla Firefox.
No, I don't want to encrypt the whole chat session, only during logon so no one can steal my password. I don't send sensitive data over instant messenger so I don't really care if the chat session is in clear text.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.