Is hiding your home SSID actually a privacy flaw (broadcasting your home SSID at public hotspots)?

Now THAT is interesting!

Reply to
Aaron FIsher
Loading thread data ...

Meanwhile, at the alt.internet.wireless Job Justification Hearings, Jeff Liebermann chose the tried and tested strategy of:

A salutary tale on that theme:

formatting link

Reply to
alexd

And you're worried that your wife may find out where you were the night before?

Reply to
Axel Hammerschmidt

Excellent read! Thanks for the link.

Reply to
Char Jackson

You betcha! I'm trying not to be "Tigered" by my own clubs! :)

So far, the summary of my epiphany seems to be the following:

  • Your radio NIC MAC address (as we all knew) is disclosed (authentication frame)
  • Your last-connected SSID is (often) also revealed (association request)
  • And, worst of all, your SSID is used to salt your WPA2 encryption!

I also had the revealing revelations of:

  • Hiding the SSID provides almost no "real" benefit
  • Using a generic SSID exposed you to hash pre-computation attacks
  • Using a unique SSID exposes you to wife-watching-you privacy leaks!

Is there anything else I missed, that I'm clueless of (and which isn't necessarily obvious) that I need to be concerned about? :)

Reply to
Aaron FIsher

You haven't demonstrated why this is a bad thing.

You haven't demonstrated why this is a bad thing. In fact, I'm pretty sure it doesn't mean what you think it means (or you wouldn't have added it to this list or given it the "worst of all" label).

I would have said no benefit, only disadvantages.

Only if your password falls within the limits of what's contained in the pre-comp tables. It's easy enough to avoid.

*sigh*

Yes, keep an eye on tin foil futures and stock up if you see a price increase coming.

Reply to
Char Jackson

I can't describe it any clearer than this:

It's either: a) A good thing b) A bad thing c) Meaningless

Since divulging the last-connected SSID is clearly not meaningless; and it's clearly not a "good thing", then it's a "bad thing".

The point is not "how bad"; the point is to simply realize that it exists. And to see what can easily be done to mitigate the risk.

Reply to
Aaron FIsher

What's enlightening about that story of how that team was hacked is that the security experts fell prey to relatively simple social engineering, using a few cues.

Those few cues were able to balloon into a full-scale security breach!

Your list of previously visited hotspots is one of those social cues.

The black hats knew what to do to avoid catastrophe; they just didn't do the simplest of things to prevent it.

Likewise, with revealing your previously used SSID.

Very interesting read indeed!

Reply to
Aaron FIsher

Ooo. Wonderful. Set up a set of false categories and prove anything you want.

What risk?

Reply to
unruh

I would have picked "c)".

Reply to
Char Jackson

Let's agree to disagree.

You feel absolutely no information is divulged; I feel your last- connected SSID is revealed.

I, for one, am happy that I know this. You don't care.

And that's OK. Let's just not try to convince each other.

Agree? I won't try to convince you that I don't want my home SSID disclosed, ok? And you can stop asking why it matters to me (because it's obvious why it matters to me as it's in the title of this discussion).

:)

Reply to
Aaron FIsher

If you feel there is no risk in disclosing your radio NIC MAC, your home SSID, your current machine hostname, your username, etc. at a public hotspot, then let's just agree to disagree.

I think there is risk. You do not think there is risk (apparently).

And, as I said to others, that's OK. Privacy is a personal thing (tm).

I'm not saying there's a LOT of risk, by the way. All I tried to understand here is what actually happens.

I think we have that information now (for the most part).

It's up to each of us (as individuals) as to what actions we take once we're aware of the home SSID disclosure.

I, for one, prefer not to disclose my previous whereabouts when I don't have to. You obviously do prefer to disclose that information - and that's OK.

Let's just agree that we disagree. OK?

Reply to
Aaron FIsher

He never said that. You are really great at argumentation from irrelevancies. He said he picked c) Meaningless. That does not mean he picked "absolutely no information is divulged". It means he feels that the information divulged is meaningless.

then why do you keep trying to convince people?

No, again you have changed the topic. The topic of this thread is not your likes and desires.

No, the title of this discussion is "Re: Is hiding your home SSID actually a privacy flaw (broadcasting your home SSID at public hotspots)?" There is nothing about Aaron FIsher in that title.

Reply to
unruh

Excellent! You saved me the trouble of replying while accurately covering everything I wanted to cover, especially the "meaningless" part.

Reply to
Char Jackson

The last post in any thread is always the point of view of an idiot!

Reply to
starshine

Let he who is without sin, cast the first stone. Let he who is burdened with much sin, cast the last stone. (Me, about 1972)

Reply to
Jeff Liebermann

On Thu, 17 Feb 2011 21:19:54 +0000, Aaron FIsher wrote:

What I (think I) learned (so far) from you guys was:

a) The previously connected SSID & current radio NIC MAC address are often divulged when initially connecting to an AP so you probably don't want to use a unique or identifiable SSID if you're worried about that. See examples at:

formatting link
b) Despite common Internet admonishments, hiding your SSID (or using MAC address filtering for that matter) is almost utterly useless because they are both sent, in the clear; but, contrary to the original assumption in this thread, it's not any worse, per se, to hide your SSID than it is to broadcast your SSID openly. See details at:
formatting link
c) You probably would want to use a unique SSID because both the SSID & SSID length are used as the known salt to create WPA2/WPA2-PSK encryption keys using a known algorithm. See details at:
formatting link
d) With WPA2/WPA2-PSK encryption, you can only avoid the SSID from being your encryption salt (only) if you supply a string of 64-bit hexadecimal digits instead of an ASCII passphrase of 8 to 63 characters. See details at:
formatting link
e) Since freely available pre-generated WPA2/WPA2-PSK rainbow tables are known to exist, you should probably not use a top-thousand SSID nor a top- million dictionary-style passphrase for your WPA2/WPA2-PSK encryption. See details at:
formatting link
f) Encryption security would be increased by the use of FreeRADIUS servers; but RADIUS setup is reputedly onerous (so contracting out to the likes of Jeff would seem advantageous). See details at:
formatting link

g) The last person to post is either an idiot, or "burdened with much sin"! :)

Did I miss anything in the summary?

Reply to
Aaron FIsher

Warren Oates wrote on [Fri, 18 Feb 2011 18:15:26 -0500]:

Just telnet to port 25 of a know mail server...

Reply to
Justin

How is that "anonymous"?

Reply to
Warren Oates

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.