[conspire] Password permutations

Rick Moen rick at linuxmafia.com
Sat Apr 18 12:20:09 PDT 2020


Quoting Paul Zander (paulz at ieee.org):

> Just this morning Consumer Reports on TV gave the following advice
> about security.  Their scenario was at the coffee shop with free
> WiFi.  I think most of the following do not really apply, but I invite
> your comments.

All of their advice hinges on stressing that you shouldn't trust the
network, because various malign parties might do bad things in various
ways, and the related infrastructure (routing, local recursive DNS)
might lie to you.

This strikes me as quaint, because from my own perspective it's pretty
much always undesirable to trust the network.  Which is one reason why
you ensure security and privacy at a higher level on the 7-layer burrito
(https://www.6connect.com/blog/moment-internet-history-osi-7-layer-burrito/).

The logical response to 'You shouldn't trust some other party's
recursive DNS' is to run your own recursive nameserver on localhost
(although lamer solutions also appeal to many, such as relying on Google
Public DNS).

> 2.  Look for https.   If the bogus network actually connects to my
> bank, wouldn't I get the same certs?  How good is the encryption on
> the TLS, given that the network has been able to monitor all of the
> traffic that set up the connection?  The encryption keys do need to be
> exchanged, yes?

SSL works just fine across malign networks (if permitted to connect at
all, that is).  Of course, https is something of a weak reed to rely on
for other reasons that would be a long discussion.

> 3.  Use VPN.  Ah, I believe that VPN needs to be enabled at both
> ends.  I haven't seen any evidence of VPN at my bank or Amazon.

Their reasoning about using a VPN connection from the coffee shop is
that all of your outbound traffic without exception heads out encrypted
to a preselected VPN server IP in, say, Dublin, Eire, and only then
emerges from that encrypted tunnel to the broader Internet.  Notionally,
this means (1) you can have confidence that you actually did connect to
the endpoint in Dublin because of the SSL-based authentication and that
(2) any haplessly unencrypted traffic you are sending/receiving will
be crypto-wrapped between you and the VPN server, hence cannot be
sniffed at/near the coffee shop.
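As an added illustration of the "run your own recursive nameserver on localhost" advice above (this is not from the original post, and the list never names a particular resolver): a minimal unbound configuration that listens only on the loopback interface, answers only local clients, and validates DNSSEC so that a lying recursive resolver or a spoofed answer on the coffee-shop network is rejected rather than believed. The trust-anchor path is an assumption (it is the Debian/Ubuntu default; other distributions put root.key elsewhere).

```conf
# /etc/unbound/unbound.conf.d/local-recursor.conf  (added example; path assumed)
server:
    # Listen only on loopback, so nothing on the cafe LAN can query or
    # poison this resolver from outside the machine.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Recurse from the root ourselves instead of forwarding to the
    # DHCP-supplied resolver or a public one; no forward-zone is defined.
    # DNSSEC validation: answers that fail validation return SERVFAIL
    # rather than a forged address.  Path to the RFC 5011 managed
    # trust anchor is assumed (Debian default).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes

    # Send as little as possible to upstream authoritative servers.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Use 0x20 case randomisation and a wide source-port range to make
    # off-path cache poisoning harder.
    use-caps-for-id: yes
    outgoing-range: 4096
```

After installing it, point the stub resolver at loopback (a line reading `nameserver 127.0.0.1` in /etc/resolv.conf, or the equivalent for whatever manages that file on your system) and check that `unbound-checkconf` reports no errors. A quick sanity test of the validation path is to query a deliberately broken DNSSEC test domain and confirm you get SERVFAIL instead of an address; a resolver that hands back an answer for such a domain is not validating.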
