nil.enroll(aetheric_username, quantum_class_id) (adric) wrote,

Beautiful Security: Chapter Two

Ed Note: This new O'Reilly book is a collection of essays on various security-related topics. It was reviewed on /. here and you can get a copy from Amazon, among other places. Please note that the authors and publisher are donating all royalties from the book sales to the IETF.

Chapter Two's Essay on Wireless Networking: Some good information, some FUD, and some bad advice

The author deserves credit for explaining some of the underlying problems with WiFi access to those new to the field or the problem. His anecdotes about airports and office buildings are certainly thrilling and pretty informative as well. Unfortunately the focus shifts from real world examples to discussions of overhyped nonsense like "warchalking" and, much worse, a suggested solution to the "public wifi access trust problem" that is just completely wrong, in part because he misunderstands the problem.

I first began to be concerned when he started to fixate on WEP/WPA as a potential solution to wireless network access restriction. Although he does explain the weakness of those two technologies and a few known successful attack methods, he still holds organizations that don't use them in some contempt. This was confusing and troubling, but I am used to being on the side of right in this matter, Bruce Schneier and I against the whole world ... running open wifi on purpose while using other technologies to secure our communications.

If all he had done wrong was to continue to advocate conventional wisdom about securing access points I would have been willing to give him a pass. Then he repeats and reinforces the fallacy that physically wired networks were significantly safer because it was harder to eavesdrop or disrupt them. The author states this belief as common among network admins, but does not discredit it. The author (and the strawman admins he criticizes) must not be aware of the many ways that wired network physical layers are available to attackers, from mis-configured switches, through fiber cuts, all the way out to TEMPEST. This pernicious idea, and the related myth of protection provided by switched networks, are quite neatly refuted in Chapter One's essay. Unfortunately his discussion of the problem of public WiFi security and his proposed solution show that he misunderstands some of the fundamental technologies (or more charitably, he declined to discuss them in this piece).

It's particularly frustrating because he comes so close to it in his explanation of why users ignore security warnings (such as those about certificate validation). In fact he uses his parents as examples of this well-demonstrated fact before deciding that the solution to the man in the middle attack vectors inherent in common SSL/TLS usage is to ... use the same technology to validate WiFi routers! Not only is this idea dumb, and possibly unimplementable, but it goes against the technical arguments he has already done a good job of presenting: users don't understand how SSL/TLS encryption and authentication work and so don't understand the significance of certificate validation errors. They would never be able to do any better with AP Certificates than they have with Web(mail) certificates and creating false trust is precisely the problem with SSL as it is used now! This would make things much worse if it were ever implemented.

The heresy inherent in this is that he suggests we rely on the existing CA system, which does not provide adequate security or function well for most users and organizations, for securing WiFi access as well. The CA system has been proven time and again to be full of holes, from private individuals getting Verisign certificates as Microsoft ™ Corp to legitimate organizations failing to renew vital certificates on time. It has also been shown by countless researchers and hobbyists that the certificate vendors do no worthwhile verification of applicants for certificates, other than charge their card every year. And that's without even mentioning certificate revocation, two-way authentication, or any number of other parts of the SSL trust model that flat out do not work or are not used. Or the most recent in a long series of vulnerabilities in SSL implementations, the null character problems demonstrated at the BlackHat 2009 show.

This is worse than the wrongheaded notions that have Mozilla Firefox (and other) developers adding "features" to their products to annoy people who legitimately need to use certificates not created by an official (pay) CA. It was and is reasonable to show a warning, particularly if it is configurable, but the obnoxious, now infamous "traffic cop" interruption is just irritating and gets in the way of many people who use the web for work (these issues have been discussed at length in other fora). And the essay author seems to advocate this sort of nonsense for WiFi access. I guess this is for "paid WiFi access", a concept I have always looked at with great skepticism. It won't help, and it might make things worse.

So, a good explanation of some of the risks inherent in WiFi access for personal and business use? Yes! Unfortunately it is mixed in with promulgation of superstition and bad advice. Perhaps a shorter edit of the essay with most of the rubbish removed would fare better.

ETA: Some edits suggested by helpful folks on #linuxchix. New links for SSL null bug at BlackHat 2009, Switch hardening ideas, some rewriting and typos.

Tags: beautiful_security, wifi
