Security Basics mailing list archives

RE: Dumb question abt. Wireless WEP security 2


From: "Prasad S. Athawale" <athawale () cse Buffalo EDU>
Date: Sun, 25 Jan 2004 13:27:19 -0500


Hi!

As per my understanding, the SSL channel will not be compromised in
case the password is discovered. Of course, in such a case you don't
need to do any kind of sniffing etc.; you can directly log in! But
technically, the 48-byte passphrase used to encrypt the SSL
connection (which uses a pre-determined encryption algo (RSA, DES,
etc.)) is exchanged between the server and the client before the
https connection can be set up.

You can confirm this readily in the very fact that one can have an https
connection set up even before one can log in to provide a
username/password.

HTH
-------------------------------------------------------------
Prasad S. Athawale
Graduate Student
University at Buffalo
-------------------------------------------------------------
'There are 10 kinds of people in this world - those who understand
binary and those who don't.'

-----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Consulting com] 
Sent: Wednesday, January 21, 2004 10:24 PM
To: Paul Kurczaba
Cc: security-basics () securityfocus com
Subject: Re: Dumb question abt. Wireless WEP security 2


hi ya


hi, here's another "dumb" question, if i'm using an unencrypted
wireless access point and oh, doing some online banking that is
encrypted, even if somebody was listening to the wireless part,
wouldn't it still be gobbledygook?

even if it is... they can decrypt in a few seconds if your
password/passphrase is simple dictionary lookups ... "my pet's name
is spot" is not a good passphrase

if you want to know your data is secure ...

        treat it as if you have a "spy" that can read/write anything you
        do and you assume the risk of which is the least risky

ssh/ssl encryption doesn't help if you use insecure passphrases
or an exploitable ssh daemon/clients

(wireless stuff) wep is cracked ...

more wireless fun
        http://www.Linux-Sec.net/Wireless/

btw.. for online banking... geez... you're asking to have $100K from
your bank acct ??? or charged to your credit card ??
        at least use your desktop w/ https for "online banking" ...

<paranoid>
c ya
alvin

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
---------------------------------------------------------------------------





