SSL, WIFI and Google apps question in Wireless Security

SSL, WIFI and Google apps question in Wireless Security http://www.dslreports.com/forum/r20694175 en Fri, 09 Jan 2009 07:13:13 EDT Fri, 09 Jan 2009 07:13:13 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20703206 anon : Google's rouge employee or CIA or even Devil himself are powerless! I have to remember my private key, google account password and keep my pc virus and spy-mal-ware free.

Brilliant :)]]> http://www.dslreports.com/forum/remark,20703206 Thu, 26 Jun 2008 15:02:34 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20703191 anon : Firefox 3 support is on, finally!

Yes, I believe extension like firegpg is exactly what I was looking for!

Please correct me if I'm mistaken, but I can store encrypted Google calendar records. When I'm in need to read my calendar I just have to log in and decrypt it. Remarkable, the only way to steel my data is a soft vulnerability. Or some ironing, surely.]]> http://www.dslreports.com/forum/remark,20703191 Thu, 26 Jun 2008 14:58:39 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20703003 nwrickert : Are you referring to the firegpg extension?
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14]]> http://www.dslreports.com/forum/remark,20703003 Thu, 26 Jun 2008 14:21:28 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20702811 anon : Thanks guys, let the force be with you

I dream about magic - the pgp encryption/decryption addon to Firefox so I can use Google apps with no fear.]]> http://www.dslreports.com/forum/remark,20702811 Thu, 26 Jun 2008 13:43:53 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20699180 cleckjr : I always wear my tinfoil hat when using WiFi networks ... :D .. that offers the most protection.

I think everything that is being said is good information, but ...

There is being paranoid and then there is being PARANOID.

I feel you have to find what works for you and follow simple steps to be safe.

tin foil hat

]]> http://www.dslreports.com/forum/remark,20699180 Wed, 25 Jun 2008 19:21:21 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20698314 docrice : In my opinion, if you're using SSL / TLS when connecting to sites with sensitive information, your data is going to be ok *in general* (at least during transit from your machine to the server). However, you're still reliant on the fact that the provider (in your case, Google) could be in a position to publicize / sell your information, Google itself may be compromised, a rogue employee may steal your info, etc.. Of course, it seems unlikely Google would get cracked. There's no perfect security.

There's all kind of fear spread around about technological security measures / countermeasures. While it's true that surfing on insecure Wi-Fi networks has a certain amount of risk, so does working on a "secure" network. For example, can you trust the admins of the network? How about the software powering that network? Are you sure that the Cisco router acting as the gateway on the network isn't running an old version of IOS that has some huge holes in it? How about the operating system you're running or the applications that are installed on it - are you sure it's bug-free? I've seen reports on the Bugtraq mailing list about how a lot of security software itself has some remotely-exploitable issues.

In a nutshell, you can't expect absolute security. Like in the real world, there's never a super-secure state that's also simultaneously practical in general. Even if you live in a good / safe neighborhood, you can still get hit by a car. We folks in the computer security world are pessimists, but that's our job. We'll provide plenty of warnings because we want you to be aware that there are risks. It's up to you to determine what the risk / reward ratio is, and that's only possible through understanding the underlying layers of the moving parts that are involved.

Probably not the answer you're looking for, as I'm trying to be generalized in conveying network security concerns.]]> http://www.dslreports.com/forum/remark,20698314 Wed, 25 Jun 2008 16:41:30 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20698119 anon : slashdot gave me a pretty creepy feeling about data over the internet

I'm with my laptop and always on WIFI networks I can't trust. If all my data online then I don't have to worry about loosing my lap or using vulnerable soft (except OS, drivers, browser, firewall and av).

But with all that security-over-internet info I'm shocked and have no idea what to do. Maybe you have some idea what direction is wise to take...

the main goal is to read/write (sometimes over internet, in case of mail and maybe calendar) small amounts of data many times a day over insecure network]]> http://www.dslreports.com/forum/remark,20698119 Wed, 25 Jun 2008 16:05:08 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20697922 docrice : Just because something is secured by a "128-bit" or "1024-bit" key doesn't necessarily mean it's secure. What type of crypto is being utilized? What kind of algorithm is being used? What is the source of entropy used in the keying sequence given the specific implementation? If multiple ciphers are available to choose from during the negotiation, how can you be sure that the strongest one was chosen? Etc., etc..

So, there's no simple answer without some known specifics.

Regarding your firewall, etc., that's another set of problems designed to counter machine-specific attacks, not necessarily traffic over the network. That's a whole 'nother subject in itself.

There are always threats and the truth is you're never going to be 100% protected in a public environment. MITM attacks, etc., will always be there. While your e-mail traffic is secure from your browser to the web server, your DNS lookups, NetBIOS name / browser / session services, etc. are leaking out your system information in clear text. It's a matter of minimizing the risk to what's practical and acceptable. Take a look at this Slashdot thread for some more insight:

»it.slashdot.org/article.pl?sid=0···/2345223]]> http://www.dslreports.com/forum/remark,20697922 Wed, 25 Jun 2008 15:25:23 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20697716 anon : I was confused by not knowing what is asymmetric cryptography

Now it all makes perfect sense, thanks a lot!

Google uses one private key for all gmail customers, correct?

How long it will take to decrypt 128 bit encrypted data? It's much eraser for CIA to ask Google for data then decrypting it but how strong the encryption will be against extremely good hackers?

I have a firewall and antivirus installed and configured. Windows XP SP3 with auto update.
Should I be afraid of man in the middle attack? Since all sensitive communications are encrypted (mail, IM etc) I see no threat using unsecured WIFI networks.]]> http://www.dslreports.com/forum/remark,20697716 Wed, 25 Jun 2008 14:44:01 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20695425 docrice : An SSL handshake goes through a cipher capabilities enumeration, following by the key negotiation using public information in the certificate(s), and results in a symmetric session key. What makes SSL / TLS work is the asymmetrical properties via private / public key pairs. If you use one to encrypt, you must use the other to decrypt. This offers crypto possibilities where one can verify that a certificate was indeed generated by a trusted CA, etc.. The private key is never exposed to the public. If the private key is compromised, then the certificate must be added onto a certificate revocation list (CRL) and a new private / public key pair generated and new cert assigned to the server from the signing authority.

The intricacies of SSL are a bit complicated to discuss in a forum such as this. I suggest reading up on here:

»en.wikipedia.org/wiki/Secure_Sockets_Layer
»en.wikipedia.org/wiki/Public-key···tography]]> http://www.dslreports.com/forum/remark,20695425 Wed, 25 Jun 2008 04:46:41 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20695367 anon : nwrickert's

Firefox generates a random enc key based on key provided by Google. That random enc key is used later to encrypt all communications between server and client. Please correct me, it looks simple but wrong.

In order to decrypt the Firefox's key Google uses the key which was used before by Firefox for encryption, which was originally received from Google's certificate.

Please tell me I'm lost somewhere. If I'm not, it will mean that the attacker just have to obtain Google's key from certificate and decrypt the Firefox's key. Then use this key to decrypt sniffed data.

What's the Google's corresponding private key? As I know, you can decrypt something ONLY using a key which was used to encrypt that something. And that key is public, provided by Google, so there's nothing private left.]]> http://www.dslreports.com/forum/remark,20695367 Wed, 25 Jun 2008 04:07:11 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20695191 nwrickert :

Gmail sends me encrypted data and FireFox decrypts it. But how FireFox knows the decryption code?

This depends on public key encryption. Firefox sees the certificate that google offers, and verifies it (I'll skip the details on that). That certificate contains a public key. Firefox generates a random encryption key, and sends that to google, encrypted with the public key from the certificate. Google, but nobody else (we hope) has the corresponding private key. So only google can decrypt that message containing your random key. Thereafter, the session switches to standard symmetric encryption using the key that firefox sent to google.

That's standard SSL, perhaps a bit over simplified.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14]]> http://www.dslreports.com/forum/remark,20695191 Wed, 25 Jun 2008 01:55:47 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20694998 docrice : The "decryption code" you're referring to is the SSL / TLS software that exists in the application and / or the operating system. It's nothing specific to Google. The only element which is specific to Google is the certificate used by Google which is signed by a signing authority listed in your Trusted Root Certificate Store within your Certificate Manager / certmgr.msc (I'm assuming you're using Windows).

While data within an SSL / TLS stream may be regarded as safe from third-parties during transit, your system typically doesn't encrypt all data flowing out of your interface. For example, DNS requests, certificate information while your SSL session is being set up, etc..

If you're curious to know what others can see, I suggest sniffing your own interface with Wireshark and WinPCap.]]> http://www.dslreports.com/forum/remark,20694998 Wed, 25 Jun 2008 00:40:03 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20694707 anon : So if I send or receive data via unsecured WIFI network, then this data can be sniffed, right? If I receive an email and it's unencrypted, then anyone with sniffer can read it.

But if I send or receive data via unsecured WIFI network BUT with https encryption (happens when I type »https://gmail.com) then anyone wilth sniffer can read it, but cannot understand because of encryption. So my data is safe, correct?

Let's say I requested gmail.com to view my email via https. Gmail sends me encrypted data and FireFox decrypts it. But how FireFox knows the decryption code? Did Gmail give FireFox that code before sending my encrypted email?]]> http://www.dslreports.com/forum/remark,20694707 Tue, 24 Jun 2008 23:30:17 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20694546 anon :

quote:
If you are using "https:", then data sent on that connection is encrypted, so there is no need for concern that your packets will be sniffed in transit.

Actually, I don't think that's entirely true. I believe you're still vulnerable to man-in-the-middle attacks. But to my understanding, I think you're okay unless you accept fake certificates.

A lot of your data goes through the air in plain text when on an unsecured wireless network.

I don't believe you should do anything with sensitive data on any untrusted network, let alone some random unsecure wireless networks. ]]> http://www.dslreports.com/forum/remark,20694546 Tue, 24 Jun 2008 22:56:33 EDT Re: SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20694238 nwrickert : If you are using untrusted WiFi, or an untrusted wired network for that matter, make sure you are not allowing network access to your file system and turn on the XP firewall or some other firewall that restricts external access.

If you are using "https:", then data sent on that connection is encrypted, so there is no need for concern that your packets will be sniffed in transit.

As to whether you can trust the destination - google in this case - you will have to decide that for yourself. I don't have any problem with google, but then I am not sending any sensitive data to them.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14]]> http://www.dslreports.com/forum/remark,20694238 Tue, 24 Jun 2008 21:57:30 EDT SSL, WIFI and Google apps question http://www.dslreports.com/forum/remark,20694175 anon : Hi

I would highly appreciate you to clear some of my questions.

My typical situation is: I connect to unsecured WIFI network with my laptop. Then open google apps with »https:// on Firefox 3 and do stuff. All passwords typed by hand.

My data is very sensitive.

I wonder, how secure it is?

1) How secure it is to be on unsecured WIFI network (the one I can connect without password)?
2) How secure it is to work with google apps via »https://? In combination with unsecured WIFI network, what is the worst case scenario?
3) How secure it is to use google apps? The only thing I have to worry about is my google password, is it?

Thank you.]]> http://www.dslreports.com/forum/remark,20694175 Tue, 24 Jun 2008 21:46:21 EDT