Theme

Welcome · log in · join	food

	All Forums		Hot Topics		Gallery

Search similar:

Forums → US ISPs cable →

Comcast XFINITY → [WiFi] xfinitywifi security

uniqs
3609

« [NEWS] Listen as Comcast Simply Refuses to Let You Cancel Service • [Caps] Nashville usage meter down? »

ouroborus @134.134.139.x	ouroborus Anon 2014-Jul-15 6:33 pm [WiFi] xfinitywifi security I've read up on the process of connecting to an "xfinitywifi" hotspot ( »customer.comcast.com/hel ··· oConnect ) and I have to wonder if this is something that should be avoided. The process involves connecting to what appears to be an unsecured AP named "xfinitywifi" and then using your browser to fill out a form with your Comcast username and password. It seems like somebody could setup a wifi AP with such a name and there is software out there (for setting up wifi pay walls) that could be repurposed to look like the normal xfinitywifi sign in and used to log account usernames and passwords. (Never mind if it actually connects the user or not. There's a note in the instructions that says it can take a couple hours to kick in. Users can be encouraged to assume there's a technical difficulty.) There doesn't seem to be a way for your average user (or even a knowledgeable user?) to tell the difference between a legit and fake AP. Comcast does mention something about security but what they talk about sounds like SSL which would be meaningless in the above situation. Am I missing something?
	actions · 2014-Jul-15 6:33 pm ·
telcodad MVM join:2011-09-16 Lincroft, NJ	telcodad MVM 2014-Jul-15 6:40 pm Check out the discussions in the main xfinitywifi thread: »[WiFi] xfinitywifi channel Also see this article: Comcast XFINITY WiFi: Just say no By Michael Horowitz, Computerworld - June 27, 2014 »blogs.computerworld.com/ ··· t-say-no
	actions · 2014-Jul-15 6:40 pm ·
NetFixer From My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU 1 edit	NetFixer to ouroborus Premium Member 2014-Jul-15 7:30 pm to ouroborus said by ouroborus : There doesn't seem to be a way for your average user (or even a knowledgeable user?) to tell the difference between a legit and fake AP. Comcast does mention something about security but what they talk about sounds like SSL which would be meaningless in the above situation. Why would checking the validity of the Xfinity login site's SSL certificate be meaningless? My browser allows me to do that, so what am I missing that you see? EDIT: I forgot to mention that if you actually are brave enough to login, you can further verify that you are connected to a real xvinitywifi hotspot by using this site's »/whois page:
	actions · 2014-Jul-15 7:30 pm ·
train_wreck slow this bird down join:2013-10-04 Antioch, TN Cisco ASA 5506 Cisco DPC3939	train_wreck Member 2014-Jul-15 7:42 pm said by NetFixer: Why would checking the validity of the Xfinity login site's SSL certificate be meaningless? because it's something that most (97-99%) of users won't do or care about. i was thinking about this the other day; how easy would it be to set up a fake access point/captive portal named "xfinitywifi", download the source of a real xfinitywifi captive portal page, and modify it so it collects usernames/passwords. many devices will auto-connect to SSIDs by their name only, and the same account credentials used for xfinitywifi are also used to manage one's actual Comcast account. i agree with the OP (and that other main thread), it's a risk.
	actions · 2014-Jul-15 7:42 pm ·
NetFixer From My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU	NetFixer Premium Member 2014-Jul-15 8:10 pm said by train_wreck: said by NetFixer: Why would checking the validity of the Xfinity login site's SSL certificate be meaningless? because it's something that most (97-99%) of users won't do or care about. Those users are not interested in security in the first place. said by train_wreck: i was thinking about this the other day; how easy would it be to set up a fake access point/captive portal named "xfinitywifi", download the source of a real xfinitywifi captive portal page, and modify it so it collects usernames/passwords. many devices will auto-connect to SSIDs by their name only, and the same account credentials used for xfinitywifi are also used to manage one's actual Comcast account. But you wouldn't have a valid xfinitywifi SSL certificate for your fake hotspot login site, so you would not fool me (or anyone interested in on-line security). Of course, the victims you did attract would be the kind who would not know they had been fleeced in the first place (a definite advantage for the fleecer). Before I retired, I used to do scans at many local hotspots looking for fake SSIDs in order to at least try to protect those customers who did not care/know enough about security to protect themselves. I don't know if Comcast has its own field techs do this (just as they check for signal egress), but they certainly should.
	actions · 2014-Jul-15 8:10 pm ·
train_wreck slow this bird down join:2013-10-04 Antioch, TN Cisco ASA 5506 Cisco DPC3939	train_wreck Member 2014-Jul-15 8:22 pm said by NetFixer: Those users are not interested in security in the first place. doesn't make the situation any better. said by NetFixer: But you wouldn't have a valid xfinitywifi SSL certificate for your fake hotspot login site, so you would not fool me (or anyone interested in on-line security). point taken. said by NetFixer: I don't know if Comcast has its own field techs do this (just as they check for signal egress), but they certainly should. agreed. i think a significant danger is the fact that the same credentials are used for account management; having separate credentials for xfinitywifi logins would at least mitigate that part of the risk. but that would probably make the whole process too complicated for the general public; yet another password to remember. and disregarding that, even though the logon page is SSL encrypted, the actual wifi hotspot itself is using no (open) authentication, if i'm not mistaken. so all of your session's traffic is still being sent in the clear, at least if whatever sites you're connecting to aren't using SSL.
	actions · 2014-Jul-15 8:22 pm ·
NetFixer From My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU	NetFixer Premium Member 2014-Jul-15 8:37 pm said by train_wreck: i think a significant danger is the fact that the same credentials are used for account management; having separate credentials for xfinitywifi logins would at least mitigate that part of the risk. but that would probably make the whole process too complicated for the general public; yet another password to remember. AT&T also requires using your DSL/U-verse credentials to access their public hotspots, and my recollection is that they require using the primary account credentials. Comcast does allow using a secondary account for xfinitywifi access, so you could create a special xfinitywifi secondary account that did not have account management authorization. said by train_wreck: and disregarding that, even though the logon page is SSL encrypted, the actual wifi hotspot itself is using no (open) authentication, if i'm not mistaken. so all of your session's traffic is still being sent in the clear, at least if whatever sites you're connecting to aren't using SSL. That is usually the case at any public hotspot (which is why I usually use a VPN back to my network when using a public hotspot). However, my recollection (from my road warrior days) is that AT&T and T-Mobile both have a special WiFi access client (but only for Windows if my memory is accurate) that does allow a fully encrypted WiFi session. If Comcast has such a utility, I am not aware of it.
	actions · 2014-Jul-15 8:37 pm ·

Forums → US ISPs cable → Comcast XFINITY	« [NEWS] Listen as Comcast Simply Refuses to Let You Cancel Service • [Caps] Nashville usage meter down? »