13

Is it possible that the network administrator (WPA2 Wi-Fi network) can log all the data the users send and then get the password out of it?

I know it is not possible to get the password if I'm surfing with https but what if I only use http pages?

M'vy
hanssii

3 Answers

16

On any Wi-Fi network - encrypted or not, given today's Wi-Fi encryption protocols - any sufficiently skilled and equipped user of the network (and especially the network administrator) could easily access any data you transmit or receive via cleartext protocols. This includes usernames and passwords as well as web pages, documents, and other data sent or obtained via http, ftp, telnet, etc.

For open networks, gathering cleartext data is as easy as sniffing the traffic in the air. WEP security adds a slight barrier, but is still easily decipherable by even unauthenticated users.

WPA and WPA2 require a good bit more computational power for outsiders to crack, and much more time. For these, an attacker would most likely monitor traffic for a while and then take the data home for offline cracking. As with just about any cryptography, brute force will always win if given enough time. With WPA and WPA2, that just means a lot of time.

There are side-channel attacks to WPA and WPA2 though. Currently, the Wi-Fi Protected Setup (or similar) features in most SOHO routers have a weakness that will allow an attacker to gain access to your network in fairly short time. Once they've cracked your key through this method, they can join the network like any other user (provided you don't have other protections - most of which are trivially bypassable - in place).

For WPA and WPA2, there are known weaknesses that allow authenticated users (or attackers who have broken into the network) to sniff traffic as if it were unprotected. At this point, the only defense you have is encryption at higher levels of the network stack (i.e.: HTTPS). Even then, many of these higher-level protocols can be subjected to man-in-the-middle (MitM) attacks if the victim is less than vigilant in verifying their SSL certificates (or the attacker has a certificate from a compromised CA).

The only real additional threat that a malicious network administrator would pose is that they have access to the wired side of the network also. On the wire, traffic is not protected by the same encryption (WEP/WPA/WPA2) that applies to the wireless connection. Anyone on the wire could then sniff your traffic as if it had been sent across an open (unprotected) network on the air.

Iszi
  • And what if I use a VPN? – hanssii Sep 08 '11 at 17:41
  • 4
    @hanssii - Then you're no longer using a cleartext protocol, as far as the local network is concerned. However, any data you send over http, ftp, etc. is now instead at the mercy of the administrators of whatever network you've VPNed to. – Iszi Sep 08 '11 at 17:42
  • 3
    I think the comments about WPA and WPA2 are potentially misleading. Saying that they are crackable with sufficient computational power, while accurate in principle, may be misleading: as far as I know, if the password is unguessable, the amount of computational power required may exceed your expected life expectancy, or that of the universe. The known weaknesses in WPA2 (and, I presume, WPA) apply primarily if the attacker knows the crypto key: if the attacker doesn't know the keys, the password is strong, and the router doesn't have the WPS vulnerability, WPA2 is hard to crack. – D.W. Mar 12 '12 at 22:35
  • 1
    @D.W. Your statements are correct. However, the question was asking particularly if the *network administrator* may be able to sniff encrypted WiFi traffic. The network admin, by virtue of his role, will most likely have the PSK. Therefore he (as well as any other user joined to the WiFi network, and therefore also in possession of the PSK) will be able to take advantage of the WPA/WPA2 weaknesses I've mentioned. – Iszi Jul 23 '13 at 18:14
  • Is it possible to sniff a WPA2 protected wi-fi when you're not a user of it? – galmeida Jul 15 '17 at 01:15
5

Iszi has good points on cleartext protocols, however you can still attack as MITM if the user is using HTTPS.

For example if the administrator terminates the HTTPS on his side and you accept his faulty certificate, the administrator can then decrypt and view your requests in plaintext.

Tools like SSLStrip can also be useful when attacking HTTPS as MITM. The only difference for the user is usually that a supposed HTTPS site is instead provided as HTTP. Would you notice?

Chris Dale
0

I know it is not possible to get the password if I'm surfing with https ...

It is not possible if you only use authorized certificates. If you don't use these, there can be a man-in-the-middle, who just passes his SSL certificate to you and reads all of the encrypted connection.

Tomas
  • 1
    Or if someone hacks one of the trusted root CAs. But that's unlikely to happen; at least not more often than every 6 months or so. (yup, DigiNotar's fake *.google.com certificates appeared "authorized"; and there was Comodo before that, and Etisalat) Unfortunately, even "valid", signed by a trusted root CA SSL certificates are no guarantee of a secure connection nowadays. – Piskvor left the building Sep 09 '11 at 12:51
  • @Piskvor - yes, this is a fundamental weakness in `https` (having to trust random CAs)--guaranteed security doesn't exist. However, you should recognize that the server at the other end of the `https` connection is often an easier target than getting a trusted root CA certificate. (E.g., the attacker pays an admin to copy the actual certificate from `/etc/ssl/private/`, which is then used in the MITM attack). However, the nice thing is that to get the certificate the attacker must have gotten root on their server and probably could get your private data off of it already. – dr jimbob Mar 12 '12 at 17:57
  • @dr jimbob: Sure, subverting an individual server *should* be harder than subverting a CA. – Piskvor left the building Mar 12 '12 at 19:50