4
Let's say I am browsing an HTTP accessible web site (i.e. NOT HTTPS). Is the traffic encrypted through the WiFi connection?
In other words, is there "data privacy" functionality over WiFi - regardless of higher layer protocols?
Update: I am trying to determine if IEEE802.11R is on anyone's radar.
jldupont
Posted 2012-05-04T14:37:43.810
Reputation: 5 524
7
No, there is no inherent "data privacy" in 802.11 wireless networks.
A WiFi connection can, but must not be encrypted. That's not to say it shouldn't be if you care about your data. A simple connection is always unencrypted at the data link level, and packets travelling over the air can be easily sniffed by others within reach of the base station or your WiFi adapter. Plain HTTP traffic is really easy to analyze. You don't need to be a hacker to be able to do that.
A simple encryption method that has originally been defined in the IEEE 802.11 standard is WEP (Wireless Equivalent Privacy), but it has been found to be a very weak encryption technology since its key scheduling algorithm could be easily hacked.
So, given enough time, anybody could crack WEP encryption and therefore sniff packets as if they were unencrypted.
Finally, WPA and WPA2 (Wi-Fi Protected Access) offer a very robust encryption that is likely to protect all data travelling over the air—given that a strong enough password is used. Even if your data is HTTP, another user won't be able to decipher captured packets. Some attacks have been found (involving pre-shared keys, see the link above for more), but they're quite irrelevant these days.
Still, make sure that your password is strong enough, otherwise the only limiting factor for an attacker is time.
There exist network level attacks, such as ARP spoofing and rogue DHCP, that allow other users on the network to convince your computer to route traffic through their device as a proxy. This lets them inspect traffic, even intercepting SSL connections. These work regardless of wireless encryption, and are difficult to defend against on public networks. See this IT Security question
slhck
Posted 2012-05-04T14:37:43.810
Reputation: 182 472
1
Just note that if an attacker somehow manages to obtain your WPA or WPA2 key, it's game over. Anyone with the key can decrypt almost all network traffic, not to mention perform various other attacks (i.e. man-in-the-middle using ARP spoofing). Finally, note that WPA/WPA2 are susceptible to dictionary attacks, so choose an appropriate pass key!
– Breakthrough – 2012-05-04T15:04:09.5501Correct — with anything these days time is the limiting factor. I wonder when GPU-based attacks will come into play. – slhck – 2012-05-04T15:18:13.173
Correct me if im wrong but you can have passwords up to 32 characters. That is (if you use random characters) going to make it too costly to crack. Aka, a dictionary attack wont work, and it would literally be a matter of every combination. 64^32? Or something. – Doomsknight – 2012-05-04T15:59:46.117
A 32 character random password is stronger than a dictionary word, but with this length I doubt cracking either would be a simple task @doo – slhck – 2012-05-04T16:07:02.077
1
Yes, just like any non-encrypted wifi traffic your packets can be analyzed. If you are going through a cellular network then you have more protection, but if anyone has the tools they can read that traffic too.
BloodyIron
Posted 2012-05-04T14:37:43.810
Reputation: 1 981
0
You may use WEP but its privacy is very deprecated. As SLHCK said it is easily hackable as I was able to crack a WEP Encrypted Access Point within 3 minutes on Backtrack And then after you crack it, it is very easy to sniff packets on the air
Backtrack
Posted 2012-05-04T14:37:43.810
Reputation: 15
Build encryption into the application, not the communications network. Assume all communications can be seen, and assume attackers can represent legitimate users. This is the only true way to build a secure application. – Breakthrough – 2012-05-04T15:05:31.233