[isf-wifidog] Sniffing out the wifidog network!!!

acv acv at miniguru.ca
Mon Feb 22 12:37:57 EST 2010


Sniffing is a non-issue if the Auth server runs SSL. This was part of the
original design expectations for the security model. The only thing
supposed to be sent in Plain Text is the authentication Token, which is a
nonce.

Alex

On Mon, Feb 22, 2010 at 12:08:42PM -0500, Pierre-Luc Bacon wrote:
> Date: Mon, 22 Feb 2010 12:08:42 -0500
> From: Pierre-Luc Bacon <pierrelucbacon at aqra.ca>
> To: WiFiDog Captive Portal <wifidog at listes.ilesansfil.org>
> Subject: Re: [isf-wifidog] Sniffing out the wifidog network!!!
> 
> Strong security or authentication never has been a major point of
> interest for the Wifidog project. It sure is, but we don't aim at just
> being a simple authentication gateway. More sophisticated solutions
> already exist outside of Wifidog (WPA2 enterprise + radius for
> example).
> 
> On Sun, Feb 21, 2010 at 5:19 PM, Jean-Philippe Menil
> <jean-philippe.menil at univ-nantes.fr> wrote:
> > Arya Mazaheri wrote:
> >>
> >> Hi there,
> >> I've been running wifidog for a while. As a security check, I decided to sniff out
> >> my network to see the possible vulnerabilities. After doing that, I found
> >> that there is a very bad security vulnerability. Every user who wants to
> >> authenticate to the wifidog portal, his/her username and password can be sniffed
> >> easily and hijacked!
> >> The user's authentication is performed by an LDAP directory and SSL is
> >> running on the portal, but it still has the problem.
> >>  Any idea?...
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> WiFiDog mailing list
> >> WiFiDog at listes.ilesansfil.org
> >> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >
> > Hi,
> >
> > Theoretically, the communication between your LDAP and the auth server isn't
> > on the same network segment as your users.
> > So, I don't see how it can be possible to sniff anything concerning
> > passwords.
> > By the way, you can easily implement the LDAPS protocol in your LDAP server.
> >
> > Can you provide more elements of your situation?
> >
> > Regards.
> >
> >
> 
> 
> 
> -- 
> Pierre-Luc Bacon
> http://pierrelucbacon.com/