
Re: meeting ietf-legacy ssid

2017-07-13 08:53:58

Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
    >> o don't care as their threat model sees runnin' nekkid over the air as
    >> not a significant additional weakness, or
    >> 
    >> o believe that they are using sufficient encryption at higher layers
    >> to meet their needs, or

    > Given that it is likely that at least one of the 1200
    > open-participation IETF meeting attendees -- all of whom have access to
    > the WiFi password -- sometimes indulges in bad actor behavior, then it
    > might be worth clarifying exactly what the incremental benefit is, in
    > having WiFi encryption, if one is already using TLS liberally.

My understanding is that with our use of the EAP-TLS method, even with unverified
certificates, each attendee's device winds up generating a different "WEP"
key at the L2 level.  This means that attendees cannot sniff each other's
traffic.
Without this, simple TCP RST attacks are trivial on TLS connections.

I don't know if we are enabling client isolation at the wifi level.
If we aren't then one could do ARP or RA impersonation, and my laptop could
convince your laptop to use me as a router, giving me access to your
unencrypted traffic.

Having said all that, I find wifi security to be generally a waste of time.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on rails    [ 
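The message above notes that without client isolation an attendee could use ARP or IPv6 Router Advertisement impersonation to pull another station's traffic through their own machine. The script below is an added example, not part of the thread and not IETF NOC tooling: it runs the kind of checks an arpwatch-style monitor on the access point or controller side would run over parsed layer-2 events, flagging an IP that flips between MACs, a non-router MAC answering for the gateway address, and an RA from a MAC that is not on the router allowlist. The event records, the allowlist MACs and the addresses are all constructed for the example.

```python
"""Flag ARP and IPv6 Router Advertisement events that look like impersonation.

Constructed example for the thread above; the records below stand in for
what a sniffer or controller log export would give after parsing.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class L2Event:
    ts: float       # seconds since capture start
    kind: str       # "arp_reply" or "ra" (IPv6 Router Advertisement)
    src_mac: str    # hardware address the frame claims to come from
    ip: str         # ARP: the IP the MAC claims; RA: link-local source of the RA


# Constructed allowlist (assumption for the example): the real gateway's MAC
# and the IPv4/IPv6 addresses it legitimately answers for.
KNOWN_ROUTERS = {"00:11:22:33:44:01"}
GATEWAY_IPS = {"10.0.0.1", "fe80::1"}


def detect_impersonation(events: Iterable[L2Event],
                         known_routers=KNOWN_ROUTERS,
                         gateway_ips=GATEWAY_IPS) -> List[Tuple[float, str, str]]:
    """Return (ts, reason, detail) alerts, in time order.

    Three checks, each a symptom of the layer-2 tricks the message describes:
      gateway-claim    an ARP reply for a gateway IP from a MAC that is not a known router
      ip-mac-conflict  an IP already bound to one MAC now answered for by another
      rogue-ra         a Router Advertisement from a MAC that is not a known router
    """
    alerts = []
    ip_to_mac = {}   # last MAC seen claiming each IP (an arpwatch-style table)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "arp_reply":
            if ev.ip in gateway_ips and ev.src_mac not in known_routers:
                alerts.append((ev.ts, "gateway-claim",
                               f"{ev.src_mac} answers for gateway {ev.ip}"))
            prev = ip_to_mac.get(ev.ip)
            if prev is not None and prev != ev.src_mac:
                alerts.append((ev.ts, "ip-mac-conflict",
                               f"{ev.ip} moved from {prev} to {ev.src_mac}"))
            ip_to_mac[ev.ip] = ev.src_mac   # track the latest claim so flip-flops keep alerting
        elif ev.kind == "ra":
            if ev.src_mac not in known_routers:
                alerts.append((ev.ts, "rogue-ra",
                               f"RA from {ev.src_mac} ({ev.ip})"))
    return alerts


# Constructed sample capture: a legitimate gateway, an ordinary laptop, then a
# second station answering for the gateway IP and sending its own RA.
SAMPLE_EVENTS = [
    L2Event(0.0, "arp_reply", "00:11:22:33:44:01", "10.0.0.1"),    # real gateway answers
    L2Event(1.0, "arp_reply", "aa:bb:cc:dd:ee:10", "10.0.0.42"),   # ordinary attendee laptop
    L2Event(2.0, "ra",        "00:11:22:33:44:01", "fe80::1"),     # legitimate RA
    L2Event(5.0, "arp_reply", "aa:bb:cc:dd:ee:99", "10.0.0.1"),    # another MAC claims the gateway
    L2Event(6.0, "ra",        "aa:bb:cc:dd:ee:99", "fe80::99"),    # RA from a non-router MAC
    L2Event(7.0, "arp_reply", "aa:bb:cc:dd:ee:10", "10.0.0.42"),   # same binding again, no alert
]


if __name__ == "__main__":
    for ts, reason, detail in detect_impersonation(SAMPLE_EVENTS):
        print(f"t={ts:5.1f}  {reason:16s}  {detail}")
```

Because per-client keys mean an ordinary station only sees its own frames, a check like this has to run where the frames are visible in the clear, on the AP or controller, or on a wired span port behind it; the mitigation the message alludes to, client isolation on the access point, removes the path rather than merely detecting its use.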