[Full-Disclosure] Wireless ISPs
Xavier Beaudouin
kiwi at oav.net
Wed May 12 12:09:22 BST 2004
Hi Brian and Dan,
> Sit down sometime inside a wireless ISPs area and run
> kismet. You can see someone connect to a service via
> SSL, then immediately after they purchase something
> they check the email. Guess what ? the Credit card #
> and address are in that email.
Yeah...
There is 2 problems :
- one is from purchase site that *should*not* send any
credit card number on email
- one is the way people gets mails
On the second hand, there is some way to fix that :
pop3-ssl
imap-ssl
Why ISP don't provide such way to get mail ? FYI I do such setup on my
servers for more than 4 year since it is implemented on lots of MUAs
included from some from a redmont software producers.
Yes, using encrypted connections is not the solution, but can help...
Also have some SMTP server that allow STARTTLS, are good starting point
about security...
If you are paranoid, like I am, you can also use : WEP + IPsec... that
with encrypted connection (ssh, pop3-ssl, imap-ssl, smtp+tls) will give
you more confident about your network....
People that don't use that are, IMHO, just non aware of the possibility
that their data can be stolen without any intrusion.
/Xavier
--
Xavier Beaudouin - Unix System Administrator & Projects Leader.
President of Kazar Organization : http://www.kazar.net/
Please visit http://caudium.net/, home of Caudium & Camas projects
Full-Disclosure is hosted and sponsored by Secunia.