[Discuss] comcast wifi question

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Eric Chadbourne
> 
> I do not think that is accurate.  Probably nobody around me knows my wifi
> password.  Cracking wifi is hard. Not like it used to be. Try it sometime.

In the old days of WEP, they just simply screwed up all the crypto.  In the modern days of WPA2 based on passwords - the weak point is the password.  You can brute force guess passwords millions per second, which means the password itself needs to have something on par with >100 bits of entropy to withstand the brute force hack.  While this is distinctly possible, it's definitely unusual.

If instead you're doing cert-based authentication, WPA2 Enterprise / EAP/TLS and similar, then modern wifi is very strong.


> Let me change the question to, if I access an evil access point will my vpn
> protect me from their mnm / DNS crackery?

Depends on their form of attack.  If they have control of a CA trusted by your VPN client, then they can still attack you.  And without any additional effort, I'll just say, they can probably come up with some additional attacks - but they are mostly kind of obscure and/or difficult.

For example, if you were using a Linux client, and have not patched shellshock, then before your VPN is even connected, they can already own you.  Perhaps some other similar attacks might exist.  And of course, lots of services (your mail client, dropbox client, etc) will automatically connect to the internet as soon as  a connection is available.  You might have to take care to connect your VPN before any automated services have the possibility of trying to use the internet...