Welcome back to the final 5 weeks of CS4 Programming.
Continue above (no school)
Your Facebook Provide - What I Know About You!
Strategic Cyber Defense
Fiction or reality?
Yes - it is THAT easy!
This is a classic downgrade attack - the user requests HTTPS (secure, encrypted), but the Man-In-The-Middle causes the connection to be downgraded to HTTP (plain text).
Note - the reason for showing you these videos is to demonstrate just how easily these attacks are carried out - but it is just as easy to protect yourself by applying a bit of common sense.
- BEWARE - DOING THIS ON SOMEBODY ELSE'S NETWORK IS ILLEGAL
HTTP Strict Transport Security
HSTS allows a web server to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
The website adds the following to the headers it sends to the web client:
HTTPS: Strict-Transport-Security: max-age=31536000; includeSubDomains;
Note - a Man-In-The-Middle can effectively perform a denial of service attack on any UNENCRYPTED (HTTP) website by inserting the above header into the response sent to the web client. The web client will then obey the instruction and always request HTTPS - if the web server does NOT support HTTPS, everything breaks!
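How a complying browser uses this header to stop the downgrade, as an added example that is not part of the original course page: a minimal model of the browser's HSTS store that parses the header value from an HTTPS response, remembers the host until max-age runs out, and rewrites later http:// requests to https:// before anything leaves the machine. The function and class names, the .test hostnames and the plain-seconds timestamps are constructed for illustration.

```javascript
// Added illustration; names are hypothetical, hosts and times are constructed.
// Parse a Strict-Transport-Security value; null if max-age is missing or bad.
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(";")) {
    const [rawName, rawVal = ""] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name === "") continue; // tolerate a trailing ';'
    if (name === "max-age") {
      const v = rawVal.trim().replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }
  // Record the header from a response that arrived over HTTPS from `host`.
  note(host, headerValue, now) {
    const policy = parseHsts(headerValue);
    if (!policy) return;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.hosts.delete(key); return; } // max-age=0 forgets the host
    this.hosts.set(key, { expires: now + policy.maxAge, includeSubDomains: policy.includeSubDomains });
  }

  // Upgrade an http:// URL when its host, or a parent host that set
  // includeSubDomains, has an unexpired entry. Otherwise return it unchanged.
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol !== "http:") return url;
    const labels = u.hostname.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) {
        u.protocol = "https:";
        return u.toString();
      }
    }
    return url;
  }
}
const demo = new HstsStore();
demo.note("example.test", "max-age=31536000; includeSubDomains;", 0);
console.log(demo.rewrite("http://mail.example.test/inbox", 60));
```

The first visit to a host is not covered: the store is empty until one HTTPS response carrying the header has been seen.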
Creating A More Secure Public WIFI Access Point
- Enable WIFI Client Isolation (http://www.wirelessisolation.com/)
- Force DNS Server to OpenDNS (188.8.131.52, 184.108.40.206 - https://www.opendns.com/)
- Configure Firewall for all traffic from WIFI as follows:
  - Disable ALL local network access (including router)
  - ONLY allow following outgoing ports:
  - Redirect traffic to itself for following ports:
  - Disable ALL other TCP ports
  - Disable ALL UDP ports
    - Normal Internet usage (web browsing, email) only makes use of TCP, which is a stateful protocol - it ensures that both ends are real IP addresses. Normal Internet does NOT use UDP, which is a stateless protocol - a sender can fake their address, and it is therefore often used maliciously. It is therefore a good idea to completely disable all UDP traffic and to only allow TCP.
- Optional - redirect all allowed traffic via VPN or via TOR
More information: http://wiki.openwrt.org/doc/recipes/guest-wlan