SSL and PocketPC High Encryption


bigsacattack
11-19-2002, 02:39 PM
This is in regards to 802.11 on a PocketPC2002 device.
Here's a concept that I am wondering about. Say you're using 802.11b with 128-bit WEP. At least you're fending off the first layer of hackers.

Now, if you're web browsing, and you hit an SSL-protected page, like your bank accounts, is this traffic just as secure as SSL on a wired network or what? I would think that this is encryption within encryption. Am I wrong?

Shawn

JoeTampa
12-18-2002, 10:56 PM
Over the wireless, it is indeed double encryption.

nemesis26
12-19-2002, 03:15 AM
Originally posted by JoeTampa
Over the wireless, it is indeed double encryption.

No, not really.

*NO* form of encryption is all that safe using license-exempt spectrum.

Most network perspectives seem to default to a "wired network" mentality and disregard the true physical layer here - which is the *RF*

A sophisticated hacker could just record the binary wireless transmission stream from the client while impostering the SSL Server request, and act as a man-in-the-middle to modify or record transmitted data in real time.

nemesis26
12-19-2002, 03:39 AM
Actually, I'll qualify my prior statement....

If you're in your home running an 802.11 PAN using 128-bit with an AP while accessing your bank account, no worries.

Same scenario at the corporate network.... no worries.

In a popular public environment that is known throughout the community for its open Wi-Fi accessibility, you whip out an 802.11 PDA, and decide to access private information... well, make sure that you don't have a bored hacker around. (Admittedly, such a scenario would not likely even support 128-bit encryption with its AP).

The moral of the story here is.... 2.4GHz is public spectrum. As such, its encrypted transmission can be sniffed by default, and at the very least, a hacker can just play man-in-the-middle of a client/server transmission and butcher the transmitted data.


<Following is a bit off topic:>

Then again, toting a powered-on cordless 2.4GHz phone in one's jacket pocket will kill any hotspot venue..... makes ya wonder how all these "explosive hot spot / disruptive technology" analyst predictions can justify a service platform whose commercial viability can be so easily compromised ;)

JoeTampa
12-19-2002, 09:00 AM
*NO* form of encryption is all that safe using license-exempt spectrum.

And here I disagree with you, but I will say that it is too expensive for the consumer market. My company makes a product for WLAN security that simply will not be hacked for the foreseeable future. Sensitivities to vendor self-promotion being considered here, I'll leave it at that.


Most network perspectives seem to default to a "wired network" mentality and disregard the true physical layer here - which is the *RF*

A sophisticated hacker could just record the binary wireless transmission stream from the client while impostering the SSL Server request, and act as a man-in-the-middle to modify or record transmitted data in real time.

Correct in both points, but the question that was posed concerned if it was or was not doubly encrypted, which it was.

The same mentality exists in the arguments for using 802.1x or IPSec over wireless - two protocols with significant security concerns over an RF physical layer where both sides of the communication are trivial to observe.


Same scenario at the corporate network.... no worries.

Here I must disagree with you again - too many corporations are targets.

nemesis26
12-19-2002, 09:39 AM
Originally posted by JoeTampa
Here I must disagree with you again - too many corporations are targets.

Sure... but in the original scenario - (128-bit encryption over a corporate LAN where one is checking a bank balance, hence transmitting a finite range of data, and where a certificate is only used for a moment of minutes), the confines of one's corporate network would be safe enough.

In regards to "unhackable" WLAN security....

While it is true that it may not be feasible to readily discern the contents of some types of encrypted data (i.e. IPSec, 802.1x), the encrypted stream itself could intrinsically be seen and butchered - merely for the malevolent purpose of causing an inconvenience.

Just curious... is your company using some proprietary form of EAP?

JoeTampa
12-19-2002, 11:50 PM
EAP, encrypted at layer 2 with a prenegotiated session key.

That's an oversimplification, however.