#1
Hi,
I'm considering becoming a 'whishero', but there is something I need to know first. My impression is that whisher is redistributing the WEP/WPA key to whisheros to be able to connect to the AP. Is that true? What if I change the WEP/WPA key of my access point?
Cheers, intrax
#2
Quote:
This provides a convenient way to share your hotspot with your neighbors and friends, without revealing your secret key, or even having to remember it each time. Whisher may provide an automatic service in the future where it can change your key periodically for increased safety. If you access your wifi AP and manually change the key, then Whishers will not be able to access it any more. They will have the old key, which no longer works. You would need to use Whisher to connect to your AP using the new key, and update your registration. Whishers will then need to update their location files through some other internet connection before they can return to your hotspot.
__________________
Fonero, Dreamer, Whisher, Moderator
#3
This is exactly as I feared, because it presents a huge security risk once the whisher client has been compromised and the encryption keys of the 'whisheros' are revealed. You know it will be only a matter of time until someone succeeds in cracking the client, as this poses a very nice hacking challenge indeed...
A hacked whishero AP will be a big security risk as it gives access to a private SSID, and then the private LAN will be 'up for grabs' as there is no second line of defence like the separate subnet for foneros on the fonera. This can be seen as a major flaw in whisher's 'offering', where added value is anyway terribly hard to spot, as I can share my AP key with my buddies anyhow and we can always chat and collaborate through existing internet services.
If I let totally strange 'whisheros' use the AP there is always a security risk, as misuse of IP identity on the internet can get me into serious trouble, but the same can be said of the fon idea.
My conclusion is that the risk/reward balance is tipping the scales in the 'wrong' direction for services like fon and whisher, and their offerings will be only visible for the next 6-12 months as mobile internet access prices will come down dramatically and the need for a service like fon's/whisher's will decrease rapidly.
Good luck to all whisheros, I will pass....
#4
Can you please clarify this important point.
If I use an AP with the client and decide not to share it - does the key I entered into the Whisher client get uploaded to Whisher or not? Is it possible that an encrypted version is downloaded to another Whisher client? If this does not happen then the point made in the previous post is irrelevant - if I get in with a hacked key or an encrypted key to someone willing to share makes no difference surely to what I can do when connected? On the other hand if my private key I have chosen to keep private has been passed elsewhere encrypted or not without my knowledge would, IMHO, be a violation of trust.
#5
If you feel someone is abusing your Whisher hotspot, you could set a ban on his login, manually block his MAC address in your AP admin, then change and reregister your AP encryption key. This may not stop a determined hacker for long, but it may be best to not run a public hotspot if you cannot sustain a little abuse.
You could still use Whisher in "buddies only" mode; then a hacker would have to fake your buddy's MAC address, get the new encryption key, then guess your buddy's nickname and login credentials. Since Whisher hotspots are always encrypted, Airsnorting would not work, unless your buddy had been compromised at some other hotspot. A hacker would literally have to stalk your buddy in order to regain access at your hotspot!
__________________
Fonero, Dreamer, Whisher, Moderator
#6
AustinTx
With respect you have not answered my question. Does the Whisher client:
1) Upload the key of an AP you have chosen not to share?
2) Download that encrypted copy to another Whisher client?
Permissions as to what Whisher or a second client may or may not do with an encrypted key to a public hotspot is not the question here. If Whisher does not upload or download a private key then there is no issue. There is no way it can be compromised via Whisher. Can you confirm this is the position?
#7
Quote:
Since the Whisher Client will store connection profiles for any hotspots it has been used to connect to, it is fair to say that it probably stores your key locally. I imagine that Whisher does the right thing, and doesn't upload information it has no invitation to.
__________________
Fonero, Dreamer, Whisher, Moderator
#8
Quote:
Quote:
Quote:
As I have mentioned in other threads, we don't pretend to force people to share. If you are -so- concerned about the safety of your network, you should not share at all, not even with a Fonera. Have you audited their entire code base to make sure it cannot be compromised somehow? I find the use of the serial number of the router as the WPA key kind of intriguing, from a security point of view. Of course, the first thing everyone will do is change that, as we all know....
Looking forward to your comments, best regards, Mike
__________________
In God we trust, all others we monitor
#9
Thanks all for your replies...
Quote:
Quote:
Good luck all whisheros!
#10
Quote:
One attraction of Whisher is to have one login client for all APs one may wish to connect to. Indeed I sense that the Whisher client actively supplants the other connection clients. Hence a Whisher client will be able to connect to a mixture of public hotspots provided by others and one's shared APs which, as AustinTx rightly pointed out, you are willing to take the risk involved. I have no problem with that.
However, that would for me and others include the SSIDs & network keys of secure corporate networks which should not be shared with anyone. Including Whisher Central. If one cannot be sure of this then one cannot allow the Whisher client onto the same PC and claim to be secure. I think we need clarification here.
It would all give us some sense of what is going on if, when one enters the key, there is a confirmatory box that it is not being transferred - and, if one chooses to share access in any way - a warning is given that to confirm will mean an encrypted copy of the key will be transferred. Then we all know the position. Otherwise you are open to the accusation of harvesting keys without the knowledge or permission of the owners. This would conflict with the spyware claim.
If you gather sensitive information you cannot stop it leaking out solely by encryption control at the client end. Most security breaches are done at HQ or by the developers. You might not have many disaffected employees/contractors now - but if you grow and are successful - they are, sadly, a near certainty in the future.
I know this is a difficult subject and I'm not so concerned with what an early beta does (working at all is usually the prime objective I hope to remain a critical friend ...