



6 posts

Wannabe Geek


# 9846 18-Oct-2006 10:58

The current deal where Telecom broadband customers get free access to Telecom Wireless Hotspots till end of '07 is very cool, and I've started using them where convenient, BUT it bothers me that the login-page (where one enters their Telecom username and password, which, in my case, is my broadband login) is an HTTP page. (i.e. clear text form, with no encryption)

It worries me that something fairly sensitive like a Telecom username/password should have to be sent in cleartext over an open, unencrypted, wireless connection.

I called the Telecom Wifi helpdesk, and a helpful chap agreed this wasn't ideal, and that he would pass the message on to the developers.  So here's hoping there will be at least an *option* for "secure login" like there is for xtramail.xtra.co.nz (their "Go to secure mode" link)



290 posts

Ultimate Geek
+1 received by user: 8


  # 48971 18-Oct-2006 13:13

Wow, interesting point. I'm surprised it's not secure because as you say, the username you use for free wireless at the Telecom HotSpots is your Xtra username which is used for more than just your broadband access.

Now although it can't be used on any other line other than the one with broadband, there is that default dial-up plan sitting on the username.

Very strange and a little naive of Telecom... though there surely must be some reasoning behind it? We would hope?

 
 
 
 


188 posts

Master Geek


  # 48972 18-Oct-2006 13:47

I believe you can use other people's login name on your line, my flat uses my dad's broadband login name and my dad uses mine.

2366 posts

Uber Geek
+1 received by user: 13

Trusted
Spark

# 48974 18-Oct-2006 14:26

portege: I believe you can use other people's login name on your line, my flat uses my dad's broadband login name and my dad uses mine.


While this will work, because broadband/DSL is provisioned against the line, the usage is meant to count against the line and as a result this is not achieving anything.








188 posts

Master Geek


  # 48975 18-Oct-2006 15:01

That is correct :)

95 posts

Master Geek
+1 received by user: 3

Trusted

  # 48988 18-Oct-2006 20:14

I brought this problem to them nearly 2 years ago.

Also assigning MAC addresses to logins which would help in lots of ways.


Wonder how long we are going to have to wait for what seems to be obvious upgrades.


Main reason why I'm with Cafenet just to make sure only me check my emails....


Maybe we need to be asking Alcatel to do this...  They may not have deaf ears.

488 posts

Ultimate Geek
+1 received by user: 6


  # 49156 20-Oct-2006 09:36

Wow that is very scary, it would take approximately 2.5 seconds for a script kiddie outside a library with a sniffer to get a password when someone logged on!

And matching to a MAC address wouldn't help that much, another 10 seconds and that same person could have changed their MAC address in Linux....




pɐǝɥ sıɥ uo ƃuıpuɐʇs

 
 
 
 


1420 posts

Uber Geek

Trusted

# 49160 20-Oct-2006 10:15

That is why it is free.


BDFL - Memuneh
63563 posts

Uber Geek
+1 received by user: 14052

Administrator
Trusted
Geekzone
Lifetime subscriber

# 49162 20-Oct-2006 10:26

Good reply Jama, but we know this is not the reason why it's free. You can't just infer that "it's free because it's not secure".

A SSL certificate costs about $250/year these days. Configuration, integration, testing would be another week of IT resources.

All this for the peace of mind of knowing that people using their Xtra login on a Telecom Hotspot wouldn't have to worry about someone reading their e-mails or using their login to change preferences or anything else - like using it on DSL connection or dial-up and clocking up on data traffic charges without the user's knowledge.








488 posts

Ultimate Geek
+1 received by user: 6


  # 49165 20-Oct-2006 10:36

Well do you even need SSL? Why could you just not have wireless protected by WPA?
Then you solve the login issue and anyone reading any other internet access like emails etc




pɐǝɥ sıɥ uo ƃuıpuɐʇs

BDFL - Memuneh
63563 posts

Uber Geek
+1 received by user: 14052

Administrator
Trusted
Geekzone
Lifetime subscriber

# 49167 20-Oct-2006 10:48

Because WPA is for the "physical" link, and some devices do not support it. And some people wouldn't even know how to configure that on their laptops and PDAs.





488 posts

Ultimate Geek
+1 received by user: 6


  # 49172 20-Oct-2006 11:05

freitasm: Because WPA is for the "physical" link, and some devices do not support it. And some people wouldn't even know how to configure that on their laptops and PDAs.



Fair comment I suppose, I know the DSE card in my laptop can't handle WPA but can handle WEP. WEP however is really just an illusion of security, you can crack the encryption if you sniff more than 1 million packets or something like that. Easy if it's a public network.

It would be nice to see an unencrypted network with instructions on how to log into an encrypted network. $$$$




pɐǝɥ sıɥ uo ƃuıpuɐʇs

643 posts

Ultimate Geek


  # 49187 20-Oct-2006 18:07

Take it from someone who has built hotspot routers, software and billing systems. You cannot totally encrypt a hotspot very easily. The nature of them is that you need people to be able to join the network easily so WEP or WPA isn't an option (not without spending megabucks on access points that support multiple ESSIDs, then automating it is another game), but an SSL cert doesn't cost $250 unless you want Thawte or whoever to sign it (rip off - I use cacert.org instead) so Telecom have no excuse for not SSL encrypting the hotspot authentication - all my hotspot systems use SSL and I would call them budget setups.




Sniffing the glue holding the Internet together

22149 posts

Uber Geek
+1 received by user: 4726

Trusted
Subscriber

  # 49835 26-Oct-2006 13:46

I had typed a nice reply, but the damn forum ate it :(

The cost of the cert is not an issue as they could make a self signed one and just install it with some other software. A hotspot locator program would be a useful addition since the only ones I know of are at Starbucks.

Anyway, the bigger problem is that there is no certification that you are connecting to the real hotspot. I could easily deploy a Linux based AP distro with local copies of the splash pages, and why copies of most popular website login pages, then collect people's credentials. I could just hookup a wrt54g in the back of my car and parkup outside Starbucks and slurp away if I was that way inclined.

You could also start up your AP with the same SSID in the locale of users so they roam over to yours, then you can inject crap into pages as they go thru. Could also simply arpspoof the gateway when you are a client on the public AP to get the same result but that may raise alarm bells with the hotspot operator.

All up, they are a huge gaping security hole for the users if someone is determined to screw with them.




Richard rich.ms

Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 5

Mod Emeritus
Trusted
Lifetime subscriber

  # 49840 26-Oct-2006 13:52

Setting up a hotspot to spoof it would be the biggest worry. I have several ideas about how you would *easily* get people to choose to connect to yours instead of the genuine one, though for obvious reasons I am inclined not to make them public.

I would think that TNZ will see this thread and pass it on to the right team, and something be done, and also to have some basic precautions communicated to customers about how to identify that you are securely connected to a legitimate TNZ hotspot before letting any sensitive info pass over the link.






