Telecom Wireless Hotspot - no https login?

Forums › Spark New Zealand (including Skinny and BigPipe) › Telecom Wireless Hotspot - no https login?

ChrisGNZ

6 posts

Wannabe Geek

#9846 18-Oct-2006 10:58

The current deal where Telecom broadband customers get free access to Telecom Wireless Hotspots till end of '07 is very cool, and I've started using them where convenient, BUT it bothers me that the login-page (where one enter's their Telecom username and password, which, in my case, is my broadband login) is an HTTP page. (ie clear text form, with no encryption)

It worries me that something fairly sensitive like a Telecom username/password should have to be sent in cleartext over an open, unencrypted, wireless connection.

I called the Telecom Wifi helpdesk, and a helpful chap agreed this wasn't ideal, and that he would pass the message on to the developers. So here's hoping there will be at least an *option* for "secure login" like there is for xtramail.xtra.co.nz (their "Go to secure mode" link)

1 | 2

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#48967 18-Oct-2006 11:33

This is a very good point. Let's see if anything happens.

SilentOne

290 posts

Ultimate Geek

#48971 18-Oct-2006 13:13

Wow, interesting point. I'm suprised its not secure because as you say, the username you use for free wireless at the Telecom HotSpots is your Xtra username which is used for more than just your broadband access.

Now although it can't be used on any other line other than the one with broadband, there is that default dial-up plan sitting on the username.

Very strange and a little naive of Telecom... though there surely must be some reasoning behind it? We would hope?

portege

188 posts

Master Geek

#48972 18-Oct-2006 13:47

I believe you can you other people's login name on your line, my flat uses my dad's broadband login name and my dad uses mine.

nzbnw

2374 posts

Uber Geek

Trusted

Spark NZ

#48974 18-Oct-2006 14:26

portege: I believe you can you other people's login name on your line, my flat uses my dad's broadband login name and my dad uses mine.

While this will work, because broadband/DSL is provisioned against the line, the usage is meant to count against the line and as a result this is not achieving anything.

portege

188 posts

Master Geek

#48975 18-Oct-2006 15:01

That is correct :)

Kezzainc

97 posts

Master Geek

Trusted

#48988 18-Oct-2006 20:14

I brought this problem to them nearly 2 years ago.

Also asigning MAC address's to logins which would help in lots of ways.

Wonder how long we are going to have to wait for what seems to be obvious upgrades.

Main reason why im with Cafenet just to make sure only me check my emails....

Maybe we need to be asking Alcatel to do this... They may not have deaf ears.

Filterer

489 posts

Ultimate Geek

#49156 20-Oct-2006 09:36

Wow that is very scary, it would take approximalty 2.5 seconds for a sciprt kiddy outside a library with a sniffer to get a password when someone logged on!

And matching to a MAC address wouldnt help that much , another 10 seconds and that same person could have changed their mac address in linux....

pɐǝɥ sıɥ uo ƃuıpuɐʇs

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Jama

1420 posts

Uber Geek

Trusted

#49160 20-Oct-2006 10:15

That is why it is free.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#49162 20-Oct-2006 10:26

Good reply Jama, but we know this is not the reason why it's free. You can't just infer that "it's free because it's not secure".

A SSL certificate costs about $250/year these days. Configuration, integration, testing would be another week of IT resources.

All this for the peace of mind of knowing that people using their Xtra login on a Telecom Hotspot wouldn't have to worry about someone reading their e-mails or using their login to change preferences or anything else - like using it on DSL connection or dial-up and clocking up on data traffic charges without the user's knowledge.

Filterer

489 posts

Ultimate Geek

#49165 20-Oct-2006 10:36

Well do you even need ssl? Why could you just not have wireless protected by wpa?
Then you solve the login issue and anyone reading anyother internet access like emails etc

pɐǝɥ sıɥ uo ƃuıpuɐʇs

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#49167 20-Oct-2006 10:48

Because WPA is for the "physical" link, and some devices do not support. And some people wouldn't even know how to configure that on their laptops and PDAs.

Filterer

489 posts

Ultimate Geek

#49172 20-Oct-2006 11:05

freitasm: Because WPA is for the "physical" link, and some devices do not support. And some people wouldn't even know how to configure that on their laptops and PDAs.

Fair comment I suppose, I know the dse card in my laptop can't handle wpa but can handle wep. Wep however is really just an illusion of security, you can crack the encyption if you sniff more then 1million packets or somethinbg like that. Easy if its a public network.

It would be nice to see an unencrypted network with instructions on how to log into an encrypted network. $$$$

pɐǝɥ sıɥ uo ƃuıpuɐʇs

barf

643 posts

Ultimate Geek

#49187 20-Oct-2006 18:07

take it from someone who has built hotspot routers, software and billing systems. you cannot totally encrypt a hotspot very easily. the nature of them is that you need people to be able to join the network easily so WEP or WPA isn't an option (not without spending megabucks on access points that support multiple ESSIDs, then automating it is another game).. but an SSL cert doesn't cost $250 unless you want thwate or whoever to sign it (rip off - I use cacert.org instead) so Telecom have no excuse for not SSL encrypting the hotspot authentication - all my hotspot systems use SSL and I would call them budget setups.

Sniffing the glue holding the Internet together

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#49835 26-Oct-2006 13:46

I had typed a nice reply, but the damn forum ate it :(

The cost of the cert is not an issue as they could make a self signed one and just install it with some other software. A hotspot locator program would be a useful addition since the only ones I know of are at starbucks.

Anyway, the bigger problem is that their is no certification that you are connecting to the real hotspot. I could easily deploy a linux based AP distro with local copies of the spash pages, and why copies of most popular website login pages, then collect peoples credentials. I could just hookup a wrt54g in the back of my car and parkup outside starbucks and slurp away if I was that way inclined.

You could also start up your ap with the same ssid in the locale of users so they roam over to yours, then you can inject crap into pages as they go thru. Could also simply arpspoof the gateway when you are a client on the public AP to get the same result but that may raise alarmbells with the hotspot operator.

All up, they are a huge gaping security hole for the users if someone is determined to screw with them.

Richard rich.ms

tonyhughes

Hawkes Bay
8476 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#49840 26-Oct-2006 13:52

setting up a hotspot to spoof it would be the biggest worry. I have several ideas about how you would *easily* get people to choose to connect to yours instead of the genuine one, though for obvious reasons I am inclined not to make them public.

I would think that TNZ will see this thread and pass it on to the right team, and something be done, and also to have some basic precautions communicated to customers about how to identify that you are securly connected to a legitmate TNZ hospot before letting any sensitive info pass over the link.

1 | 2