2015-09-14 - Re: [GRASE-Hotspot] Re: static IP traffic on the grase/chilli dhcp pool

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 2748b6909f1075f1e5c8c7ab8b95eeac32a8d57ae0b580b01c4f26a109d4aa0d
Message ID: <CAESLx0KLp_-cvCnoiR=Wu6PswrxW3BYgCQKaiO2BkokbYo7qgg@mail.gmail.com>
Reply To: <c2b4e80c-3a1b-43c1-a632-800589ca50c5@grasehotspot.org>
UTC Datetime: 2015-09-14 02:06:12 UTC
Raw Date: Mon, 14 Sep 2015 19:06:12 +1000

Raw message

Sorry for the delayed response.

Assuming the client is using the "secure" javascript login, the
passwords are protected as we do a CHAP login from your browser to the
Hotspot. Have a look at
https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol
to get an understanding of how it works, and how it can be secure over
an unencrypted link.

If you disable the secure login, or the user clicks the link for the
insecure non javascript login (or they have javascript disabled), then
yes, the password is over plaintext and can be sniffed. I hope in the
future that we can set up an SSL based method to cover networks like
that. Who knows, maybe I'll set up a server that is on SSL that
everyone can use for those logins in some crazy way that does
plaintext to an SSL server, so it can then do CHAP without javascript?
Hmm, that thought is probably best to be shelved for now, and given a
good thinking and discussion before we even try that!

Regards

Tim

On Thu, Aug 13, 2015 at 8:44 PM, gianluca <au***a@gmail.com> wrote:
> thank you so much for your accurate reply Tim, crystal clear!
>
> one last question ... if I may.
>
> my wifi AP has "open" authentication, i.e. I rely only on grase for access.
>
> is it possible for clients to sniff username/password at the login,
> or are those sent encrypted to the grase server?
>
> thanks
>
> On Friday, July 31, 2015 at 10:51:32 PM UTC+2, timwhite88 wrote:
>>
>> Hi Gianluca
>>
>> As some have said, you shouldn't have DHCP (server) enabled. DHCP
>> client is fine. The reason you need WDS is otherwise the link is Layer
>> 3, the IP layer, but Grase needs Layer 2, the ethernet layer. Without
>> WDS you need to do IP routing across the bridge, which isn't
>> compatible with how Coova Chilli is set up in Grase. In the future
>> we'll work on allowing IP routing, but for now it's layer 2 only.
>>
>> Regards
>>
>> Tim
>>
>> On Fri, Jul 24, 2015 at 9:55 PM, gianluca <au***.@gmail.com> wrote:
>> > Hi all,
>> > quick reply to confirm that I did enable WDS and DHCP on both antennas and
>> > now it works!
>> >
>> > looks like it was a simple fix...
>> > :-)
>> >
>> > --
>> > This mailing list is for the Grase Hotspot Project
>> > http://grasehotspot.org
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "Grase Hotspot" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to gr***.@grasehotspot.org.
>> > To post to this group, send email to gr***.@grasehotspot.org.
>> > Visit this group at
>> > http://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>> > To view this discussion on the web visit
>> >
>> > https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/2ecfa40f-1aed-4703-8997-1f9d349ee2d6%40grasehotspot.org.

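The challenge-response exchange described in the message above, as an added example that is not part of the original email and is not Grase or Coova Chilli code: a generic CHAP-MD5 exchange (RFC 1994) in Python, showing what crosses the open link and why a captured response cannot be replayed. The `Authenticator` class, the user name and the password are hypothetical, constructed values.

```python
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Authenticator:
    """Hypothetical hotspot side: stores passwords, issues one-time challenges."""

    def __init__(self, users):
        self.users = users      # username -> password bytes
        self.pending = {}       # identifier -> challenge still waiting for a reply

    def new_challenge(self):
        ident, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[ident] = challenge
        return ident, challenge

    def verify(self, user, ident, response):
        challenge = self.pending.pop(ident, None)   # each challenge is single-use
        password = self.users.get(user)
        if challenge is None or password is None:
            return False
        expected = chap_response(ident, password, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-password"       # constructed sample value
    hotspot = Authenticator({"alice": password})

    ident, challenge = hotspot.new_challenge()              # hotspot -> browser
    response = chap_response(ident, password, challenge)    # computed in the browser
    on_the_wire = bytes([ident]) + challenge + b"alice" + response

    accepted = hotspot.verify("alice", ident, response)
    # The same captured response is useless once the hotspot picks a new challenge.
    ident2, _ = hotspot.new_challenge()
    replayed = hotspot.verify("alice", ident2, response)
    return {
        "accepted": accepted,
        "replay_accepted": replayed,
        "password_on_wire": password in on_the_wire,
    }


if __name__ == "__main__":
    print(demo())
```

The plaintext fallback mentioned in the message has no equivalent step: the password itself would be the payload on the wire.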
