Steve Gibson's 16th podcast had some fascinating information about security for home users. Oh, and it was completely wrong.
Steve: The thing that I've suggested to people whose email addresses I had was - and actually they wrote back and loved the idea. So I guess maybe it's feasible. It's possible to run two networks.
Leo: Oh.
Steve: There's nothing to prevent you from having your - and this actually solves the problem of people coming over to your house, also.
Leo: So have an insecure network and a secure network.
Steve: Exactly. You might want to run MAC address filtering and hide your SSID so that your neighbors are not using - I mean, I would suggest having one that is WPA running at full security, and probably just leave the other one wide open. Don't even bother with WEP security on the other one if you really don't care. But do use MAC address filtering...
Leo: Just to keep it out of prying eyes.
Steve: ...to keep your neighbors from using it by mistake. Then your TiVos can connect, your Nintendo DS can connect, your neighbors who bring their laptops over...
Leo: Real quickly, what would the topology be? You would have, okay, I have my cable modem or DSL modem. It's connected first to the insecure access point, and that's bridging to the secure access point?
Steve: There are levels of security that you could go through. But as long as you've got a switch on your router which is isolating the traffic from each other, you're going to be very secure.
Leo: Ah. So you have a router connected to the cable modem and a Wi-Fi access point coming off that router...
Steve: Yup.
Leo: ...that is open.
Steve: And it's not going to see any of your - and none of your encrypted traffic would ever be decryptable anyway because you're on WPA.
Leo: Right. So a modern router is going to have a switch, and it's going to be - that'll be sufficient. An older router might not, but...
Steve: Yup.
Anyone on the open Wi-Fi network would be able to scan the entire network. Consumer home routers generally do not let you segment the network so that one port (or group of ports) cannot reach the others. Further, having a switch does not by itself prevent traffic sniffing: the popular Dsniff toolkit is built to do exactly that on a switched network.
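The way a sniffer gets past a switch is worth understanding from the defender's side. Dsniff's arpspoof program works by sending forged ARP replies so that hosts send the gateway's traffic to the attacker's MAC address; the tell-tale sign is an IP address whose MAC binding flips back and forth. The following is an added example (not code from the original post or from Dsniff) of a minimal arpwatch-style detector; the ARP replies it processes are constructed sample data, and the names `ArpReply`, `detect_arp_flips` and `count_flips_per_ip` are my own.

```python
# Added example: a minimal ARP-cache-poisoning detector in the spirit of
# arpwatch. The ARP replies below are constructed for illustration, not
# captured from a real network.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a passive sniffer on the LAN would see it."""
    seq: int          # observation order (constructed)
    sender_ip: str    # IP address the reply claims to speak for
    sender_mac: str   # hardware address it binds that IP to


def detect_arp_flips(replies):
    """Return (seq, ip, old_mac, new_mac) for every IP whose MAC changes.

    A legitimate host keeps one IP->MAC binding. A poisoning tool such as
    dsniff's arpspoof advertises the attacker's MAC for someone else's IP
    (typically the gateway), so the binding flips; rapid flip-flopping
    between two MACs for one IP is the classic signature.
    """
    bindings = {}   # ip -> mac currently on record
    alerts = []
    for r in replies:
        prev = bindings.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.seq, r.sender_ip, prev, r.sender_mac))
        bindings[r.sender_ip] = r.sender_mac
    return alerts


def count_flips_per_ip(alerts):
    """Summarise alerts so a noisy IP (usually the gateway) stands out."""
    counts = defaultdict(int)
    for _, ip, _, _ in alerts:
        counts[ip] += 1
    return dict(counts)


# Constructed traffic: the gateway 192.168.1.1 legitimately lives at
# aa:aa:aa:aa:aa:01. From seq 3 on, a host at de:ad:be:ef:00:01 starts
# claiming the gateway's IP as well, alternating with the real replies.
SAMPLE_REPLIES = [
    ArpReply(1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(2, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(3, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(4, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(5, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(6, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
]

if __name__ == "__main__":
    for seq, ip, old, new in detect_arp_flips(SAMPLE_REPLIES):
        print(f"#{seq}: {ip} moved {old} -> {new}")
    print(count_flips_per_ip(detect_arp_flips(SAMPLE_REPLIES)))
```

On the sample data the gateway's binding changes three times while the ordinary host at 192.168.1.20 never does, which is exactly the pattern a switch alone will not protect you from.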
Steve: The way Ethernet works is that, essentially, anyone can talk on the wire at anytime they want. ... technology, it's called CSMA, Collision Sense Multiple Access. That's the original brilliant Ethernet technology that Bob Metcalfe invented back in the old days.
Close, Steve, but CSMA stands for Carrier Sense Multiple Access.
Leo: Right. You've said that SSL connections are not susceptible to man-in-the-middle attacks, but I've read that they are. I want to believe you, but why do others think that SSL is susceptible to MITM attacks? And when an SSL or VPN authorizes, what stops someone listening to the packages each way to figure out the keys? So first let's start with what is a man-in-the-middle attack?
Steve: Okay. In fact...
Steve said SSL connections are not susceptible to man-in-the-middle (MITM) attacks? This is absolutely false. Such attacks have always been possible, and they have become even easier in the last year (2009/2010).