VPNs and WAP.

Bennett Todd bet at RAHUL.NET
Thu Jul 20 13:41:49 EDT 2000


2000-07-20-10:18:28 Jason Zann:
> I feel confident in the fact that from the personal device to the
> 'mobile network' (SprintPCS, palmnet, etc.) the information is
> secure from the personal device to the network [...]

I very specifically doubt that security.

The protocols being used by WAP are, as far as I know, part of
the basic GSM design, and that basic design was very deliberately
sabotaged by representatives of spy agencies, to ensure that it
would not be secure.

As always, the morons who committed this screwup thought they could
keep it quiet, and that nobody else would notice, and so they'd have
exclusive rights to listen in on everything. As always, they were
wrong.

> I am still in question as to what is available to protect
> sensitive information that travels out of the 'secure network of
> PCS or palmnet' to individual corporate WAP gateways. It would
> seem to me that this would be an opportune place (between PCS /
> palmnet and the WAP gateway) for an attacker to sit and intercept
> all information that is being transmitted.

That would be one opportune place, certainly, the other being most
anywhere, with a good radio receiver.

Happily the fix to this problem would only require support from the
wireless providers, on their servers, not from all the countless
(and so irreparably insecured) individual mobile cellphones and
whatnots. If the gateway server were willing to talk SSL to the WAP
server, that'd cover the problem you're worrying about. I've no idea
whether any of the existing ones would be so willing.

> Wireless browsers in the US (to the best of my knowledge) cannot
> support digital certificates because of the size of an x.509v3
> cert.

It has nothing to do with the size; memory is cheap as sand. What it
has to do with is that there's no secure protocol implemented within
the cellphones and useable over the air --- there's no SSL there,
just some deliberatly crippled pretend crypto.

> With no further introduction, here is my question... What, if
> anything is available for end to end security (integrity of the
> data being transferred) from a PDA / digital phone to a WAP
> gateway?

As far as I know, nothing. What's more, until and unless the various
spy agencies fall out of favour and influence, there never will be;
they are so utterly committed to shutting down practical crypto,
that they are completely unstoppable any place there's an easy
choke point for them to strangle processes --- like e.g. defining
standards for mobile phone technology. They've failed with open
source and the internet, but that's just because neither of them had
conveniently located necks that hands would fit around.  I expect
the only option for the forseeable future would be to settle on some
box capable of general-purpose programmability, like e.g. a Palm
VII, and write custom code that uses the provided protocol to carry
encrypted traffic for your application. Shouldn't be too awful a
job, SSLeay has been ported to PalmOS, and people have implemented
ssh atop it.

-Bennett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000720/654b8513/attachment.pgp 


More information about the VPN mailing list