
List:       kde-community
Subject:    Re: Input on privacy goal
From:       Nicolás Alvarez <nicolas.alvarez () gmail ! com>
Date:       2018-01-22 1:09:20
Message-ID: C8A26128-9590-4982-A1F2-AE10DC30C524 () gmail ! com


> On 19 Jan 2018, at 14:58, Sandro Knauß <sknauss@kde.org> wrote:
> 
> Hey,
> 
> > > Here are some thoughts on threat models for this, as a possible way to
> > > better capture what we want to achieve.
> > > 
> > > (1) Public Wifi
> > > 
> > > Assume anyone can see your Wifi network traffic (e.g. via recent
> > > vulnerabilities in WPA2). Using your device in such an environment should
> > > be safe and not compromise your privacy any more compared to using a
> > > wired network at home.
> > > 
> > > Possible counter-measures: Encrypted communication, VPN.
> > 
> > Since (I think) iOS 10, the Wi-Fi configuration gives pretty loud warnings
> > if you connect to an unsecured Wi-Fi network. Perhaps the Plasma
> > NetworkManager applet needs similar UI improvements in that area.
> 
> Just marking all non-encrypted Wifi as insecure and marking everything with WPA2
> as secure is too simple. Most bars I know also have a WPA2-secured Wifi;
> you get the password by asking or looking into the papers lying around. But
> I would never trust those encrypted Wifis. Everyone who has the password can
> see my traffic, and as those bars never change their password...

This is not quite true. Being in a WPA2 network where everyone knows the password is
not equivalent to being in an unsecured network. If it's unsecured, traffic is in
plaintext (unless, of course, higher level protocols do their own encryption, such as
TLS). A WPA network transmits traffic encrypted with negotiated keys, and you can't
passively intercept it and decrypt it even if you know the password.

It *might* be possible to do a man-in-the-middle by running your own access point
with the same SSID and password, and get the victim to connect to you instead of the
real one, but it's much harder to pull that off.

> I would 
> like to see a way to tell the computer "kontact and owncloud-client should 
> only be active for my home by default". Otherwise ask me, if they should go 
> online. And at second level it would be nice to say, if I'm not at my home 
> connection kontact should use this VPN to connect...

Ohh, I'm interested in this feature too, for a different reason: choosing which apps
can connect to the network when I'm tethered to my phone and using my horribly
limited 3G plan.

-- 
Nicolás

