New Hacking Tools Pose a Threat to Wi-Fi Users (2)

Shared by Ruomu

  Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.

  “It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”

  Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to assess and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.

  Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called HTTPS Everywhere. The extension, which can be downloaded at eff.org/https-everywhere, makes “https” the stubbornly unchangeable default on all sites that support it.

  Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”

  But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.

  A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.

  Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.
