Pages

Wednesday 21 October 2015

How do you know where you are?

I set up a wifi access point recently, for my own use, and just for fun, I wondered if I could pretend to be somewhere other than where I was. Let me explain.

When you access, for example, google.com, you expect to be swiftly wafted to the web site run by Google Inc. This is done by a program that translates google.com to 66.102.1.100 (or whatever), and that's one of Google's servers. But suppose I do something a bit sneaky?

The program that does this translation is called a DNS server. When you connect to a wifi access point, one of the important things that the wifi server gives you, is the address of the DNS server that you'll be using. So, in this case, I told it to use a DNS server that's running on the wifi server. And I told my DNS server a wrong address for google. So that whenever anyone accesses my wifi access point and types in google.com, then actually get sent to a page that is mine.

And I can make it look like google, and act like google, in that it will produce a page of search results that looks like it came from google (because my wifi server did a real google search), but every link that it shows you, is actually a link to my wifi server again, to a page that gives you a sarcastic remark instead of what you were hoping for.

Which is all very funny.

But it's a classic "man-in-the-middle" attack, and someone with less of a sense of humour than me, could use it for some pretty nasty purposes.

So how do you know where you are?

Well, if you're using someone else's wifi, then you probably have no way of knowing, other than by simply trusting that the organisation providing the wifi access is A) honest and straight, and B) doesn't have an employee with base motives and C) hasn't been hijacked by one of the Bad Guys.

So what can you do?

Well, if you're sitting in an airport lounge using wifi to watch entertaining Youtube videos, it really doesn't matter much. But if your thinking of logging in to your bank, or you're about to give your credit card number online, then you should only do such sensitive activities when you're *really sure* that you are where you think you are.


No comments:

Post a Comment