>>52026324
Wireshark

>>52026324
depending on your ISP the time of day can actually affect your speeds. So you have slower speeds during prime usage hours. also he isn't ripping you off if you agreed to share the bandwidth them evenly for even usage of the internet

>>52026370
He could be ripping me off if the connection costs $30 but he is charging 2 neighbors $15/mo. That means he would get internet for free. Or if he signed on more than 2 people, he would be making money.

>>52026324
I have that router. I think you can set a bandwidth limit per Mac address/IP address. Or if your neighbor has the router, he might have wifi limited to a certain bandiwidth and then as >>52026370 said, the time of day can effect speed.

For instance I normally get 25mb/s but during 2-4AM hours, I get like 50mb/s in 10 minutes bursts. Odd but whatever.

Also what internet plan are you on that you guys only pay $30? What speed connection? If something along the lines of 5/1, you're asking too much of your service to game online over wifi.

Try typing

192.168.1.1

into your browser

>>52026417
oh shit, this guy set the router pw the same as the internet password. I'm in.

>>52026324
>sharing an internet connection with your neighbour
>he owns the router

Why? You know he can see everything you are doing, right?

>>52026430
yeah this just got a whole lot easier, it has a nice device list right there. And I was right motherfuckers, there's 3 computers and 5 phones OTHER THAN MINE on the device list lol.

Inb4 he's throttling you, or just torrenting a TON of open atm

>>52026451
I already know I was being throttled lol. I didn't think too much of it cause it was only $15/mo, can't ask for much. But I'm totally not down for sharing internet 3 ways when I'm told I'm paying half the price of internet. That doesn't add up.

>>52026446
Lol no he can't

>>52026450

It might be a laptop and some friends phones, are you looking at an active address list?

>>52026467
Dude call the cops

>>52026450
Just because there's lots of connected devices doesn;t mean he's sucking up bandwidth.

>>52026467
You know, he could have two computers, ...right?

>>52026324
>I'm getting really bad lag
"Lag" can be caused by any number of things. It might be something with your rig (even though it never lagged before). It might be your internet access point, It might be your ISP. It might be your game server.

Normally, when you get "lag" you can at least troubleshoot your rig and network. Because you have access to those. But you don't have access to the router/modem. On top of that you are gaming over wifi, which I always thought was a bad idea (perhaps the speeds are better now than they were years ago?). And there are always things that can interfere with vifi.

There is no way for you to know what is happening to your connection (unless others are complaining about issues in the game).

>>52026467
If he's savvy enough to throttle people on his router, wouldn't he be savvy enough to check the router admin login history and notice that you broke into his router without permission?

>>52026468
It's wireless, literally anyone can see all of your traffic they don't even have to do be connected to the network.

Get a job

>>52026470
I got groceries like an hour ago, his apartment window was completely dark, so I assume he's not home. I know his first name, and the device "anons macbook" is offline according to the router. There is a phone and laptop that are active right now, under a completely different name (i.e. anon2's macbook).

>>52026479
idc about that, what I do care about is paying for half the net when it's getting shared more than 2 ways.

>>52026468
lol XD yes he can. are you that fucking retarded?

>>52026505
>Hur dur what's https

>>52026502
This...

>>52026499
Well looks like you are in. So you can troubleshoot.

>>52026450
>there's 3 computers and 5 phones OTHER THAN MINE on the device list lol.
That doesn't mean anything.

>>52026519
And? It can easily be downgraded even with hsts

>>52026525
see
>>52026506

>>52026529
>hur dur I don't understand public key encryption, signing authorities, or certificates
HTTPS is secure, even over public Wi-Fi networks. That's pretty much why it exists, to prevent man in the middle attacks.

>>52026566
good job, you have no idea what you are talking about. go do some research on downgrade attacks, because https can easily be downgraded to http with an intercepting proxy and spoofing dns requests

this thread is fucking retarded anyways on multiple levels, so i am not surprised to see some retard kid like yourself trying to look smart

>>52026556
It doesn't matter if he has 30 computers and 50 phones connected. You can have hardware connected and not using bandwidth.

Run some network tools and see what is actually happening. Again, it could be the game (it is Christmas eve in the USA).

>>52026590
>hur dur my router doesn't show https certificate validity right in the fucking address bar
If you go to an https website, and you get redirected to an http endpoint youl'll see that in the address bar. If the attacker tries to spoof the certificate, it will fail verification against the certificates in your certificate store and display an error.

>>52026619
>hur dur I meant browser, not router

>>52026619
wrong, you dont know how cert chains works. and the little lock icon can easily be added manually.

but since you dont know what i am talking about anyway, you can stop trying to act smart because i will prove you wrong with every reply

>>52026650
>you can stop trying to act smart because i will prove you wrong with every reply

:^)

>>52026668
i am serious, you dont know how http downgrade works, you dont know how hsts works, you dont know how cert chains work. you even mentioned 'http endpoint' which makes no fucking sense because that is not how that term is used

you lost, face it.

>>52026681
hey bruh I'm not the same guy, I was just laughing at how mad you are.

jesus I even told you you were right

>you lost, face it

>>52026650
Not whoever you're arguing with, but:

>wrong, you dont know how cert chains works.
How the hell is the neighbour going to spoof the SSL cert?

>the little lock icon can easily be added manually.
That's done in the browser.

>>52026650
Please, enlighten me. If you know how to spoof a certificate for a banking website you could sell that information for a fortune.

So far the only somewhat valid point you've raised was the downgrade attack, but that doesn't expose any vulnerabilities in https, you're simply stating the obvious, which is that http is insecure. The problem is that it's plain to see when you are connected to https vs http in any modern browser.

In order to circumvent that you would either need the private certificate signing key, or you would need to have inserted a malicious certificate into the clients root certificate store.

TLS/HTTPS are secure against man in the middle attacks, whether that man in the middle be a public wireless network or somewhere in between the client and the server upstream.

>>52026708
you dont need to spoof the cert, you just need to have a valid one presented, it never checks if the certs if FOR that website.

but it doesnt matter because you can simply manipulate dns and ignore any hsts in the first place

this whole thread is based on some kid making up some stupid story, and now you are trying to act like wireless is somehow secure because of https. you are an idiot, pick up a fucking book

>>52026728
no, look up how cert chains work and then come back to this thread. you still have no idea how an intercepting proxy is working in a downgrade attack

>>52026324
>I noticed all the lights were out in my neighbors apartment when I pulled in today, yet I'm getting really bad lag in games.

Your neighbor is torrenting or something.

The only way you're going to get consistently good performance is if your neighbor configures Quality of Service settings to give your gaming packets priority.

>>52026768
Oh I do, and you're wrong. Https is a protocol, dns lookups, web request servicing, etc are all preformed under this protocol. If you really believe what you're saying is true than it doesn't matter how you're connecting to use this protocol, be it a wireless router or a wired connection, all bets would be off because inbetween your computer and the server you're connected to there can always be a man in the middle unknown to you.

You're talking shit, buddy.

>>52026728
New participant here

You mean to tell me https is 100% secure even with physical access to the access point?

For example if I got on your network right now and do banking with https there's no way for you to find out what I'm doing?

>>52026820
Correct, https was invented to be resilient against man in the middle attacks.

File: 1350187647296.jpg (109 KB, 650x650) Image search: [Google]

109 KB, 650x650

>>52026650

>>52026816
the only thing that keeps https from being downgraded is hsts, and that is bypassed with a proxy and a dns spoofer

its not like you would notice the difference, you dont physically type "https" before every webpage you go to. this whole stupid conversation started with some retard saying that you couldnt view traffic over wireless, and that is 100% false

and since i am talking about intercepting proxy and spoofing dns, it needs to be done on the local segment because not only do isps block certain ports to prevent this, but you wouldnt have the equipment to handle the traffic in the first place

>>52026850
go look up how cert chains work and tell me why i am wrong

>>52026519
That's not the point, it's trivial to spread malware (which could then compromise local CA's, rendering ssl useless) over a network you don;t have control over.

Realistically, the chances are he's not going to push malware (although asking to share internet is suspect as hell) You've got to be pretty brave to assume he's at least not going to snoop on unencrypted traffic, all to save a little money on your internet bill?

fuck me man.

>>52026855
>>52026862
Post source

I'm interested because my main Internet connection is McDonalds

sslstrip2 works only in edge cases when you access URL over https and exact same URL is also accessible over HTTP

works unreliably and only on some low profile websites that are not forcing https

>>52026383
That's not a ripoff you fag, that's playing dumbasses like you. You fucked yourself over by not being admin.

>>52026748
>you dont need to spoof the cert, you just need to have a valid one presented, it never checks if the certs if FOR that website.
What? Yes it does.
I've seen plenty of certs get rejected because the don't match the domain name.

>but it doesnt matter because you can simply manipulate dns and ignore any hsts in the first place
How does that help if the browser explicitly asks for https?
Also, that doesn't make the connection look secure - that just directs you to a cleartext page.

>>52026855
>the only thing that keeps https from being downgraded is hsts
No. That only provides a hint to the browser.

>ts not like you would notice the difference, you dont physically type "https" before every webpage you go to.
I have at least a minimal amount of awareness. I still CHECK if my connection is encrypted before doing anything important.

>>52026855
>hur dur http is insecure
Yeah no fucking shit, but https is secure and no matter how many times you say otherwise, it wont change the fact of the matter. Every modern browser shows you if you're on an encrypted connection or not, that is something the browser does and can not be spoofed. If you're arguing that users might ignore those clear indicators then you might be right, but most savvy users that care about their security and privacy won't.

>>52026911
it works on most all sites including gmail, the versions you get now need to be modified for the dns returns to work with facebook and twitter

>>52026941
>>52026946
if you simply glance to see if there is a lock that isnt good enough. go look up how cert chains work

>>52026961
Go look up how https and certificate signing authorities works

>>52026946
any savvy user isn't going to transmit any sort of logins or other data on a public network in the first place

>>52026950
Try to access gmail login screen by http only. You can't - you are always redirected to HTTPS there is no HTTP version

>>52026974
i told you first. you dont know how cert chains work it is obvious

here, i will spoonfood just a little
https://www.youtube.com/watch?v=MFol6IMbZ7Y

and keep in mind, that video is only a little part of this argument

>>52026987
that is because of hsts. but what is stopping an intercepting proxy from completeling the https connection on its end, and staying http on your end?

>>52026978
Why wouldn't they? I assure you you probably do over your cell phone every day. You don't have control over that wireless network. For all you know your cell phone could be connected to a malicious stingray. With https none of that matters because the traffic is encrypted and only scriptable by the server you're intending to communicate with through a process known as public key encryption.

>>52027011
Scriptable = decrypted

>>52026650
Everyone get a load of this network security guy over here he definitely knows what he's talking about

>>52026855
>>52026650
>>52026681

this guy is really mad and i can't understand why

>>52026341
This OP. Or some good old Cain and Abel. They're easy to use if you just follow a guide online.

>>52027050
he's mad he's being called out on being retarded

check if anyone's torrenting with qbittorrent. I had huge lag spikes for the past few weeks and I kept thinking it was the router, turned out it was qbittorrent fucking up even when nothing was downloading. back to good old utorrent, everything's fine now.

do ping tests through cmd to see if there are periodic ping spikes. Just ping google

>>52026991
>https://www.youtube.com/watch?v=MFol6IMbZ7Y
I'm just skimming that, but the insight there just seems to be replacing HTTPS with HTTP and hoping no-one notices.

>>52027009
>but what is stopping an intercepting proxy from completeling the https connection on its end, and staying http on your end?
That I'm not dumb enough to connect to Gmail over plaintext?

>>52026991
Thanks, those talks are always very interesting. But I have to ask: did YOU watch that video? They made it pretty clear that the vulnerabilities discussed spring from non compliant implementations of https, specifically browsers ignoring the basicConstraints field in certificates, which allowed any leaf node certificate to be used as an intermediate authority for any other leaf node. That problem has been fixed for ages, as the video mentions. The rest is just about sslstrip, which has no bearing on the security of https because all it does is redirect you to an http endpoint, which everyone knows is insecure.

File: 2dWFjGl.webm (677 KB, 720x306) Image search: [Google]

677 KB, 720x306

>>52027050
Probably because OP thinks connecting to a potentially compromised AP is a good idea because "Lol https"

Unless you are on loonix/mac and have a good grasp of basic security principles then it's never a good idea. The fact that he's on wangblows and playing gaems seems to indicate otherwise.

>>52027278
Connecting to a compromised Wi-Fi network is no more unsafe than connecting to your ISP through a coax cable with respect to man in the middle attacks. What do you think that your house is directly connected to Google, 4Chan, and every other website you visit? There's always computers in between you and a given server creating your connection. At any given moment any of them could be compromised. Https was invented to rend that a moot point because the internet requires inbetween nodes to work in its current incarnation.

>>52027009
No, that's because of "HTTP/1.1 302 Moved Temporarily" you receive from gmail when you try to access HTTP version..

and regarding sslstrip it does not work as you think:

from author himself
" It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links."

>>52026324
open up explorer, go to network and you should be able to see everything connected to the same network as you. if you're not in the same homegroup/have a user/pass you won't be able to access them but you'll still be able to see them

>>52026937
This
When you're paying for half the internet, you should get equal rights

>>52027346
The only homograph here is you

>>52027329
Do you actually think you're that right that you typed all of that shit out? Jesus Christ you're autistic.

>>52027329
The difference being it takes 2 mins to inject malware at the router level that you can also continually harvest the data from.

Sure, you could tap his phone line and monitor it(if you were even capable of understanding the telephone network enough to pull it off), that's pretty easy to get caught and a sure-fire way of ending up in jail.

Do you only ever connect to https sites? I'm sure that bf4 server of his isn;t https.

You're opening yourself up to very real security threats for the sake of saving $15. It's fucking retarded no matter what way you look at it.

>>52027278
>Probably because OP thinks connecting to a potentially compromised AP is a good idea because "Lol https"
So long as you're not doing something stupid, HTTPS is still considered secure.
If I visit "https://www.4chan.org", I can be sure that I'm actually connected directly to 4chan.

>>52027346
>" It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links."
Exactly.
If the URL is good and the cert checks, the connection is safe.

>>52027428
>Do you only ever connect to https sites?
I'm not OP, but I'm actually pretty close to that point.
There's a couple of news sites and things I REALLY don't give a fuck about, but even my wasting time on IRC and 4chan is behind SSL these days.

>>52027406
>hur dur damage control

>>52027428
Inject as much malware as you like into my router, it still won't get you anywhere with respect to sniffing my https traffic. If all you're saying is that http is insecure, then you're correct, no on disagrees with that.

>>52027488
Damage control for what? I just joined this thread buddy.

>>52027488
no what he's saying is he can inject the router with his magical unicorn packet that will read his bf4 stream and autamacially steal his identity

>>52027518
>muh compromised bf4
Kek

>>52027454
The protocol is secure, getting malware by any non-encrpted page isn't so great.
if you connect to a single unencrypted connection then it's just as bad as not using encryption at all. play around with burp, it's pretty interesting seeing what shit goes over your network even when you think you've closed all them loopholes. Wangblows network security is laughably bad. This shouldn;t be any surprise to you.

>>52027488
It's not into your router that's the problem, it's getting malware pushed to your system that you should be worried about.

>>52027507
Here I'll rephrase for you
>hur dur I'm too dense to read and people who write responses longer than my ADD can handle are autistic
Kill yourself

>>52027578
You mean like through windows update? That's all secured over ssl too, you can confirm for yourself with a tool called Fiddler. Firewalls are designed to keep unsolicited traffic at bay in the event that you had inadvertently installed a Trojan on your computer that was waiting for a cnc server to see a it a command. But at that point your already be up a creek, regardless of your connection because at some point you installed malicious software on your computer.

Executable code can't be pushed to your computer and executed just by means of connecting to a Wi-Fi network.

>>52027578
>Wangblows network security is laughably bad. This shouldn;t be any surprise to you.
So... don't use it then?

>it's getting malware pushed to your system that you should be worried about.
If you're getting malware from plain websites you're doing something badly wrong.

>>52027592
>kill yourself

Nice dude hows middle school?

>>52026820
They know what server you are connecting, so they can likely figure out you're doing some banking things (because you're connected to the bank's servers). They don't know what data you're sending to the server though, or what data you are receiving.

>>52027642
I was more specifically talking about unencrypted pages in general. I'm not that guy who's questioning the security of https.

I can inject packets into any unencrypted website my laptop connects to from desktop just by being on the same network in wireshark/burp. You hear about public wifi spots getting compromised all the time and users getting malware. I can also get the cookie for that instance and use that too, Faceniff used this method to get access to peoples facebook accounts.

The point I'm getting at is there is a lot of information, probably more than you think, being passed along that connection. don;t think for one second you are safe because some of the sites you connect to use https, for every one that does there's another site that'll happily send login information in plain text. assuming someone has this information and won;t use it is pretty naive.

There's a reason why we have passwords on our routers.

You ever hea
>>52027692
>So... don't use it then?
I personally don't, OP does though.

>>52027944
Sure, but that's all also possible via a man in the middle attack at any point inbetween your computer and the server its communicating with, Wi-Fi isn't any more susceptible to man in the middle attacks.

Even then, this is all http we are talking about, as I said earlier, all bets are off if you're transferring data in clear text, regardless of how you are connected to your internet access point.

Further, malware doesn't just get installed, you can't get a virus by visiting a website. Most instances in the past that I think you're referring to were due to compromised plugins like Java, Flash, ActiveX, etc. If you run those then you're always taking a risk regardless of how you connect to the internet.

>>52027944
Router passwords exist to remove plausible deniability in cyber crime cases. If the router you send a threat, download a torrent, or hack a server from is password protected then you can't claim some random person wardrived your internet connection to commit the crimes.

File: 1437024783819.webm (1 MB, 1280x720) Image search: [Google]

1 MB, 1280x720

>>52028019
But you need to have access to the line somewhere along that chain, if it's not client>router where is it? router to cabinet, cabinet to exchange, backbone to server? All of those options like I said before are extremely risky see: >>52027428


>Further, malware doesn't just get installed, you can't get a virus by visiting a website.
You never heard of malicious ads serving malware? Sure, if you were to turn off javascript/flash then it's hard for code to run when a malicious page loads. Have you tried browsing the internet with javascipt disabled? Nothing works.

I'm 99% sure OP is not the kinda guy to disbale all this shit.

I feel I'm repeating myself a little, it's a fucking stupid scenario OP is in, that's all i wanted to say. I'm out

>>52028093
So the owner of any open wifi is responsible for any crimes that were committed on it? Starbucks must have a pretty good legal team

>>52028172
No.. because they're open Wi-Fi networks, so there's plausible deniability..

>>52026324
>$15/mo internet
>muh gaymes
just end yourself

fuck you john you paid last month late and youre bitching here

>>52028042
Boot into linux.

Install netdiscover
Scan the subnet
See all devices in the network

Or use arpscan

Or a load of other ways.

>>52028224
>Boot into linux.
EBIN :^)

>>52028172

They provide an open internet connection to patrons of their business. Part of the agreement you click-past when you agree to use it, is that if you do some illegal shit, it ain't Starbucks' fault, because you're agreeing to take responsibility for it.

Effectively the same as slipping on wet tile when a wet-floor sign is present. While you're not signing or agreeing to anything by bypassing the sign, any jury or judge is going to say "You knew what you were doing by continuing past that sign. It's your responsibility for your protection beyond that sign, not the stores."

>>52026324

If you're on Windows

Use Advanced IP Scanner.
It'll tell you everything that has an IP lease/static IP right now.
Log this data and MAC info. Next time you see your neighbor, just tell him "Yo bro, the internet was pretty shit the other night. Might if I use your laptop for a minute to check the speed? See if maybe it's just my computer/game console?" And check his MAC when you're on it, do a little speed test at speedtest.com or something, give a thoughtful remark like "Oh, the speeds fine on yours." Ban all MACs that aren't yours or his. Enjoy.

>>52027224
I will leave it up to you to find the slides and video demonstrating hsts bypass using dns

>>52028287
No thanks, you're wrong, get over it