[SGVLUG] if it possible to sniff packets if you can't get on the wi-fi network?

[Homan Chou]

A lot of businesses offer free wi-fi access within their walls as a perk of
being there.

I have a friend that is a business owner that does NOT offer it because of
"security" reasons.  In fact, in order to get on his wifi, he can't just
give you the password, he actually has to whitelist your MAC address into
his router or something like that.

His web developer set it up this way because their custom point of sale
program is just a website. And they don't use https.  So my question is, if
that website login form was accessed over non-secure http is the login just
send in plain text in packets?  Could someone theoretically observe that
with wire-shark without even being logged in to the wi-fi network?  Or do
you need to be connected to the wi-fi router in order to be able to do that?

I think it's the former but I'm not a wire-shark expert, can someone
confirm?  (Either way I will tell him he needs https).  And I want to
encourage him to provide free wi-fi, and if his POS is secured over https
it shouldn't make his business anymore vulnerable than he is now, is that
correct?

Homan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sgvlug.net/pipermail/sgvlug/attachments/20140112/578d8910/attachment.html>