Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

Posted by timothy on from the has-some-drawbacks dept.

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' ''I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

8 of 332 comments (clear)

  1. 'Free' or 'free'? by snsh · · Score: 3, Informative

    capitals matter. and don't WPA2 phrases have to be at least 8 characters?

  2. Re:Careful with those quotation marks by Gadget_Guy · · Score: 4, Informative

    I'm afraid it is not that simple. You should always be wary of assuming that the rules used in your locality are universal. There are two styles in general use regarding punctuation and quotation marks. See the wikipedia entry on the subject:

    In the U.S., the standard style is called American style, typesetters' rules, printers' rules, typographical usage, or traditional punctuation, whereby commas and periods are almost always placed inside closing quotation marks. This style of punctuation is common in the U.S., Canada, and in the U.K. in fiction and journalism.

    The other standard style--called British style or logical punctuation--is to include within quotation marks only those punctuation marks that appeared in the quoted material, but otherwise to place punctuation outside the closing quotation marks.

    Using the British style is less ambiguous in this case.

  3. Re:Before everyone says that's idiotic... by Anonymous Coward · · Score: 5, Informative

    In other words, the designers of WPA2 screwed up by not using something like Diffie-Hellman to negotiate a private connection before the initial password even changed hands?

    I realize this would be subject to man-in-the-middle, but that would seem to be detectable as you would get two different responses when you tried to do the initial negotiation, after which the OS should report "something's screwy with this network" and refuse to connect.

    WPA designers punt the problem of establishing initial session encryption key to EAPOL. Designers of EAP applications can use whatever authentication protocol and crypto bindings between layers that they want.

    DH is pointless in the case you point out because it would be trivial to operate as you point out a middle man to circumvent. For a "This is screwy" response to be possible it would require some prior knowledge to establish a trust relationship between systems. Encryption without trust is less than useless.

  4. Re:This will not work. by yuhong · · Score: 3, Informative

    It is easy to bypass though by capturing a four-way handshake. A fake authentication can be used in order to have a client go though it again.

  5. He's not a researcher, he's a salesman by Anonymous Coward · · Score: 5, Informative

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    He's neither a researcher (someone who works in the virus labs) nor an engineer (someone involved in development of our endpoint or management products). He's in sales. Nothing to see here people, move along.

    Posting anonymously because I work there.

  6. Standards conflate encryption and authentication by billstewart · · Score: 5, Informative

    Most of the Wifi systems are negotiating a random session key and using the password to authenticate it, so that's doing pretty much what you want.

    However, they were mostly designed with the assumption that the objective is to prevent unauthorized access, not to protect the contents of the communications from eavesdropping, so the only way you can get encrypted sessions is to have password control, which is too bad.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  7. Re:I like this. by clone53421 · · Score: 4, Informative

    On a WPA2 network, a user cannot eavesdrop on another user despite having the same key, because a unique handshake is performed when each user connects. Without the data that was passed in the handshake, an eavesdropper has no way of decrypting your traffic.

    They can, however, force your connection to be reset, and when you reconnect they can capture the handshake. With the data that was passed in the handshake, they can decrypt all of your traffic.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  8. Re:I tried it by anUnhandledException · · Score: 3, Informative

    Because WPA2 generated per session keys.

    Although everyone connecting would use same password (in this instance free).
    Each session key would be unique and thus would prevent snooping.

    Theoretically one could redesign WPA (WPA3) to have a passwordless mode where traffic is still encrypted however no password is needed. This is simply a "could work today" modification of existing protocol.