Slashdot Mirror


Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' 'I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

10 of 332 comments

  1. Re:Before everyone says that's idiotic... by phantomcircuit · Score: 4, Insightful

    So, technically, it would prevent someone from stealing your interwebs as long as you were already connected.

    Unless of course the attacker sends fake de-authentication packets forcing a new handshake to occur...

  2. WPA2 minimum passphrase length... by atomicstrawberry · Score: 5, Insightful

    ... is 8 characters.

  3. Re:Ridiculous And Totally Not Helpful by tlhIngan · Score: 4, Insightful

    > Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.

    Yep. And then we'll have a new version of Firesheep with WPA2 decryption. And then another version that'll ARP-spoof the gateway machine so every connected device then routes through your PC.

    It'll end up being that a Firesheep user will just have a fast DHCP server and act as a gateway for the WiFi so all traffic goes through your PC, forwarding packets to the real gateway.

    No, the ONLY way to defeat Firesheep is to properly encrypt sessions. Otherwise we're just doing an arms race. The ARP spoofing and fake DHCP is basically endgame short of access points going and isolating users from each other. Which would then end up being someone sets up a fake access point that routes to the real one.

    The endgame is, Firesheep can always win. Or anyone with a packet sniffer. Unless the site goes completely SSL.
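
The ARP-spoofing step described above is exactly the kind of thing a cafe operator or a cautious client can watch for: on a shared LAN the gateway's IP should always resolve to one known MAC, so an ARP reply claiming that IP from a different MAC is the signal. The following is an added example, not code from the thread or from any project it mentions: it parses raw Ethernet/ARP frames with only the standard library, pins the gateway's MAC, and flags any reply that contradicts it. The addresses, MACs and frames are constructed for the demo.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(sender_mac: str, sender_ip: str, target_mac: str,
                    target_ip: str, opcode: int = ARP_REPLY) -> bytes:
    """Build a 42-byte Ethernet II + ARP frame. Used here only to construct sample traffic."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, hlen 6, plen 4
    arp += _mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the sender MAC/IP of an ARP *reply*; None for anything else (requests, non-ARP, short)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return ArpReply(_mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]))


class GatewayArpMonitor:
    """Flags ARP replies that claim the gateway IP from a MAC other than the pinned one."""

    def __init__(self, gateway_ip: str, trusted_mac: Optional[str] = None):
        self.gateway_ip = gateway_ip
        # Pin the MAC from configuration or the DHCP lease if you can; learning it
        # from the first reply seen is weaker, because a rogue could answer first.
        self.trusted_mac = trusted_mac.lower() if trusted_mac else None
        self.alerts: List[str] = []

    def observe(self, reply: ArpReply) -> Optional[str]:
        if reply.sender_ip != self.gateway_ip:
            return None
        if self.trusted_mac is None:
            self.trusted_mac = reply.sender_mac
            return None
        if reply.sender_mac != self.trusted_mac:
            alert = (f"ARP reply claims gateway {self.gateway_ip} from {reply.sender_mac}; "
                     f"expected {self.trusted_mac}")
            self.alerts.append(alert)
            return alert
        return None


def run_demo() -> List[str]:
    """Feed a constructed capture through the monitor and return the alerts raised."""
    gateway, victim = "192.168.1.1", "192.168.1.23"          # constructed addresses
    real_gw_mac, victim_mac = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:23"
    other_mac, rogue_mac = "aa:bb:cc:dd:ee:50", "de:ad:be:ef:00:01"
    frames = [
        build_arp_frame(real_gw_mac, gateway, victim_mac, victim),                    # genuine gateway reply
        build_arp_frame(victim_mac, victim, real_gw_mac, gateway, opcode=ARP_REQUEST),  # a request: ignored
        build_arp_frame(other_mac, "192.168.1.50", victim_mac, victim),               # another host: ignored
        build_arp_frame(rogue_mac, gateway, victim_mac, victim),                      # rogue claims the gateway IP
        build_arp_frame(real_gw_mac, gateway, victim_mac, victim),                    # genuine again: no alert
    ]
    monitor = GatewayArpMonitor(gateway, trusted_mac=real_gw_mac)
    for frame in frames:
        reply = parse_arp_reply(frame)
        if reply is not None:
            monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real host the frames would come from a raw socket or a pcap reader instead of `build_arp_frame`; the parsing and the pinning logic stay the same. A static ARP entry for the gateway on the client achieves the same protection without monitoring, at the cost of breaking when the gateway hardware legitimately changes.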

  4. That says a lot about the 'researcher' by flyingfsck · Score: 4, Insightful

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  5. Here's how I'd do it. by dannycim · Score: 3, Insightful

    1. Bring laptop with extra WiFi dongle into a public area.
    2. Connect to Free WiFi spot using internal nic.
    3. Act as an Access Point on second nic with a cooler sounding SSID.
    4. NAT traffic to first WiFi net and grab everything of interest.
    5. ???
    6. Profit!!!1!!ONE!
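
The rogue access point sketched in the list above is detectable from the operator's side: the venue knows which BSSIDs legitimately beacon its SSID, so any other BSSID advertising that name (or a look-alike name, or the same name as an open network) is worth an alert. The following is an added example, not code from the thread: a small detector run over constructed beacon observations, with the SSID, BSSIDs and channels invented for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Beacon:
    """One observed beacon, as a wireless IDS or a scanning AP would report it."""
    ssid: str
    bssid: str
    channel: int
    rsn: bool  # True when the beacon carries an RSN (WPA2) information element


def normalise_ssid(ssid: str) -> str:
    """Case-fold and drop non-alphanumerics so 'Cafe_Guest' and 'CAFE GUEST ' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


class RogueApDetector:
    """Compares every beacon against the venue's own SSID and its authorised BSSIDs."""

    def __init__(self, ssid: str, authorised_bssids: Set[str]):
        self.ssid = ssid
        self.authorised = {b.lower() for b in authorised_bssids}

    def check(self, beacon: Beacon) -> List[str]:
        findings: List[str] = []
        bssid = beacon.bssid.lower()
        if beacon.ssid == self.ssid:
            if bssid not in self.authorised:
                findings.append(f"{bssid}: unauthorised AP beaconing '{self.ssid}' on channel {beacon.channel}")
            if not beacon.rsn:
                # Also catches one of our own APs misconfigured as open.
                findings.append(f"{bssid}: '{self.ssid}' advertised without RSN (open network)")
        elif normalise_ssid(beacon.ssid) == normalise_ssid(self.ssid):
            findings.append(f"{bssid}: look-alike SSID '{beacon.ssid}' resembles '{self.ssid}'")
        return findings


def run_demo() -> Dict[str, List[str]]:
    """Run the detector over a constructed scan and return findings keyed by BSSID."""
    detector = RogueApDetector("Cafe Guest", {"00:11:22:33:44:01", "00:11:22:33:44:02"})
    observed = [  # constructed observations
        Beacon("Cafe Guest", "00:11:22:33:44:01", 6, True),    # our AP
        Beacon("Cafe Guest", "00:11:22:33:44:02", 11, True),   # our other AP
        Beacon("Cafe Guest", "de:ad:be:ef:00:01", 6, False),   # unknown box, same name, open
        Beacon("CAFE_GUEST", "de:ad:be:ef:00:02", 1, False),   # look-alike name
        Beacon("Other Shop", "66:77:88:99:aa:bb", 1, True),    # unrelated neighbour
    ]
    results: Dict[str, List[str]] = {}
    for beacon in observed:
        findings = detector.check(beacon)
        if findings:
            results[beacon.bssid.lower()] = findings
    return results


if __name__ == "__main__":
    for bssid, findings in run_demo().items():
        for finding in findings:
            print(finding)
```

Detection here only tells the operator that a rogue exists; it does nothing for a guest who has already associated with it, which is the point the thread keeps returning to: the session itself has to be encrypted end to end.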

  6. Re:Before everyone says that's idiotic... by kwerle · Score: 5, Insightful

    > ... Encryption without trust is less than useless.

    I am so tired of that statement. Encryption without trust is Encryption. It is way less than ideal, but way better than cleartext.

    I don't particularly trust my local café.
    I really don't trust their ISP.
    I especially don't trust the phone company.
    I entirely don't trust the government.
    I certainly don't trust facebook.

    But I use the café wireless who uses their ISP who uses the phone company who is tapped by the government when I use facebook. And if the wifi were encrypted, I would not also have to worry about my fellow café sniffers.

    So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hellofa lot better than in the clear.

    Encryption without trust is not security, but it is encryption.

  7. Re:Ridiculous And Totally Not Helpful by muckracer · Score: 5, Insightful

    > Is it secure? Is it bollocks. MITM is perfectly possible. To the extent that in our arms-race-at-starbucks scenario where the hacker has done his ARP spoofing and DHCP,
    > you just add an MITM proxy for SSL connections. Done, your self-signed certs are now useless.

    You're right. And yet this "It's gotta be perfect or it's gotta be nothing at all!" attitude is IMHO what has held crypto back a lot more than necessary. Regardless of crypto and its setup, it's still just one part of a security chain...a chain, which even in the best of circumstances will NEVER achieve 100% security! So let's cut the scare-mongering and focus on not black or white, but lovely hues of security degrees. Something people already know (traffic lights):

    Browser location bar is:

    Red: unencrypted plain-text HTTP
    Yellow: encrypted, unauthenticated HTTPS
    Green: encrypted and authenticated HTTPS

    Just a suggestion.

  8. Re:I like this. by Hatta · Score: 4, Insightful

    > Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved? Wifi only has to be as secure as a wired network, at which point we can use all the protocols we use to keep our systems secure on the public internet.

    --
    Give me Classic Slashdot or give me death!
  9. Re:I like this. by TheLink · Score: 3, Insightful

    > So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved?

    Solved already? Really? The last I checked "zillions" of sites don't support https. Slashdot for instance.

    Some people can tunnel or VPN everything to a trusted gateway, but how many cafe users can do that? So the problem is NOT solved.

    I hope you can figure out for yourself the difference between someone sniffing/exploiting traffic at a cafe, and someone doing it at the ISP or peering level.

    > Wifi only has to be as secure as a wired network

    Yes, but it's _far_ from as secure at the moment. So they have failed.

    1) It's harder to "sniff" a wired network than a wireless one. You need a free port for the former and you need to do stuff like MAC flooding (which can be detected). Or you need super duper Tempest stuff.

    2) It's easier to set up a wired network where devices plugged into one port cannot snoop traffic from devices on another port. You could do this by either using what Cisco calls "port security" (other vendors have their own terms for it), or do "per port VLANs".

    I was in the "hotel internet" line for a while, and we configured our switches so that guests plugged into a port could only talk to our gateway server. So guests using the wired connections were protected from other guests. They might not be protected from the NSA/CIA/KGB/FBI once their traffic leaves our control, but that's arguably beyond our responsibility.

    Whereas wireless connections didn't allow us to protect guests from each other (at least while making it easy for guests to still use the system).

    I am well aware that wireless connections can be DoSed more easily than wired connections, so no matter how much crypto you have, it's still jammable, but that would be a different threat level. Guests could still plug in to the wired port, lose the convenience, but still do their stuff.

    FWIW: if a guest plugs into a wired port and intentionally/unintentionally tries to mess with the system we can usually figure out where that guest is, call the guest up and usually resolve things, even if we are in a different continent.

  10. Re:I tried it by jc42 · Score: 3, Insightful

    > ... educate people ...

    I think I see a problem with your scheme ...

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.