Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

Posted by timothy on from the has-some-drawbacks dept.

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' ''I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

7 of 332 comments (clear)

  1. Re:Before everyone says that's idiotic... by phantomcircuit · · Score: 4, Insightful

    So, technically, it would prevent someone from stealing your interwebs as long as you were already connected.

    Unless of course the attacker sends fake de-authentication packets forcing a new handshake to occur...

  2. WPA2 minimum passphrase length... by atomicstrawberry · · Score: 5, Insightful

    ... is 8 characters.

  3. Re:Ridiculous And Totally Not Helpful by tlhIngan · · Score: 4, Insightful

    Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.

    Yep. And then we'll have a new version of Firesheep with WPA2 decryption. And then another version that'll ARP-spoof the gateway machine so every connected device then routes through your PC.

    It'll end up being that a Firesheep user will just have a fast DHCP server and acting as a gateway for the WiFi so all traffic goes through your PC, forwarding packets to the real gateway.

    No, the ONLY way to defeat Firesheep is to properly encrypt sessions. Otherwise we're just doing an arms race. The ARP spoofing and fake DHCP is basically endgame short of access points going and isolating users from each other. Which would then end up being someone sets up a fake access point that routes to the real one.

    The endgame is, Firesheep can always win. Or anyone with a packet sniffer. Unless the site goes completely SSL.

  4. That says a lot about the 'researcher' by flyingfsck · · Score: 4, Insightful

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  5. Re:Before everyone says that's idiotic... by kwerle · · Score: 5, Insightful

    ... Encryption without trust is less than useless.

    I am so tired of that statement. Encryption without trust is Encryption. It is way less than ideal, but way better than cleartext.

    I don't particularly trust my local cafe'.
    I really don't trust their ISP.
    I especially don't trust the phone company.
    I entirely don't trust the government.
    I certainly don't trust facebook.

    But I use the cafe' wireless who uses their ISP who uses the phone company who is tapped by the government when I use facebook. And if the wifi were encrypted, I would not also have to worry about my fellow cafe' sniffers.

    So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hellofa lot better than in the clear.

    Encryption without trust is not security, but it is encryption.

  6. Re:Ridiculous And Totally Not Helpful by muckracer · · Score: 5, Insightful

    > Is it secure? Is it bollocks. MITM is perfectly possible. To the extent that in our arms-race-at-starbucks scenario where the hacker has done his ARP spoofind and DHCP,
    > you just add an MITM proxy for SSL connections. Done, your self-signed certs are now useless.

    You're right. And yet this "It's gotta be perfect or it's gotta be nothing at all!" attitude is IMHO what has held crypto back a lot more than necessary. Regardless of crypto and its setup, it's still just one part of a security chain...a chain, which even in the best of circumstances will NEVER achieve 100% security! So let's cut the scare-mongering and focus on not black or white, but lovely hues of security degrees. Something people already know (traffic lights):

    Browser location bar is:

    Red: unencrypted plain-text HTTP
    Yellow: encrypted, unauthenticated HTTPS
    Green: encrypted and authenticated HTTPS

    Just a suggestion.

  7. Re:I like this. by Hatta · · Score: 4, Insightful

    Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    So use TLS/HTTPS over wifi. Why should the Wifi standard solve a problem that's already been solved? Wifi only has to be as secure as a wired network, at which point we can use all the protocols we use to keep our systems secure on the public internet.

    --
    Give me Classic Slashdot or give me death!