Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption
An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' 'I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"
... is 8 characters.
... Encryption without trust is less than useless.
I am so tired of that statement. Encryption without trust is Encryption. It is way less than ideal, but way better than cleartext.
I don't particularly trust my local café.
I really don't trust their ISP.
I especially don't trust the phone company.
I entirely don't trust the government.
I certainly don't trust facebook.
But I use the café wireless, who uses their ISP, who uses the phone company, who is tapped by the government, when I use facebook. And if the wifi were encrypted, I would not also have to worry about my fellow café sniffers.
So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hell of a lot better than in the clear.
Encryption without trust is not security, but it is encryption.
> Is it secure? Is it bollocks. MITM is perfectly possible. To the extent that in our arms-race-at-starbucks scenario where the hacker has done his ARP spoofing and DHCP,
> you just add an MITM proxy for SSL connections. Done, your self-signed certs are now useless.
You're right. And yet this "It's gotta be perfect or it's gotta be nothing at all!" attitude is IMHO what has held crypto back a lot more than necessary. Regardless of crypto and its setup, it's still just one part of a security chain...a chain, which even in the best of circumstances will NEVER achieve 100% security! So let's cut the scare-mongering and focus on not black or white, but lovely hues of security degrees. Something people already know (traffic lights):
Browser location bar is:
Red: unencrypted plain-text HTTP
Yellow: encrypted, unauthenticated HTTPS
Green: encrypted and authenticated HTTPS
Just a suggestion.
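The three "traffic light" states proposed in the comment above (plaintext, encrypted-but-unauthenticated, encrypted-and-authenticated) can be modelled with a few lines of Python. This is an added example written for this page, not code from any of the posters: it runs a toy Diffie-Hellman key exchange in the 1024-bit MODP group from RFC 2409, with a SHA-256 keystream standing in for a real cipher and an HMAC under a pre-shared key standing in for the certificate signature a real TLS server would present. It shows why the quoted reply is right that unauthenticated encryption falls to an active man-in-the-middle, and why the comment it answers is also right that it still defeats a passive sniffer. The scenario names and the `run()` helper are assumptions made for the demo.

```python
"""Red / yellow / green: what each connection state protects against.

Constructed demonstration for the traffic-light proposal above. All
primitives here are toys chosen for readability; do not reuse them.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2. Kept small so the
# demo is fast; real deployments use larger groups or elliptic-curve DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2

# Stands in for the server's certificate key: the client is assumed to hold
# the matching verifier out of band, which is exactly the "trust" the thread
# is arguing about. (Assumed for the demo; a real client checks a CA chain.)
SERVER_AUTH_KEY = secrets.token_bytes(32)


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_secret(priv, peer_pub):
    """Derive a 32-byte session key from our exponent and the peer's value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher (SHA-256 counter keystream); encrypts and decrypts."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def sign(pub):
    """Server 'signs' its DH value; plays the role of a certificate signature."""
    return hmac.new(SERVER_AUTH_KEY, pub.to_bytes(128, "big"), "sha256").digest()


def verify(pub, tag):
    return hmac.compare_digest(sign(pub), tag)


def run(mode, active_attacker):
    """Simulate one client->server message.

    mode: "red" (plaintext), "yellow" (DH, no authentication),
          "green" (DH, server value authenticated).
    Returns (attacker_recovers_plaintext, client_aborts_handshake).
    """
    secret_msg = b"session cookie: constructed-example-value"

    s_priv, s_pub = dh_keypair()            # server
    tag = sign(s_pub) if mode == "green" else None
    a_priv, a_pub = dh_keypair()            # attacker's own exchange

    # On the wire an active attacker swaps in its own public value.
    pub_seen_by_client = a_pub if (active_attacker and mode != "red") else s_pub

    if mode == "green" and not verify(pub_seen_by_client, tag):
        return False, True                  # green: substitution is detected

    c_priv, c_pub = dh_keypair()            # client
    if mode == "red":
        wire = secret_msg
    else:
        wire = xor_stream(dh_secret(c_priv, pub_seen_by_client), secret_msg)

    if mode == "red":
        attacker_plain = wire               # nothing to break
    elif active_attacker:
        # Client actually agreed a key with the attacker, who can decrypt
        # (and would re-encrypt toward the real server to stay unnoticed).
        attacker_plain = xor_stream(dh_secret(a_priv, c_pub), wire)
    else:
        # Passive sniffer: sees G, P, s_pub, c_pub and the ciphertext but holds
        # neither exponent, so it can only try a key that is not the real one.
        attacker_plain = xor_stream(hashlib.sha256(c_pub.to_bytes(128, "big")).digest(), wire)

    return attacker_plain == secret_msg, False


if __name__ == "__main__":
    for mode in ("red", "yellow", "green"):
        for active in (False, True):
            leaked, aborted = run(mode, active)
            print(f"{mode:6} active={active!s:5} leaked={leaked!s:5} aborted={aborted}")
```

Read the output row by row: red leaks to everyone, yellow holds against a passive sniffer but leaks to an active attacker, and green refuses the substituted handshake. That last row is the whole difference between "encrypted" and "authenticated", which is why the comment above wants the two shown in different colours rather than one padlock.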