Slashdot Mirror


Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' 'I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

2 of 332 comments

  1. Careful with those quotation marks by Anonymous Coward · Score: 0, Troll

    "free" and "free." are not the same.

  2. Re:Before everyone says that's idiotic... by Nursie · Score: 1, Troll

    "And if the wifi were encrypted, I would not also have to worry about my fellow cafe' sniffers.

    So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hellofa lot better than in the clear."

    Except it's not, because there are attacks that allow you to see the data if you capture the handshake, regardless of whether the traffic once you've set up the session is encrypted or not. And there are ways to force the handshake to replay without the user ever finding out. Even with DH there are various MITM, DNS insertion and other tricks that can be done.

    Worse than useless, I'm not sure, but equal to useless, certainly, because it doesn't stop the other people in the coffee shop from doing anything much they like; they just need slightly more sophisticated tools than Firesheep.