Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption

Posted by timothy on from the has-some-drawbacks dept.

An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' ''I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"

10 of 332 comments (clear)

  1. Ridiculous And Totally Not Helpful by phantomcircuit · · Score: 5, Interesting

    Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.

    1. Re:Ridiculous And Totally Not Helpful by muckracer · · Score: 5, Insightful

      > Is it secure? Is it bollocks. MITM is perfectly possible. To the extent that in our arms-race-at-starbucks scenario where the hacker has done his ARP spoofind and DHCP,
      > you just add an MITM proxy for SSL connections. Done, your self-signed certs are now useless.

      You're right. And yet this "It's gotta be perfect or it's gotta be nothing at all!" attitude is IMHO what has held crypto back a lot more than necessary. Regardless of crypto and its setup, it's still just one part of a security chain...a chain, which even in the best of circumstances will NEVER achieve 100% security! So let's cut the scare-mongering and focus on not black or white, but lovely hues of security degrees. Something people already know (traffic lights):

      Browser location bar is:

      Red: unencrypted plain-text HTTP
      Yellow: encrypted, unauthenticated HTTPS
      Green: encrypted and authenticated HTTPS

      Just a suggestion.

  2. WPA2 minimum passphrase length... by atomicstrawberry · · Score: 5, Insightful

    ... is 8 characters.

    1. Re:WPA2 minimum passphrase length... by wilson_c · · Score: 5, Funny

      freeeeee?

  3. Re:Before everyone says that's idiotic... by Anonymous Coward · · Score: 5, Informative

    In other words, the designers of WPA2 screwed up by not using something like Diffie-Hellman to negotiate a private connection before the initial password even changed hands?

    I realize this would be subject to man-in-the-middle, but that would seem to be detectable as you would get two different responses when you tried to do the initial negotiation, after which the OS should report "something's screwy with this network" and refuse to connect.

    WPA designers punt the problem of establishing initial session encryption key to EAPOL. Designers of EAP applications can use whatever authentication protocol and crypto bindings between layers that they want.

    DH is pointless in the case you point out because it would be trivial to operate as you point out a middle man to circumvent. For a "This is screwy" response to be possible it would require some prior knowledge to establish a trust relationship between systems. Encryption without trust is less than useless.

  4. Re:Before everyone says that's idiotic... by kwerle · · Score: 5, Insightful

    ... Encryption without trust is less than useless.

    I am so tired of that statement. Encryption without trust is Encryption. It is way less than ideal, but way better than cleartext.

    I don't particularly trust my local cafe'.
    I really don't trust their ISP.
    I especially don't trust the phone company.
    I entirely don't trust the government.
    I certainly don't trust facebook.

    But I use the cafe' wireless who uses their ISP who uses the phone company who is tapped by the government when I use facebook. And if the wifi were encrypted, I would not also have to worry about my fellow cafe' sniffers.

    So is that first hop encryption a complete solution? Nope. Anyone between the wireless router and facebook can still listen in. But it'd sure be a hellofa lot better than in the clear.

    Encryption without trust is not security, but it is encryption.

  5. Re:I like this. by TheLink · · Score: 5, Interesting

    I've suggested this before a few times: http://it.slashdot.org/comments.pl?sid=457132&cid=22455074

    Thing is he left out the part where there are two different modes of WPA2.

    One (WPA2 PSK) where if everyone has the same password, it's still not secure (know the same key, sniff a session's 4 way handshake, and you can decrypt that session's traffic).

    And one (the other WPA2) where it's supposedly more secure, but apparently still has problems: http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html

    Yeah, not so simple for Starbucks to get right...

    Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.

    HTTPS doesn't solve the "stupid user problem", or the "browsers not warning users of changed CAs", but at least the tech/standard isn't that crap, it's more a people problem.

    --
  6. He's not a researcher, he's a salesman by Anonymous Coward · · Score: 5, Informative

    Uhmm, maybe Sophos should invest in security training of their staff before they start selling supposed security products.

    He's neither a researcher (someone who works in the virus labs) nor an engineer (someone involved in development of our endpoint or management products). He's in sales. Nothing to see here people, move along.

    Posting anonymously because I work there.

  7. A simple modification to EAP-TLS by yuhong · · Score: 5, Interesting

    Christopher Byrd has a simple modification to EAP-TLS that disables client certificate validation to provide more secure open wi-fi:
    http://riosec.com/open-secure-wireless
    This would require modifying only the Authenticator and the Supplicant, and it would be a simple modification to both.

  8. Standards conflate encryption and authentication by billstewart · · Score: 5, Informative

    Most of the Wifi systems are negotiating a random session key and using the password to authenticate it, so that's doing pretty much what you want.

    However, they were mostly designed with the assumption that the objective is to prevent unauthorized access, not to protect the contents of the communications from eavesdropping, so the only way you can get encrypted sessions is to have password control, which is too bad.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks