Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption 332
An anonymous reader writes "In the wake of concerns about FireSheep sniffing credentials from people using unencrypted public WiFi hotspots, a security researcher has proposed that the problem does not just lie with big websites like Facebook, but also with those who provide free wireless internet access. Chet Wisniewski, a researcher at security firm Sophos, proposes that all free WiFi hotspots should be encrypted — with the password 'free.' ''I propose standard adoption of WPA2 and a default password of "free." Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password. Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.'"
Before everyone says that's idiotic... (Score:4, Interesting)
Ridiculous And Totally Not Helpful (Score:5, Interesting)
Maybe he hasn't noticed that wireshark can decrypt WPA2 traffic so long as the network is being sniffed when the client originally connects.
Re:Before everyone says that's idiotic... (Score:3, Interesting)
Security's not my area, so maybe this question is nonsense, but why does each wireless router not have its own unique public/private key pair installed at the factory (that could later be changed by the owner) so that the session key could be generated by the client, sent to the server encrypted by the public key, and now only the router can decrypt the session key?
Re:Careful with those quotation marks (Score:3, Interesting)
Except when you're signifying an explicit string that will need to be readable by a computer. I would tend to err on the side of caution lest someone mistake my correct English punctuation for some sort of design intent.
Re:Before everyone says that's idiotic... (Score:2, Interesting)
I realize this would be subject to man-in-the-middle, but that would seem to be detectable as you would get two different responses when you tried to do the initial negotiation, after which the OS should report "something's screwy with this network" and refuse to connect.
Re:Standard Default Password? (Score:3, Interesting)
Re:Ridiculous And Totally Not Helpful (Score:4, Interesting)
The endgame is, Firesheep can always win. Or anyone with a packet sniffer. Unless the site goes completely SSL.
Indeed, this is the most obvious end result.
And now, for the most ridiculous question ever: Why isn't this being done? It isn't 1995 anymore: SSL is (at worst) easy and well-understood for these purposes.
Why does this continue to be an uphill battle?
Re:Ridiculous And Totally Not Helpful (Score:1, Interesting)
Because you have to pay to get your certificate signed, and sites that aren't transmitting sensitive data aren't going to pay for it.
Yes, you can self-sign and avoid the costs, but if you do that the browsers tell the users that you're a dirty, evil cheat and liar for doing so, scaring visitors away from your site. It's taught people to think that insecure browsing is safer than SSL with self-signed certificates.
Until something changes with either the browsers or the signing process, we'll never see 100% SSL use on webpages.
Re:I like this. (Score:5, Interesting)
I've suggested this before a few times: http://it.slashdot.org/comments.pl?sid=457132&cid=22455074 [slashdot.org]
Thing is he left out the part where there are two different modes of WPA2.
One (WPA2 PSK) where if everyone has the same password, it's still not secure (know the same key, sniff a session's 4 way handshake, and you can decrypt that session's traffic).
And one (the other WPA2) where it's supposedly more secure, but apparently still has problems: http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html [wifinetnews.com]
Yeah, not so simple for Starbucks to get right...
Basically the WiFi standards bunch screwed up. So I actually blame them for a lot of the problems. So many years and they still haven't got WiFi to the level of TLS/HTTPS.
HTTPS doesn't solve the "stupid user problem", or the "browsers not warning users of changed CAs", but at least the tech/standard isn't that crap, it's more a people problem.
"British" style is indeed logical (Score:5, Interesting)
It's also perhaps worth noting that punctuation style is nothing at all to do with correct English. Punctuation is there to help understand the text, not to be part of it, and anyone who has ever trained as a copy editor knows that there are endless arguments over its proper use. If putting a full stop inside a quote means someone would naturally consider it part of the quoted material, it is clearly wrong.
Set SSID to "password = free" etc. (Score:5, Interesting)
If you put the password in the SSID so it's obvious, people won't have to guess if you're following that convention, or the convention that the password is "guest" or whatever.
A simple modification to EAP-TLS (Score:5, Interesting)
Christopher Byrd has a simple modification to EAP-TLS that disables client certificate validation to provide more secure open wi-fi:
http://riosec.com/open-secure-wireless [riosec.com]
This would require modifying only the Authenticator and the Supplicant, and it would be a simple modification to both.
Re:Standards conflate encryption and authenticatio (Score:3, Interesting)
Re:I like this. (Score:3, Interesting)
You can capture the handshake w/ WPA but not WPA2.
Or more technically sniffing the WPA2 handshake will not allow you to decrypt the traffic.
Of course TKIP is flawed and was only really included to allow backwards comptibility. WPA2 AES should be the only option.