[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Fri Sep 19 09:54:09 UTC 2008

> We do have about 6,000 thowsands of open links in Catalonia, all of that 
> outdoors, which means public locations.
> I assume there are some criminals at the region like any other region in 
> the world.
> If you see, by having open and free networks that doesn't make ant 
> difference at all. 

I'm not convinced of that... since the open network itself provides a
(rather "safe") medium for the attacker to attack. I could put a device
in your public area network to harvest peoples Internet traffic a whole
lot easier than trying to achieve a similar kind of man-in-the-middle
attack by hacking a system within an ISP or breaking into a building to
tap the Ethernet. Or, I could just put up my own access points with the
same SSID and your users would know no difference.

> "Security" in the terms of user "safety" you are referring happens when 
> you have firewalls avoiding others to get into your private segments of 
> the network which really requires security, or enabling VPN connections 
> when you are trespassing the open networks (that's the real function of 
> the VPN). Not by closing open networks/accesses.
> 

Yes, creating a false sense of security is absolutely the worst thing
one can do. I believe the industry has done a good job of educating the
public about the risks posed by leaving your home access point open.
This is easily verified by scanning in a dense city and seeing how many
access points are using some form of security. 

True, security isn't absolute. It never is. It can be broken or socially
engineered. But, locking down your AP does more: it gives "notice" to
people that trespassing is not welcome. You can't prevent people from
breaking the law, but you can keep honest people honest by making it a
conscious decision on their part.

> To encrypt the network itself to close it, creates a false idea of 
> safety and you loose performance and usability, and that is much more 
> worst for the average user.
> 
> You must educate the users on security, not to lie them or propagate the 
> paranoia that open networks do compromise the safety.

Yet, open networks *do* compromise security... or rather, provide none.
Does the public know this? Do they even know exactly what network they
are connecting to? Do they have the right information to make a valid
risk assessment for themselves? 

I said before that individual locations are different from anything city
wide. This has a lot to do with a sense of security... I believe people
sitting in a cafe know they are in a public place, that it isn't their
everyday network, and they have *some* criteria to decide for themselves
if they are safe. It gets more complicated when you teach people to
connect anywhere and everywhere. It raises the user's comfort level
using networks they know nothing about. They start using it every day
and in places they normally might not consider "safe". If the network is
government sponsored, I'd also argue that fact alone will give the
impression of legitimacy and safety. 

What makes matters worse is that your laptop will likely automatically
connect to open networks and apps like e-mail will start synchronizing.
This might even happen *before* the user has made any kind of risk
assessment. At least with networks providing a captive portal, this kind
of automatic loss of information isn't so automatic - connections to the
POP server will fail. The user can then be given some information about
the network, terms of service, the risks, and other tips on how to
protect themselves before clicking to get access. 

David