Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOff topicUnsecured free wifi - good/bad?


6305 posts

Uber Geek
+1 received by user: 378

Moderator
Trusted
Lifetime subscriber

Topic # 113297 12-Jan-2013 14:38
Send private message

Just had a tweet about our cafe's free wifi:

Was just informed of this cafe's free WiFi. Checked it and it's unencrypted. No thank you, I like my stuff not to be flying around bare


What do you lot think?  Once I get a few replies, I'll explain my thinking around why it's unencrypted.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
395 posts

Ultimate Geek
+1 received by user: 86

Subscriber

  Reply # 743772 12-Jan-2013 14:41
Send private message

Virtually all cafe's have unencrypted Wi-Fi don't they? I can't recall ever encountering one with encryption.

BDFL - Memuneh
59999 posts

Uber Geek
+1 received by user: 11098

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 743776 12-Jan-2013 14:46
Send private message

If the person is really worried about unencrypted WiFi they should use a VPN.

You could encrypt the WiFi AP and make the key visible everywhere around the cafe. People can still access but the traffic is encrytped. But only really make things difficult.

If I go to a place with my laptop and the WiFi is open I use a VPN (such as cafes and conferences). If I have my phone I just use 3G.

If the person is thinking of using a phone or tablet they should be using 3G. If they were cheap to not buy a 3G device then they can't complain about their options.




Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business)My technology disclosure  

 

You can support content creators (and Geekzone) by using the Brave browser.

 
 
 
 


Try Wrike: fast, easy, and efficient project collaboration software
1539 posts

Uber Geek
+1 received by user: 39

Trusted

  Reply # 743781 12-Jan-2013 15:12
Send private message

TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.

Anything I want done securely I tether my phone over 3G anyway.

602 posts

Ultimate Geek
+1 received by user: 65

Trusted

  Reply # 743783 12-Jan-2013 15:32
Send private message

No real difference between Unencrypted Wifi and Encrypted wifi where everyone knows the Password. Once you have the password, everything on the broadcast domain is fair game.

I personally choose not to use Unencrypted Wifi generally, because i'm not keen on something 'leaking' out in an unencrypted sense, but the truth is that if you encrypted it with a commonly known or accessible password, it wouldn't be any more secure.




This would be me...

26197 posts

Uber Geek
+1 received by user: 5796

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 743881 12-Jan-2013 21:14
Send private message

Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.

1923 posts

Uber Geek
+1 received by user: 139


  Reply # 743898 12-Jan-2013 22:20
Send private message

Personally I think you're doing the right thing. By offering a free unsecured network you're making it clear you have no obligation to the user in terms of their usage content or security. It's an 'all care, no responsibility' approach. If customers have an issue with that then they have other choices.


13787 posts

Uber Geek
+1 received by user: 1714


  Reply # 743900 12-Jan-2013 22:25
Send private message

Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

1923 posts

Uber Geek
+1 received by user: 139


  Reply # 743901 12-Jan-2013 22:30
Send private message

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

Agree with your comment about not being a fan, but free access doesn't mean the connection is un-restricted

599 posts

Ultimate Geek
+1 received by user: 25


  Reply # 743913 12-Jan-2013 22:54
Send private message

I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.

2940 posts

Uber Geek
+1 received by user: 428

Trusted
Subscriber

  Reply # 744006 13-Jan-2013 11:14
Send private message

gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.

BDFL - Memuneh
59999 posts

Uber Geek
+1 received by user: 11098

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 744008 13-Jan-2013 11:17
Send private message

I have three VPN solutions that I can use while away from my LAN:

- In New Zealand: OpenVPN to Synology NAS at home and from there to the Internet
- In New Zealand: LogMein Hamachi to one of the Geekzone monitoring servers in Auckland, and from there proxy to the Internet
- Outside New Zealand: OpenVPN to WiTopia

Since WiTopia doesn't have a New Zealand end point I use my local "home made" alternatives to not add too much latency. When overseas I use WiTopia everywhere else.




Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business)My technology disclosure  

 

You can support content creators (and Geekzone) by using the Brave browser.

599 posts

Ultimate Geek
+1 received by user: 25


  Reply # 744277 13-Jan-2013 21:51
Send private message

Kyanar:
gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.


Sorry I meant in regards to securing the users login details/private information when they authenticate.  I understand fully that once they authenticate and leave the captive portal, they are vulnerable.

621 posts

Ultimate Geek
+1 received by user: 121


  Reply # 744326 13-Jan-2013 23:36
Send private message

sbiddle: Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.




From what I understand so far, AP isolation doesn't stop someone with a network device in promiscuous mode from sniffing all the data being broadcast (and by broadcast I mean RF). It's all still there for any device to watch, there's no need for something like man in the middle efforts.

I agree VPN is the way to go if you must use open wi-fi. If someone was serious enough one could sit out front with a netbook running as a rogue AP with the same network name. Most wouldn't be the wiser.

Personally, I don't do anything on an open wi-fi network other than basic news/media reading/watching. Even if there was encryption being used, I wouldn't expect cafe staff to know anything about it to gain any trust in it for the short stay anyway. Cafe internet is use at your own risk and I'm fine with that.

20882 posts

Uber Geek
+1 received by user: 4094

Trusted
Subscriber

  Reply # 744565 14-Jan-2013 14:36
Send private message

Sniffing like that worked great in the days of 54 meg G gear, but with multi stream N, sniffing doesnt actually get a hell of a lot since the streams are not aimed at the sniffer.

And yes, I at one time did leave an old linksys in the boot of the car with a SSID of "free google wifi" or something to see how many people tried to connect. The answer was lots, and that was some time ago. If I was really evil I could have had a google like splashscreen and ask for credentials and see how many were dumb enough to provide them.

The problem with wifi is there is no authentication of the base stations, so anyone can impersonate you, including a friends neighbour that seems to take great joy at copying their SSID making things break for them.




Richard rich.ms



6305 posts

Uber Geek
+1 received by user: 378

Moderator
Trusted
Lifetime subscriber

  Reply # 744594 14-Jan-2013 15:11
Send private message

boby55: TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.


Exactly.  Also, if they type the password in incorrectly, they will ask my staff what is wrong - hospo staff aren't IT technicians (far from it)

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it.


We mitigate this as much as possible by having a data limit up/down on known protocols like browsing, email etc, and rating limiting all and everything else to 0 (so pretty much unusable)

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Amazon launches the International Shopping Experience in the Amazon Shopping App
Posted 19-Apr-2018 08:38

Spark New Zealand and TVNZ to bring coverage of Rugby World Cup 2019
Posted 16-Apr-2018 06:55

How Google can seize Microsoft Office crown
Posted 14-Apr-2018 11:08

How back office transformation drives IRD efficiency
Posted 12-Apr-2018 21:15

iPod laws in a smartphone world: will we ever get copyright right?
Posted 12-Apr-2018 21:13

Lightbox service using big data and analytics to learn more about customers
Posted 9-Apr-2018 12:11

111 mobile caller location extended to iOS
Posted 6-Apr-2018 13:50

Huawei announces the HUAWEI P20 series
Posted 29-Mar-2018 11:41

Symantec Internet Security Threat Report shows increased endpoint technology risks
Posted 26-Mar-2018 18:29

Spark switches on long-range IoT network across New Zealand
Posted 26-Mar-2018 18:22

Stuff Pix enters streaming video market
Posted 21-Mar-2018 09:18

Windows no longer Microsoft’s main focus
Posted 13-Mar-2018 07:47

Why phone makers are obsessed with cameras
Posted 11-Mar-2018 12:25

New Zealand Adopts International Open Data Charter
Posted 3-Mar-2018 12:48

Shipments tumble as NZ phone upgrades slow
Posted 2-Mar-2018 11:48


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.