Unsecured free wifi

Forums › Off topic › Unsecured free wifi - good/bad?

nate

6328 posts

Uber Geek
+1 received by user: 391

Moderator

Trusted

Lifetime subscriber

Topic # 113297 12-Jan-2013 14:38

Just had a tweet about our cafe's free wifi:

Was just informed of this cafe's free WiFi. Checked it and it's unencrypted. No thank you, I like my stuff not to be flying around bare

What do you lot think? Once I get a few replies, I'll explain my thinking around why it's unencrypted.

1 | 2

401 posts

Ultimate Geek
+1 received by user: 90

Subscriber

Reply # 743772 12-Jan-2013 14:41

Virtually all cafe's have unencrypted Wi-Fi don't they? I can't recall ever encountering one with encryption.

freitasm

BDFL - Memuneh
61331 posts

Uber Geek
+1 received by user: 12075

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 743776 12-Jan-2013 14:46

If the person is really worried about unencrypted WiFi they should use a VPN.

You could encrypt the WiFi AP and make the key visible everywhere around the cafe. People can still access but the traffic is encrytped. But only really make things difficult.

If I go to a place with my laptop and the WiFi is open I use a VPN (such as cafes and conferences). If I have my phone I just use 3G.

If the person is thinking of using a phone or tablet they should be using 3G. If they were cheap to not buy a 3G device then they can't complain about their options.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management

boby55

1539 posts

Uber Geek
+1 received by user: 39

Trusted

Reply # 743781 12-Jan-2013 15:12

TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.

Anything I want done securely I tether my phone over 3G anyway.

BlakJak

638 posts

Ultimate Geek
+1 received by user: 78

Trusted

Reply # 743783 12-Jan-2013 15:32

No real difference between Unencrypted Wifi and Encrypted wifi where everyone knows the Password. Once you have the password, everything on the broadcast domain is fair game.

I personally choose not to use Unencrypted Wifi generally, because i'm not keen on something 'leaking' out in an unencrypted sense, but the truth is that if you encrypted it with a commonly known or accessible password, it wouldn't be any more secure.

This would be me...

sbiddle

27065 posts

Uber Geek
+1 received by user: 6509

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 743881 12-Jan-2013 21:14

Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.

oxnsox

1923 posts

Uber Geek
+1 received by user: 139

Reply # 743898 12-Jan-2013 22:20

Personally I think you're doing the right thing. By offering a free unsecured network you're making it clear you have no obligation to the user in terms of their usage content or security. It's an 'all care, no responsibility' approach. If customers have an issue with that then they have other choices.

mattwnz

14353 posts

Uber Geek
+1 received by user: 1866

Reply # 743900 12-Jan-2013 22:25

Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

oxnsox

1923 posts

Uber Geek
+1 received by user: 139

Reply # 743901 12-Jan-2013 22:30

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

Agree with your comment about not being a fan, but free access doesn't mean the connection is un-restricted

gareth41

607 posts

Ultimate Geek
+1 received by user: 28

Reply # 743913 12-Jan-2013 22:54

I run a wifi hotspot service providing captive portals for cafe's, motels etc... all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated. But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion. If someone really wanted to start sniffing i've just made things a whole lot harder for them.

Kyanar

3034 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 744006 13-Jan-2013 11:14

gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc... all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated. But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion. If someone really wanted to start sniffing i've just made things a whole lot harder for them.

No you haven't. If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not. Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points. That includes banking, possibly even checking email. If you intend to, then establish a VPN connection back to a trusted network to do so.

freitasm

BDFL - Memuneh
61331 posts

Uber Geek
+1 received by user: 12075

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 744008 13-Jan-2013 11:17

I have three VPN solutions that I can use while away from my LAN:

- In New Zealand: OpenVPN to Synology NAS at home and from there to the Internet
- In New Zealand: LogMein Hamachi to one of the Geekzone monitoring servers in Auckland, and from there proxy to the Internet
- Outside New Zealand: OpenVPN to WiTopia

Since WiTopia doesn't have a New Zealand end point I use my local "home made" alternatives to not add too much latency. When overseas I use WiTopia everywhere else.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management

gareth41

607 posts

Ultimate Geek
+1 received by user: 28

Reply # 744277 13-Jan-2013 21:51

Kyanar:
gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc... all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated. But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion. If someone really wanted to start sniffing i've just made things a whole lot harder for them.

No you haven't. If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not. Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points. That includes banking, possibly even checking email. If you intend to, then establish a VPN connection back to a trusted network to do so.

Sorry I meant in regards to securing the users login details/private information when they authenticate. I understand fully that once they authenticate and leave the captive portal, they are vulnerable.

kiwirock

623 posts

Ultimate Geek
+1 received by user: 124

Reply # 744326 13-Jan-2013 23:36

sbiddle: Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.

From what I understand so far, AP isolation doesn't stop someone with a network device in promiscuous mode from sniffing all the data being broadcast (and by broadcast I mean RF). It's all still there for any device to watch, there's no need for something like man in the middle efforts.

I agree VPN is the way to go if you must use open wi-fi. If someone was serious enough one could sit out front with a netbook running as a rogue AP with the same network name. Most wouldn't be the wiser.

Personally, I don't do anything on an open wi-fi network other than basic news/media reading/watching. Even if there was encryption being used, I wouldn't expect cafe staff to know anything about it to gain any trust in it for the short stay anyway. Cafe internet is use at your own risk and I'm fine with that.

richms

21464 posts

Uber Geek
+1 received by user: 4362

Trusted

Subscriber

Reply # 744565 14-Jan-2013 14:36

Sniffing like that worked great in the days of 54 meg G gear, but with multi stream N, sniffing doesnt actually get a hell of a lot since the streams are not aimed at the sniffer.

And yes, I at one time did leave an old linksys in the boot of the car with a SSID of "free google wifi" or something to see how many people tried to connect. The answer was lots, and that was some time ago. If I was really evil I could have had a google like splashscreen and ask for credentials and see how many were dumb enough to provide them.

The problem with wifi is there is no authentication of the base stations, so anyone can impersonate you, including a friends neighbour that seems to take great joy at copying their SSID making things break for them.

Richard rich.ms

nate

6328 posts

Uber Geek
+1 received by user: 391

Moderator

Trusted

Lifetime subscriber

Reply # 744594 14-Jan-2013 15:11

boby55: TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.

Exactly. Also, if they type the password in incorrectly, they will ask my staff what is wrong - hospo staff aren't IT technicians (far from it)

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it.

We mitigate this as much as possible by having a data limit up/down on known protocols like browsing, email etc, and rating limiting all and everything else to 0 (so pretty much unusable)

1 | 2