Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOff topicUnsecured free wifi - good/bad?


6373 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

#113297 12-Jan-2013 14:38
Send private message

Just had a tweet about our cafe's free wifi:

Was just informed of this cafe's free WiFi. Checked it and it's unencrypted. No thank you, I like my stuff not to be flying around bare


What do you lot think?  Once I get a few replies, I'll explain my thinking around why it's unencrypted.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
429 posts

Ultimate Geek

Subscriber

  #743772 12-Jan-2013 14:41
Send private message

Virtually all cafe's have unencrypted Wi-Fi don't they? I can't recall ever encountering one with encryption.

BDFL - Memuneh
66335 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #743776 12-Jan-2013 14:46
Send private message

If the person is really worried about unencrypted WiFi they should use a VPN.

You could encrypt the WiFi AP and make the key visible everywhere around the cafe. People can still access but the traffic is encrytped. But only really make things difficult.

If I go to a place with my laptop and the WiFi is open I use a VPN (such as cafes and conferences). If I have my phone I just use 3G.

If the person is thinking of using a phone or tablet they should be using 3G. If they were cheap to not buy a 3G device then they can't complain about their options.




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

 
 
 
 


1539 posts

Uber Geek

Trusted

  #743781 12-Jan-2013 15:12
Send private message

TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.

Anything I want done securely I tether my phone over 3G anyway.

745 posts

Ultimate Geek

Trusted

  #743783 12-Jan-2013 15:32
Send private message

No real difference between Unencrypted Wifi and Encrypted wifi where everyone knows the Password. Once you have the password, everything on the broadcast domain is fair game.

I personally choose not to use Unencrypted Wifi generally, because i'm not keen on something 'leaking' out in an unencrypted sense, but the truth is that if you encrypted it with a commonly known or accessible password, it wouldn't be any more secure.




No signature to see here, move along...

28820 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #743881 12-Jan-2013 21:14
Send private message

Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.

1923 posts

Uber Geek


  #743898 12-Jan-2013 22:20
Send private message

Personally I think you're doing the right thing. By offering a free unsecured network you're making it clear you have no obligation to the user in terms of their usage content or security. It's an 'all care, no responsibility' approach. If customers have an issue with that then they have other choices.


15889 posts

Uber Geek


  #743900 12-Jan-2013 22:25
Send private message

Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

 
 
 
 


1923 posts

Uber Geek


  #743901 12-Jan-2013 22:30
Send private message

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it. eg Illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

Agree with your comment about not being a fan, but free access doesn't mean the connection is un-restricted

640 posts

Ultimate Geek


  #743913 12-Jan-2013 22:54
Send private message

I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.

3147 posts

Uber Geek

Trusted
Subscriber

  #744006 13-Jan-2013 11:14
Send private message

gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.

BDFL - Memuneh
66335 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #744008 13-Jan-2013 11:17
Send private message

I have three VPN solutions that I can use while away from my LAN:

- In New Zealand: OpenVPN to Synology NAS at home and from there to the Internet
- In New Zealand: LogMein Hamachi to one of the Geekzone monitoring servers in Auckland, and from there proxy to the Internet
- Outside New Zealand: OpenVPN to WiTopia

Since WiTopia doesn't have a New Zealand end point I use my local "home made" alternatives to not add too much latency. When overseas I use WiTopia everywhere else.




 

Geekzone broadband switch | Backblaze backup (Geekzone aff) | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Sharesies (ref code) | My technology disclosure 

640 posts

Ultimate Geek


  #744277 13-Jan-2013 21:51
Send private message

Kyanar:
gareth41: I run a wifi hotspot service providing captive portals for cafe's, motels etc...  all of the login pages use ssl, the ap's have ap isolation enabled by default, save password cookies are encrypted, php sessions are also checked and regenerated.  But at the end of the day theres only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing i've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.


Sorry I meant in regards to securing the users login details/private information when they authenticate.  I understand fully that once they authenticate and leave the captive portal, they are vulnerable.

652 posts

Ultimate Geek


  #744326 13-Jan-2013 23:36
Send private message

sbiddle: Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.




From what I understand so far, AP isolation doesn't stop someone with a network device in promiscuous mode from sniffing all the data being broadcast (and by broadcast I mean RF). It's all still there for any device to watch, there's no need for something like man in the middle efforts.

I agree VPN is the way to go if you must use open wi-fi. If someone was serious enough one could sit out front with a netbook running as a rogue AP with the same network name. Most wouldn't be the wiser.

Personally, I don't do anything on an open wi-fi network other than basic news/media reading/watching. Even if there was encryption being used, I wouldn't expect cafe staff to know anything about it to gain any trust in it for the short stay anyway. Cafe internet is use at your own risk and I'm fine with that.

23077 posts

Uber Geek

Trusted
Subscriber

  #744565 14-Jan-2013 14:36
Send private message

Sniffing like that worked great in the days of 54 meg G gear, but with multi stream N, sniffing doesnt actually get a hell of a lot since the streams are not aimed at the sniffer.

And yes, I at one time did leave an old linksys in the boot of the car with a SSID of "free google wifi" or something to see how many people tried to connect. The answer was lots, and that was some time ago. If I was really evil I could have had a google like splashscreen and ask for credentials and see how many were dumb enough to provide them.

The problem with wifi is there is no authentication of the base stations, so anyone can impersonate you, including a friends neighbour that seems to take great joy at copying their SSID making things break for them.




Richard rich.ms



6373 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #744594 14-Jan-2013 15:11
Send private message

boby55: TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than its worth as you no matter how many signs you put up you will have people asking staff what the password is.


Exactly.  Also, if they type the password in incorrectly, they will ask my staff what is wrong - hospo staff aren't IT technicians (far from it)

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it.


We mitigate this as much as possible by having a data limit up/down on known protocols like browsing, email etc, and rating limiting all and everything else to 0 (so pretty much unusable)

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Intel introduces 10th Gen Intel Core H-series for mobile devices
Posted 2-Apr-2020 21:09

COVID-19: new charitable initiative to fund remote monitoring for at-risk patients
Posted 2-Apr-2020 11:07

Huawei introduces the P40 Series of Android-based smartphones
Posted 31-Mar-2020 17:03

Samsung Galaxy Z Flip now available for pre-order in New Zealand
Posted 31-Mar-2020 16:39

New online learning platform for kids stuck at home during COVID-19 lockdown
Posted 26-Mar-2020 21:35

New 5G Nokia smartphone unveiled as portfolio expands
Posted 26-Mar-2020 17:11

D-Link ANZ launches wireless AC1200 4G LTE router
Posted 26-Mar-2020 16:32

Ring introduces two new video doorbells and new pre-roll technology
Posted 17-Mar-2020 16:59

OPPO uncovers flagship Find X2 Pro smartphone
Posted 17-Mar-2020 16:54

D-Link COVR-2202 mesh Wi-Fi system now protected by McAfee
Posted 17-Mar-2020 16:00

Spark Sport opens its platform up to all New Zealanders at no charge
Posted 17-Mar-2020 10:04

Spark launches 5G Starter Fund
Posted 8-Mar-2020 19:19

TRENDnet launches high-performance WiFi Mesh Router System
Posted 5-Mar-2020 08:48

Sony boosts full-frame lens line-up with introduction of FE 20mm F1.8 G large-aperture ultra-wide-angle prime Lens
Posted 5-Mar-2020 08:44

Vector and Spark teamed up on smart metering initiative
Posted 5-Mar-2020 08:42


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.