Geekzone: technology news, blogs, forums


6314 posts

Uber Geek
+1 received by user: 380

Moderator
Trusted
Lifetime subscriber

Topic # 113297 12-Jan-2013 14:38

Just had a tweet about our cafe's free wifi:

Was just informed of this cafe's free WiFi. Checked it and it's unencrypted. No thank you, I like my stuff not to be flying around bare


What do you lot think?  Once I get a few replies, I'll explain my thinking around why it's unencrypted.

397 posts

Ultimate Geek
+1 received by user: 86

Subscriber

  Reply # 743772 12-Jan-2013 14:41

Virtually all cafes have unencrypted Wi-Fi, don't they? I can't recall ever encountering one with encryption.

BDFL - Memuneh
60771 posts

Uber Geek
+1 received by user: 11663

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 743776 12-Jan-2013 14:46

If the person is really worried about unencrypted WiFi they should use a VPN.

You could encrypt the WiFi AP and make the key visible everywhere around the cafe. People can still access but the traffic is encrypted. But only really make things difficult.

If I go to a place with my laptop and the WiFi is open I use a VPN (such as cafes and conferences). If I have my phone I just use 3G.

If the person is thinking of using a phone or tablet they should be using 3G. If they were cheap to not buy a 3G device then they can't complain about their options.




1539 posts

Uber Geek
+1 received by user: 39

Trusted

  Reply # 743781 12-Jan-2013 15:12

TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than it's worth, as no matter how many signs you put up you will have people asking staff what the password is.

Anything I want done securely I tether my phone over 3G anyway.

634 posts

Ultimate Geek
+1 received by user: 74

Trusted

  Reply # 743783 12-Jan-2013 15:32

No real difference between Unencrypted Wifi and Encrypted wifi where everyone knows the Password. Once you have the password, everything on the broadcast domain is fair game.

I personally choose not to use Unencrypted Wifi generally, because I'm not keen on something 'leaking' out in an unencrypted sense, but the truth is that if you encrypted it with a commonly known or accessible password, it wouldn't be any more secure.




26584 posts

Uber Geek
+1 received by user: 6086

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 743881 12-Jan-2013 21:14

Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.



1923 posts

Uber Geek
+1 received by user: 139


  Reply # 743898 12-Jan-2013 22:20

Personally I think you're doing the right thing. By offering a free unsecured network you're making it clear you have no obligation to the user in terms of their usage content or security. It's an 'all care, no responsibility' approach. If customers have an issue with that then they have other choices.


14082 posts

Uber Geek
+1 received by user: 1788


  Reply # 743900 12-Jan-2013 22:25

Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it, e.g. illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

1923 posts

Uber Geek
+1 received by user: 139


  Reply # 743901 12-Jan-2013 22:30

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it, e.g. illegal hacking from that connection. I have found from personal experience that people do abuse free wifi networks by hiding behind them if they want to do something bad. These days people should just get their own 3G connection if they want to use the internet in a public environment.

Agree with your comment about not being a fan, but free access doesn't mean the connection is unrestricted.

604 posts

Ultimate Geek
+1 received by user: 28


  Reply # 743913 12-Jan-2013 22:54

I run a wifi hotspot service providing captive portals for cafes, motels etc...  all of the login pages use SSL, the APs have AP isolation enabled by default, save password cookies are encrypted, PHP sessions are also checked and regenerated.  But at the end of the day there's only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing I've just made things a whole lot harder for them.

2978 posts

Uber Geek
+1 received by user: 453

Trusted
Subscriber

  Reply # 744006 13-Jan-2013 11:14

gareth41: I run a wifi hotspot service providing captive portals for cafes, motels etc...  all of the login pages use SSL, the APs have AP isolation enabled by default, save password cookies are encrypted, PHP sessions are also checked and regenerated.  But at the end of the day there's only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing I've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.

BDFL - Memuneh
60771 posts

Uber Geek
+1 received by user: 11663

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 744008 13-Jan-2013 11:17

I have three VPN solutions that I can use while away from my LAN:

- In New Zealand: OpenVPN to Synology NAS at home and from there to the Internet
- In New Zealand: LogMein Hamachi to one of the Geekzone monitoring servers in Auckland, and from there proxy to the Internet
- Outside New Zealand: OpenVPN to WiTopia

Since WiTopia doesn't have a New Zealand end point I use my local "home made" alternatives to not add too much latency. When overseas I use WiTopia everywhere else.




604 posts

Ultimate Geek
+1 received by user: 28


  Reply # 744277 13-Jan-2013 21:51

Kyanar:
gareth41: I run a wifi hotspot service providing captive portals for cafes, motels etc...  all of the login pages use SSL, the APs have AP isolation enabled by default, save password cookies are encrypted, PHP sessions are also checked and regenerated.  But at the end of the day there's only so much that can be done, nothing is 100% secure in my opinion.  If someone really wanted to start sniffing I've just made things a whole lot harder for them.


No you haven't.  If the Wifi network itself is unencrypted, then intercepting another user's traffic and obtaining access to confidential information is super easy - encrypted captive portal or not.  Especially what with the SSL renegotiation exploit and so on.

Ultimately, you just shouldn't do anything super confidential on public access points.  That includes banking, possibly even checking email.  If you intend to, then establish a VPN connection back to a trusted network to do so.


Sorry, I meant in regards to securing the user's login details/private information when they authenticate.  I understand fully that once they authenticate and leave the captive portal, they are vulnerable.

622 posts

Ultimate Geek
+1 received by user: 121


  Reply # 744326 13-Jan-2013 23:36

sbiddle: Clearly the person who tweeted that has no concept of a WiFi deployment or security.

With AP isolation enabled unsecured WiFi security is fundamentally no different to a secured network (and just using WPA/WPA2 doesn't mean broadcast/L2 exploits can't occur). There are hotspots out there without AP isolation enabled and they should be avoided like the plague unless you're using a VPN, with AP isolation enabled the vast majority of security risks are eliminated.

On the other hand you can't eliminate all risks, so if you're really security conscious you would always use a VPN on a foreign network.




From what I understand so far, AP isolation doesn't stop someone with a network device in promiscuous mode from sniffing all the data being broadcast (and by broadcast I mean RF). It's all still there for any device to watch, there's no need for something like man in the middle efforts.

I agree VPN is the way to go if you must use open wi-fi. If someone was serious enough one could sit out front with a netbook running as a rogue AP with the same network name. Most wouldn't be the wiser.

Personally, I don't do anything on an open wi-fi network other than basic news/media reading/watching. Even if there was encryption being used, I wouldn't expect cafe staff to know anything about it to gain any trust in it for the short stay anyway. Cafe internet is use at your own risk and I'm fine with that.



21219 posts

Uber Geek
+1 received by user: 4268

Trusted
Subscriber

  Reply # 744565 14-Jan-2013 14:36

Sniffing like that worked great in the days of 54 meg G gear, but with multi stream N, sniffing doesn't actually get a hell of a lot since the streams are not aimed at the sniffer.

And yes, I at one time did leave an old Linksys in the boot of the car with a SSID of "free google wifi" or something to see how many people tried to connect. The answer was lots, and that was some time ago. If I was really evil I could have had a Google-like splashscreen and ask for credentials and see how many were dumb enough to provide them.

The problem with wifi is there is no authentication of the base stations, so anyone can impersonate you, including a friend's neighbour that seems to take great joy at copying their SSID making things break for them.




Richard rich.ms
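
The post above notes that nothing authenticates the base station, so anyone can reuse a network's SSID. As an added example (not part of the thread), this is one way an operator could watch for that: parse a scan and flag any BSSID advertising the cafe's SSID that is not in the operator's own inventory. The scan text is constructed in the style of `iw dev wlan0 scan` output, and the SSIDs, BSSIDs and the `KNOWN_APS` inventory are assumptions made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields used here (style of `iw dev wlan0 scan`).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:00:01(on wlan0)
	signal: -48.00 dBm
	SSID: CafeFreeWiFi
BSS 02:00:00:aa:00:02(on wlan0)
	signal: -71.00 dBm
	SSID: CafeFreeWiFi
BSS 02:00:00:bb:00:09(on wlan0)
	signal: -35.00 dBm
	SSID: CafeFreeWiFi
BSS 02:00:00:cc:00:01(on wlan0)
	signal: -60.00 dBm
	SSID: NeighbourNet
"""

# Hypothetical inventory: the BSSIDs the operator actually deployed, per SSID.
KNOWN_APS = {"CafeFreeWiFi": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}

def parse_scan(text):
    """Return one {bssid, ssid} dict per BSS block in the scan text."""
    aps, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": None}
            aps.append(cur)
        elif cur is not None and line.strip().startswith("SSID:"):
            cur["ssid"] = line.strip()[5:].strip()
    return aps

def unexpected_aps(aps, known):
    """Map each of our SSIDs to the BSSIDs advertising it that we did not deploy."""
    hits = defaultdict(list)
    for ap in aps:
        if ap["ssid"] in known and ap["bssid"] not in known[ap["ssid"]]:
            hits[ap["ssid"]].append(ap["bssid"])
    return dict(hits)

if __name__ == "__main__":
    found = unexpected_aps(parse_scan(SAMPLE_SCAN), KNOWN_APS)
    for ssid, bssids in found.items():
        print(f"ALERT: {ssid} advertised by unknown BSSID(s): {', '.join(bssids)}")
```

A BSSID can be copied just as an SSID can, so a clean result only rules out clones that kept their own hardware address; it does not give clients any way to authenticate the AP.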



6314 posts

Uber Geek
+1 received by user: 380

Moderator
Trusted
Lifetime subscriber

  Reply # 744594 14-Jan-2013 15:11

boby55: TBH if data usage isn't an issue I would find having to enter a network password more of an inconvenience to customers than it's worth, as no matter how many signs you put up you will have people asking staff what the password is.


Exactly.  Also, if they type the password in incorrectly, they will ask my staff what is wrong - hospo staff aren't IT technicians (far from it).

mattwnz: Not a fan of free wifi myself, and the free provider could be potentially liable for anything that anyone does on it.


We mitigate this as much as possible by having a data limit up/down on known protocols like browsing, email etc, and rate limiting all and everything else to 0 (so pretty much unusable).
