From: listuser at seifried.org (Kurt Seifried)
Subject: Wireless ISPs

Folks. WEP is POINTLESS for public access points. You have to share the
password. Let's see locally:

Coffee shop #1 has Telus hotspot (local telco), no WEP, SSL gateway
redirect, plug your CC in and buy access. Login through SSL encryped web
site to access. Not sure how access is enforced (probably MAC address), I
haven't bothered to test this yet.

Coffee shop #2 has homebrew, the SSID is the name of the place, the password
is in a small duotang (labeled "do not remove from bar") and I'm guessing it
never changes. You buy $5 (cdn) of whatever, you get to use the wireless
inet (or wired, they provide several stations and a conference table).

Coffee shop #3 has homebrew, the SSID is posted on the wall upstairs, no
password is required (i.e. no WEP).

Which is more secure? None of them really. The SSID is public. They either
do not use WEP, or they use WEP and any attacker will trivially be able to
find the WEP key (hint: buy a cup of coffee and ask).

The most secure option is likely the wired access at coffee shop #2.

Now a technical person can do something like SSH port forwarding and stuff
all their email traffic and web browsing through a secure system on the
outside. But someone like my mother is supposed to do what exactly? Have a
colocated machine somewhere she can VPN off of, or SSH port forward?

Now ideally the coffee shop would provide security from your machine to
their gateway, however:

WEP is useless. See above.
VPN based solutions generally require client software (which isn't always
possible, corporate laptops, etc.), and configuration and client account
management. A PPTP or IPSec solution would result in a non trivial amount of
help required for your average customer.
Other wireless encryption protocols may solve this, WAP? Who knows.

Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

Powered by blists - more mailing lists