Sidejacking and Wi-Fi security

It has been more than a week since the new tool “Firesheep” caught a lot of attention in the US and international press. I won’t write about the tool itself because there is not much to say. Just search the web and you’ll see a lot of discussions around it.

More important for us, from the point of view of security, is the way free Wi-Fi networks deal with the privacy of their users. The general practice at public places like cafes, bookstores and airports which offer Wi-Fi for free is to supply unencrypted service.

The reason for this is that “free access” is associated with “unrestricted access”. As password usage is usually seen as a restriction, even if the password is made available for free, most Wi-Fi networks are left completely unprotected. As a matter of fact, people feel free if they feel secure – the same should apply to wireless networks.

Some places provide a password on the receipt the client receives after buying something. Others offer 10-20 minutes for free, and afterwards a login is required (which sometimes encrypts the connection, sometimes not). Most providers of free Wi-Fi are afraid of compatibility problems between customers’ devices and their access points when using high-level encryption mechanisms. To avoid any support problems, they sidestepped the issue entirely: they removed the encryption.

Without any encryption, the danger of eavesdropping with criminal intent is much bigger, as there are many more potential victims. If you use no encryption, everything you send over the network is plain text. This means that if you use a chat program or send an email without encryption, anyone could see what you write by sniffing the traffic. By anyone I mean even those with no knowledge of computer science. This was proven by the Firesheep tool.

What can be done? Use strong encryption with a password. WPA2 is currently the most secure option, but it requires a password of at least 8 characters. If you want to provide free internet, just make the password public. Many providers see this as a blocker, because some users may find the password difficult to type and there are even devices which can’t understand the protocol at all. If this is a major problem, use at least WPA (the older version of WPA2). And don’t forget to tell your users that security sometimes means accepting some constraints.

Sorin Mustaca
Data Security Expert
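
The WPA2 advice above, as an added example that is not part of the original post: it checks a published passphrase against the WPA/WPA2-Personal limits, derives the 256-bit key the access point and every client compute from it, and builds the matching hostapd.conf security lines. The SSID `CafeGuest`, the passphrase `coffee-2day` and the function names are constructed for illustration; using hostapd, and mixed WPA/WPA2 mode as the "at least WPA" fallback, are assumptions.

```python
import hashlib


def validate_passphrase(passphrase: str) -> None:
    """WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(ssid: str, passphrase: str) -> str:
    """Pre-shared key = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    validate_passphrase(passphrase)
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )
    return key.hex()


def hostapd_security_block(ssid: str, passphrase: str, allow_wpa1: bool = False) -> str:
    """hostapd.conf lines for an encrypted network with a published passphrase."""
    validate_passphrase(passphrase)
    lines = [
        f"ssid={ssid}",
        "auth_algs=1",                     # open-system authentication, no WEP shared key
        f"wpa={3 if allow_wpa1 else 2}",   # 2 = WPA2 only, 3 = WPA and WPA2
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",               # AES-CCMP for WPA2 clients
    ]
    if allow_wpa1:
        lines.append("wpa_pairwise=TKIP")  # fallback cipher for WPA-only devices
    lines.append(f"wpa_passphrase={passphrase}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: print them on the receipt or a sign at the counter.
    print(hostapd_security_block("CafeGuest", "coffee-2day"))
    print("derived PSK:", derive_psk("CafeGuest", "coffee-2day"))
```
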