End Open WiFi Access Points Now!

Posted by JD 11/06/2010 at 22:00

Open WiFi is convenient, but not secure. All of us need to help people and businesses providing Open WiFi understand the issues so they will stop providing it.

The real problem is that most people do not understand how insecure Open WiFi is. There’s a new Firefox extension that grabs social network session credentials from the people around you on an open WiFi network. That extension works on Windows, Mac OS X and, soon, Linux. It is named FireSheep; anyone can get the FireSheep extension here, and it is trivial to use. This extension lets a nearby cracker act as if they are you on the social websites. They can post to Twitter as you; they can update photos on Facebook. For all important uses, they ARE you, with just a click of a button.

The Fix – Easy

What is the fix? It is simple: just enable a trivial WPA passphrase for the WiFi access point. That’s it. This method lets all those small businesses prevent most of these session-hijacking attacks without really causing issues for their clients. For a simple example passphrase, Starbucks could use … er … “starbucks.” That would be enough to foil the FireSheep extension.
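The same fix written as a hostapd configuration, added here as an example that is not from the original post: the open profile and the WPA2 profile differ only in the last four lines. The interface, SSID and channel are assumptions. One caveat the post does not mention: because the passphrase is shared, anyone who knows it and records a client's association handshake can still decrypt that client's traffic, so this raises the bar against point-and-click sniffing tools rather than replacing per-site SSL.

```ini
# /etc/hostapd/hostapd.conf (added example, not from the post; interface,
# SSID and channel are assumptions)
interface=wlan0
driver=nl80211
ssid=coffee-shop-guest
hw_mode=g
channel=6

# Open hotspot, the setting the post wants retired: every frame goes out in
# the clear, so any nearby client can read everyone else's session cookies.
# (wpa=0 is also what hostapd uses when no wpa line is present.)
# wpa=0

# Trivial-passphrase fix from the post: WPA2 with a pre-shared key.
# Each client gets its own pairwise (CCMP) key, so clients no longer see each
# other's frames in the clear, which is what foils a point-and-click sniffer.
# hostapd requires the passphrase to be 8 to 63 characters; "starbucks" is 9.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=starbucks
```

After editing the file, restart hostapd and confirm from a client that the network now shows as WPA2 rather than open.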

Not Secure Enough for Home or Business WiFi Networks

Ok, so this fix is just for places that provide an open WiFi hotspot for clients; it definitely should not be used by any business for their private network or by any of us in our homes. For small businesses and homes, you really want to follow my WiFi Security Checklist.

The Best Fix

Another way to solve this issue, and a better one, is for all websites with a login to use SSL encryption for everything, all data. No exceptions. Ten years ago, that would have been computationally unreasonable. These days, having everything SSL encrypted adds about 3% overhead to bandwidth and compute requirements. That isn’t a big deal for almost any website to handle. The newest CPUs from Intel include special instructions that make AES encryption/decryption even less computationally intensive, so it is becoming a non-issue.
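As an added example that is not from the original post, here is a small POSIX shell audit a site owner can run against captured response headers. It flags Set-Cookie lines without the Secure attribute, which is what lets a browser replay a login session over plain HTTP where anyone on the same open network can read it, and it checks that the plain-HTTP listener answers with a redirect to https:// instead of serving pages. The header blocks are constructed samples; the hostname and cookie names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit HTTP response headers
# for the two conditions a session-sniffing attack on open WiFi relies on:
#   1. a session cookie set without the Secure attribute, so the browser
#      will send it again over plain HTTP where anyone nearby can read it;
#   2. a plain-HTTP listener that serves pages instead of redirecting to https://.
# All header blocks below are constructed samples; the hostname and cookie
# names are assumptions, not taken from any real site.

# Returns 0 when every Set-Cookie line in the header block carries the Secure
# attribute, 1 otherwise; the names of offending cookies are printed.
cookies_are_secure() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^set-cookie:' | {
        bad=0
        while IFS= read -r line; do
            name=${line#*:}                        # drop "Set-Cookie:"
            name=${name%%=*}                       # keep the text before '='
            name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//')
            # Secure is an attribute token: "; Secure" followed by ';' or end of line
            if ! printf '%s\n' "$line" | grep -Eiq ';[[:space:]]*secure[[:space:]]*(;|$)'; then
                echo "cookie '$name' lacks the Secure flag"
                bad=1
            fi
        done
        exit "$bad"
    }
}

# Returns 0 when a plain-HTTP response is a redirect (301/302/307/308) whose
# Location header points at https://, 1 otherwise.
forces_https() {
    printf '%s\n' "$1" | tr -d '\r' | {
        IFS= read -r status_line
        if ! printf '%s\n' "$status_line" | grep -Eq '^HTTP/1\.[01] 30[1278] '; then
            echo "plain-HTTP listener serves content instead of redirecting: $status_line"
            exit 1
        fi
        # the remaining lines on stdin are the headers
        if ! grep -Eiq '^location:[[:space:]]*https://'; then
            echo "redirect does not point at https://"
            exit 1
        fi
        exit 0
    }
}

# Constructed sample: a login response that sets the session cookie without
# Secure, so the browser will later replay it over plain HTTP.
WEAK_LOGIN_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/'

# Constructed sample: the same response once every cookie is marked Secure.
FIXED_LOGIN_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/; Secure'

# Constructed samples of what port 80 answers: forced SSL versus not.
HTTP_REDIRECT_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0'

HTTP_SERVING_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html'

echo "== weak login response =="
cookies_are_secure "$WEAK_LOGIN_RESPONSE" || echo "-> FAIL: session can be replayed over plain HTTP"
echo "== fixed login response =="
cookies_are_secure "$FIXED_LOGIN_RESPONSE" && echo "-> OK"
echo "== port 80, SSL forced =="
forces_https "$HTTP_REDIRECT_RESPONSE" && echo "-> OK: redirects to https://"
echo "== port 80, SSL not forced =="
forces_https "$HTTP_SERVING_RESPONSE" || echo "-> FAIL: plain HTTP still serves pages"
```

To audit a live site, capture the headers with `curl -sD - -o /dev/null http://your.site/` (and the login response over https) and pass the output to the two functions.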

If you have a website with encryption, please force SSL connections. There are some very easy ways to do this without touching the website. Simply use a reverse proxy like pound to handle the SSL connections, then forward the requests to the back-end web servers. This web site, jdpfu, uses pound both to terminate SSL and to load-balance traffic across 3 server instances. Connections with logins stay on the same server instance, so there’s no session confusion between the different servers. All the web servers read and write to the same DB instance. SSL connections are all handled in pound, and the application doesn’t know anything about it.
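As an added example, not the post's actual pound.cfg, here is what the arrangement described above looks like as a pound configuration: a plain-HTTP listener that only redirects to https://, an SSL listener that terminates the connection and spreads requests across three back ends, and a cookie-based session so a logged-in client keeps hitting the same instance. The certificate path, addresses, hostname and cookie name are assumptions, and the post does not say which pound session type jdpfu uses; check the directives against the pound version you install, since the exact set varies between releases.

```text
# /etc/pound/pound.cfg (added example, not the post's configuration;
# addresses, hostname, certificate path and cookie name are assumptions)
User     "www-data"
Group    "www-data"
LogLevel 1
Alive    30

# Port 80 never serves content: every request is bounced to https://
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        Redirect "https://www.example.com"
    End
End

# Port 443: pound owns the certificate and private key; the back ends only
# ever see plain HTTP, so the application needs no SSL code of its own.
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/www.example.com.pem"
    # lets the application tell the request arrived over SSL if it cares
    AddHeader "X-Forwarded-Proto: https"
    Service
        BackEnd
            Address 10.0.0.11
            Port    8080
        End
        BackEnd
            Address 10.0.0.12
            Port    8080
        End
        BackEnd
            Address 10.0.0.13
            Port    8080
        End
        # Sticky sessions keyed on the application's session cookie, so a
        # logged-in client stays on one instance (assumed cookie name).
        Session
            Type COOKIE
            ID   "sessionid"
            TTL  1800
        End
    End
End
```

Because pound is the only thing listening on 443, the PEM file needs both the certificate chain and the private key, and the back-end ports should be firewalled so they are reachable only from the proxy.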

If you need help setting up pound, let me know below.