Bruce Schneier is wrong about unencrypted WLAN!

January 12, 2008

Bruce is right with many statements but his last one (Steal This Wi-Fi) is just populist and tries to provoke people. People with an understanding in this topic will see that and take it the right way, but not the ones who have a default setup of a access point / router running at home. They heard in the media that they have an insecure setup at home, and hopefully thought about changing that – but now a security expert tells them that’s not needed. He is simplifying the whole topic and is forgetting some important points.

Most users which have an unencrypted WLAN also have insecure PC at home. What is easier for them to do? Make a Windows System secure besides activating the automatic updates or login onto his router and change the password and configure the WLAN to be encrypted with 20 char long password?
Sure this still leaves the attack vector via malicious websites and emails but it is a start and a drive by attack is now much more complicated. Would a security computer help? Sure, but is it realistic?

Bruce also writes about his dear neighbors, which may need his internet access. Some thoughts about this. Not all neighbors are your friends, just talk to your friends – ask them if all there neighbors are their friends? If you like your neighbors, why not make an encrypted WLAN and tell them the password and share the costs of the internet connection with them. That helps all – except the ISP 😉

But lets look more at his technical points. He says that he is as secure at his unencrypted WLAN at home as at a public hotspot. Public access points normally allow no direct communication between clients. In infrastructure mode all traffic even between 2 clients need to be relayed by the access point and in a public access point setup it just makes no sense to activate this feature. Due the limited address space with IPv4 almost all public access points will provide only local IP addresses which are then masqueraded to one global IP address. Due to this facts it is possible to sniff the packet from and to the clients it is not possible initiate a direct communication to a client.
But still I would not do my e-banking via a public hotspot. Sure I trust my notebook and the CAs I’ve installed and I think the current version of SSL is secure. But still I would not do it. Call me paranoid, but it is different to do something like this at home or at a public hotspot.

I believe in layered security. Bruce writes in this commentary that one layer of security is enough (the one of his PCs). I can’t believe that he really means that. If you want to provide yourself with plausible deny ability then use 2 separate WLANs. One that is unencrypted and provides only access to the internet and one thats encrypted with WPA and at least a 20 char long password, as a passive dictionary attack is possible on WPA . Within this network you and your family can work within a first line of defense. That is a similar setup as FON provides, which he mentions in his commentary. So why should someone like Bruce use the unencrypted network for himself?

Besides these technical points someone needs to look also at the legal ones. He writes about the situation in the US, which is quite different from the laws in Europe. e.g. a German court ruled that the owner of a WLAN is required to make and keep it secure (german)
And I won’t talk about the problems you get into if the police raids your home, even if they don’t find something and to the gossip this leads in your village.


RSS feed for comments on this post. TrackBack URI

  1. Another Option when surfing over public hotspots would be to set up an own server with a vpn, which provides internet access. Then you can go from the public hotspot to your own vpn, and you are at least sure that the hotspot provider won’t sniff your net-accesses.

    Comment by Richard — January 12, 2008 #

  2. Finally someone who doesn’t believe in all what Mr. Schneier postulates.

    Actually I’ve been waiting for some time now that at least some people realize that a Schneier can also be wrong, at least in some sense.

    A poor lock is better than none. If you don’t have the technical capability or knowledge of securing your wlan with WPA or even better with WPA2, WEP protection is better than none and helps you (at least in most parts of Europe) at least in court.

    Great entry!

    Comment by Markus — January 13, 2008 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 39 queries. 0.110 seconds.