>We need WiFi that is open and encrypted at the same time!
There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist.
It boggled my mind, repeatedly, when I discovered that non-password-protected wireless networks don't generate a unique encryption key for each connection. Boggle, I say. Sure, public key cryptography used to be too computationally expensive, but not any more. And even if it were, Diffie-Hellman has been around for quite a while, go ahead and use symmetric keys.
What the hell is wrong with our standards groups? And hardware manufacturers? There are trivial solutions to this, why haven't they pushed them?
that's surprisingly brilliant (and ranks up there in the "why didn't I think of that it's so obvious (but I didn't)" hierarchy of things that include the wheel)!
Of course, the problem is that using public key cryptography by themselves would not prevent MITM attacks. This can be solved using a certificate. In fact, such a protocol already exists, It is called EAP-TLS:
http://riosec.com/files/Open-Secure-Wireless.pdf
Windows already lets you trust specific root CAs for EAP, as well as server host names.
No, but for wireless, MITM is a bit harder. They need to be broadcasting and interfering with the station you're trying to connect to - that should be at least somewhat detectable, and alert people to the possibility. And certificates are a known system, implementing them is beyond "doable" and into the "easy" realm.
In any case, current MITM-prevention techniques should work just fine w/o a password. Unless someone knows otherwise, I don't really see why a default-encrypted system would be any more vulnerable than something behind a password.
> They need to be broadcasting and interfering with the station you're trying to connect to
The article raises the point that if you're just looking for a connection, you might not know the ID of the access point you want. Most of the time, if you want to snoop on people's traffic all you'd need to do is set up an AP with a higher signal strength than your neighbour's (and just forward the traffic on to the neighbour to get the bits onto the internet.)
More to the point, even if you do know the ID of the access point they want, you may not know that it's trustworthy. Even if the link between you and it is encrypted, it still gets to see your packets in the clear.
Yes, but if you're randomly connecting to un-trusted networks, you're... randomly connecting to un-trusted networks. Protect yourself with an SSH tunnel, or some other kind of VPN, and / or only run on https sites / fully-encrypted protocols.
Seriously, you're asking to be MITM'd if you're connecting to un-trusted networks. Literally. If you don't understand that, then you deserve what's coming to you. As long as you're not protecting yourself by somehow tunneling to only trusted end-points, there's no way to secure yourself.
Sounds like a great opportunity for some hackers (hardware and software) to get together and put together a Secure Open Wifi protocol and reference designs.
I honestly believe this is solvable. Maybe there's no financial market, but it seems like a tremendous good.
Seriously? We want a new network that big brother can't shut down or spy on so easy so your solution is to let the company that said "If you're worried about others seeing what you're doing maybe you shouldn't be doing it" running the show? I would trust Facebook with this before I'd trust Google with it.
I think we are talking about a protocol included in the WiFi standard which is implemented by whoever makes these devices. I'm not saying it should be some closed source proprietary 'Google' connection. They just have enough say in these matters that they could drive it forward.
It's irrelevant what exactly he meant. The bottom line is that Google can't be trusted and he said this explicitly in the interview. Whether that be because Google doesn't care about your privacy or because they are afraid of fighting with the Government is immaterial. The end result is the same: don't trust Google.
If you don't want to use Gmail for sensitive email, by all means don't. But this is just a silly knee-jerk reaction. Even if Google is the evilest company in the world, how could their development and championing of an open WiFi standard possibly compromise your privacy?
There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist.
It boggled my mind, repeatedly, when I discovered that non-password-protected wireless networks don't generate a unique encryption key for each connection. Boggle, I say. Sure, public key cryptography used to be too computationally expensive, but not any more. And even if it were, Diffie-Hellman has been around for quite a while, go ahead and use symmetric keys.
What the hell is wrong with our standards groups? And hardware manufacturers? There are trivial solutions to this, why haven't they pushed them?