A safe user experience on public WiFi?

Maybe just because it works pretty well, you’re seeing it more and more often: public WiFi, usually free as well. I’m not even talking about people sharing their network, but about stores and offices offering some sort of public access. And yes: it does work pretty well; no cables, dongles or other ‘mobile solutions’ are necessary to use the internet when you’re out and about. It even works so well that we usually forget about the security issues that come up when using a wireless LAN. Time for a more structured and standardized approach to offering this type of access?

Asking whether it isn’t about time for some sort of standardized approach to offering WiFi access actually misses one of the biggest problems: it’s not all that easy to secure a public network like that. Even so, it still seems odd that you can offer your visitors free WiFi as a teaser or extra service and do not have to provide even the most basic information about the possible risks involved. Of course, users should be aware of the risks involved with using any computer service, but often they are not. Having these visitors or customers use a wireless LAN sounds quite nice, but they might be in for an unpleasant surprise later on. Not too long ago I was asking myself if we shouldn’t set up some sort of code of conduct for venues offering WiFi.

Clear information is necessary

Don’t get me wrong: I love free WiFi, but now that the number of venues offering such a service and the number of people using it are increasing, it would be wise to set up a standard set of information that venues can offer. For all you geeks and nerds it might be blasphemy, but the time when users could be expected to make a fair judgement about the risks involved with certain services is over. On the other hand, the fact that we can’t really protect people from themselves in this case makes it very clear that we will have to choose to provide information, rather than putting up some fences here and there. This is why the Dutch ‘consumers society’ has started its ‘Don’t get yourself hacked’ campaign, to point out to people the risks that are involved when using a hotspot.

The dangers

Perhaps the easiest thing to set up, and therefore perhaps the most dangerous, is just an access point. Say I go to some store, turn on my laptop and set up an internet connection. I turn this computer into an access point and call it ‘free WiFi’ or something like that. Maybe I’d like to add the store name as well. Everyone who then uses my access point to get internet access can be sure that I will, at least, listen in on the network traffic. Even better would be setting up an access page, like the ones you see at hotels. I would set up a small web page that you see first and have it display: web access is 1 Euro per hour, payable by credit card. Inexperienced users might easily fall for this and send me their credit card data! The Wi-Fi Alliance is already warning the public about this kind of ‘rogue access point’. This means it’s very important to know whether a venue is offering public WiFi in the first place.

A normal public wireless LAN that has been set up with the best intentions by a store owner is far from safe as well. Besides rogue access points, the largest risk that users run on a public WLAN is that fellow users can listen in on their traffic. On Security Focus one can find this old (2006!) article about the use of ‘Coffeeshop WiFi’ that is still relevant. The safest thing to assume is that someone can listen in on anything you send over a public WiFi at any time. So be sure to only use safe connections when logging in to a website or other service, especially if you know you’re using the password elsewhere. This means using only web mail services that use https, and making sure you use a firewall. Lifehacker came up with some basic advice and rules at the beginning of this year. The safest thing to do is to use a VPN (virtual private network), for example by setting one up at home. Since this is something most people would only use in a work-related environment, I don’t think it will be a realistic option; ‘safe surfing’ is a good start, though.

A consumer WLAN-label

At the risk of adding to an illusion of safety, I would propose to set up a ‘consumer WLAN-label’ that a company or organization can use to give better information right at the door. This way people will always know if they can expect some sort of WiFi, and if so, what type. As a start, one would have to provide the exact name of the network. In addition, one could come up with extra labels. For now, I’ve come up with the following set of labels:

  1. Network Name (SSID)
  2. Network Type
    • Open: free, open, public network
    • Closed: network requires a login
    • Monitored: this organization is actively monitoring traffic on the network
    • Restricted: the organization only allows certain internet activities, for example: you can only visit a limited number of websites

This way, one could set up a basic system of labels, where a combination of label 1 with several label 2 options is of course possible. For example, a network can have Name + Open + Restricted. This obviously doesn’t give any security per se, but at least users have a better idea of what they can expect from the network. It sets out the parameters of the legitimate network in this area. Maybe an extension of this system is possible, with the option that use of the restricted and monitored labels is limited to organizations that uphold certain standards for their WLAN.
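To make the label scheme concrete, here is an added example (not part of the original article) that validates a door label and compares it with the networks a visitor's device sees. The function names, the sample SSIDs, the `requires_login` flag and the rule that exactly one of Open/Closed must be stated are assumptions of this example.

```python
from difflib import SequenceMatcher

ACCESS = {"open", "closed"}           # label 2: how you get on the network
EXTRAS = {"monitored", "restricted"}  # label 2: what the venue does on it

def make_label(ssid, *types):
    """Validate a door label: label 1 (SSID) plus label 2 network types."""
    types = frozenset(t.casefold() for t in types)
    if not ssid:
        raise ValueError("label 1 (network name) is mandatory")
    unknown = types - ACCESS - EXTRAS
    if unknown:
        raise ValueError(f"unknown network type(s): {sorted(unknown)}")
    # Assumption of this example: exactly one of open/closed is stated.
    if len(types & ACCESS) != 1:
        raise ValueError("state exactly one of 'open' or 'closed'")
    return ssid, types

def _norm(ssid):
    """Fold case and drop punctuation/spaces so near-copies compare equal."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())

def classify(label, ssid, requires_login):
    """Compare one network seen in a scan with the posted label."""
    label_ssid, types = label
    if ssid == label_ssid:
        # "consistent" is not proof of legitimacy: an SSID can be copied.
        expected_login = "closed" in types
        return "consistent" if requires_login == expected_login else "contradicts-label"
    a, b = _norm(ssid), _norm(label_ssid)
    if a == b or SequenceMatcher(None, a, b).ratio() >= 0.8:
        return "lookalike"  # near-copy of the labelled name: do not join
    return "unrelated"

# Constructed sample data: the label at the door and what a scan shows.
LABEL = make_label("CornerBooks-Guest", "Open", "Restricted")
SCAN = [
    ("CornerBooks-Guest", False),
    ("CornerBooks-Guest", True),
    ("Cornerbooks Guest", False),
    ("CornerBooks-Guest-Free", False),
    ("free WiFi", False),
]

def report(label, scan):
    return [(ssid, classify(label, ssid, login)) for ssid, login in scan]

if __name__ == "__main__":
    for ssid, verdict in report(LABEL, SCAN):
        print(f"{ssid:24} {verdict}")
```

Only the exact name with the stated access type comes out as consistent with the label; everything else is a reason to ask the venue before connecting.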

Listening in on network traffic and other attacks like the ‘man in the middle’ attack are still possible, but at least we can now direct our visitors to the proper network, after which they can take their own extra security measures. Besides the proposed labels and extensions, one could think of many more, and maybe I’m forgetting other security issues or solutions. What do you think so far?

This article is a liberal translation of an earlier article (in Dutch) that I wrote for the marketing blog bijgespijkerd.