[OpenWireless Tech] Securing Open Wireless

Christopher Byrd chris at riosec.com
Thu Jul 28 10:42:09 PDT 2011 

On Thu, Jul 28, 2011 at 11:28 AM, Michael Blizek
<michi1 at michaelblizek.twilightparadox.com> wrote:
> I do not really see how the certificates would help at all. First, getting
> them has a significant time and cost impact, especially for individuals.

There are free PKI providers available, e.g. StartSSL. Self signed
certificates are also free, just don't provide protection against
MitM. Besides, with the same "time and cost" argument we would have
never adopted HTTPS. We could debate the pros and cons of HTTPS, but I
think most people would agree it is better than what existed before
(no HTTP encryption), just as Open Secure Wireless is better than what
we have now (no open wireless encryption).

> Second, they do not protect you if the operator itself is evil. Third, you

Nothing will protect you against an evil operator if you choose to
connect to them. Even VPN is not a complete solution as I discuss in
my article. As Voltaire said "The perfect is the enemy of the good",
or as Eisenhower said "We will bankrupt ourselves in the vain search
for absolute security." That said, some additional features will make
this better such as EV certificates, SSID comparison to CN and SAN,
and Wireless supplicants pinning the certificate to the preferred
network - similar to what HSTS does for HTTPS.

> probably do not even need them for protection against man-in-the-middle
> attacks. See the last paragraph of my previous link at:
> http://michaelblizek.twilightparadox.com/projects/cor/internet_exit.html

Even assuming that mechanism works, it doesn't seem to apply to
wireless hotspots. For it to be applicable the user would first have
to have another Internet connection to send the validation traffic
(something they are trying to establish in the first place) and the
authentication server would have to be Internet accessible, which is
not a requirement and not necessarily a good idea.

> Fourth, these certificates might even make it easier to cause intented legal
> problems to the hotspot operator.

Unfortunately I don't understand this part. Would you mind explaining
your meaning?

For technical users, there is nothing that would prevent a user from
running VPN on top of that, or a hotspot operator requiring VPN for
that matter.

Users of wireless hotspots may not have a VPN provider. The VPN
provider may be just as evil as the "evil hotspot" operator you
describe, or an attacker might just DoS the VPN.

Also, the reason that some VPNs do not require PKI (actually newer SSL
VPNs do) is that VPNs must be set up in advance. In other words, I
can't just buy a new laptop, tablet, etc, go to Starbucks, and connect
securely. VPNs also may not run on all devices, can be difficult for
non technical users to set up... in other words, there are lots of
reasons why VPNs do not provide the solution. If they did, then this
list wouldn't be necessary.

The bottom line is that there is a protocol available (EAP-TLS) that
can give us HTTPS equivalent security on hotspot networks. It is a
long established and well supported protocol, and requires only
relatively minor changes to wireless supplicants.

Thanks,

Christopher

More information about the Tech mailing list