[OpenWireless Tech] Securing Open Wireless

"Andy Green (林安廸)" andy at warmcat.com
Thu Jul 28 10:54:56 PDT 2011


On 07/28/2011 06:42 PM, Somebody in the thread at some point said:

> Also, the reason that some VPNs do not require PKI (actually newer SSL
> VPNs do) is that VPNs must be set up in advance. In other words, I
> can't just buy a new laptop, tablet, etc, go to Starbucks, and connect
> securely. VPNs also may not run on all devices, can be difficult for
> non technical users to set up... in other words, there are lots of
> reasons why VPNs do not provide the solution. If they did, then this
> list wouldn't be necessary.

Well, you jumped from it currently being difficult to set up, to it "not 
providing the solution".  They can be made easier to set up.

For example, folks with a wireless router are used to connecting to it 
with a browser and configuring its SSID name and other parameters.  If 
it had an additional checkbox to turn on VPN service and a field with an 
autogenerated random Pre-Shared Key for you to copy and paste, or a button 
for .p12 download for self-signed client cert setup on your other 
devices, I think that'd be easy enough.  And that is certainly 
"providing the solution".

> The bottom line is that there is a protocol available (EAP-TLS) that
> can give us HTTPS equivalent security on hotspot networks. It is a
> long established and well supported protocol, and requires only
> relatively minor changes to wireless supplicants.

I think you're right that that solves the snooping issue between the user and 
the AP, but this proposal does not solve the liability problem for the 
AP operator since everything the anonymous users do goes out with his IP.

VPNs uniquely have the effect of removing the AP's IP from the equation, 
and that's quite key for people to actually turn this on and offer this, 
I believe.

-Andy