[OpenWireless Tech] Open Wireless encryption

Björn Smedman bs at anyfi.net
Tue Aug 13 09:34:10 PDT 2013


On Tue, Aug 13, 2013 at 6:23 AM, Christian Huitema <huitema at huitema.net> wrote:
> Björn Smedman wrote:
>
>> When you connect a new device to your home Wi-Fi router it sends a small
>> registration message to a server. The registration message contains the
>> MAC address of the device and the IP address of your home router, and the
>> server stores this association. You can think of this server as sort of a
>> DynDNS server, but with a device MAC as the key.
>
> A database linking MAC addresses to their home router address? Think of the
> spying tools that track the MAC addresses of passing Wi-Fi devices. If they
> can cross check the MAC with an IP address, they are 90% of the way to
> correlating the MAC with a user ID. What kind of protection are you building
> against such potential abuse?

You're right that you are trusting the server with a mapping of MAC to
home IP. You can in theory get around that (i.e. no single party needs
to know both MAC and home IP) with a combination of encryption and
relays, but if anonymity is a primary concern then termination in the
home router may not be ideal anyway...

Like any design it's a trade-off between conflicting goals. If you
place less importance on usability and more on anonymity then I think
you should consider central termination and truly anonymous non-mutual
authentication. Here a combination of Anyfi.net and Christopher's Open
Secure Wireless could be interesting, because when you separate the
"trust anchor" from the AP the way Anyfi.net does you can be much more
restrictive with who gets access to the private key of a trusted TLS
certificate. This lets anybody operate an AP, without letting them
operate a rogue AP.

Personally I think offering both options at every AP would be best. If
you want termination in your own home you're probably looking for
convenience, then set up your home router for that. If you want
anonymity then connect to an "anonymous TLS"-protected network with
routing through Tor.

Björn

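The registration scheme quoted above and the "encryption and relays" alternative mentioned in the reply, as an added Python sketch that is not part of the original thread or of Anyfi.net's implementation: the server is keyed by a keyed pseudonym of the MAC, with the key held by a separate relay, so the server alone never holds a MAC-to-home-IP mapping. The class names, the HMAC-based pseudonym and the sample MAC and IP values are assumptions constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sketch (not Anyfi.net's protocol): the registration server is
# keyed by HMAC(relay_key, MAC) instead of the raw MAC, and relay_key lives on
# a separate relay. The relay sees MACs but no home IPs; the server sees home
# IPs but no MACs. Only the two parties together hold MAC -> home IP.


class PseudonymRelay:
    """Holds the pseudonym key and sees raw MACs; never learns a home IP."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.macs_seen = set()

    def pseudonym(self, mac: str) -> str:
        # Keyed, so a sniffer that collects MACs cannot recompute lookup keys.
        mac = mac.lower()
        self.macs_seen.add(mac)
        return hmac.new(self._key, mac.encode(), hashlib.sha256).hexdigest()


class RegistrationServer:
    """DynDNS-like table of pseudonym -> home router IP; never sees a MAC."""

    def __init__(self) -> None:
        self.table = {}

    def register(self, pseudonym: str, home_ip: str) -> None:
        self.table[pseudonym] = home_ip

    def lookup(self, pseudonym: str) -> Optional[str]:
        return self.table.get(pseudonym)


def register_device(relay, server, mac: str, home_ip: str) -> None:
    """Home router registers a new device: it sends only the MAC to the relay,
    then registers the returned pseudonym with its own IP at the server."""
    server.register(relay.pseudonym(mac), home_ip)


def resolve_home_ip(relay, server, mac: str) -> Optional[str]:
    """A visited AP resolves the home router of a roaming device."""
    return server.lookup(relay.pseudonym(mac))


def server_holds_raw_mac(server, mac: str) -> bool:
    """True if the raw MAC is usable as a key in the server's table."""
    return mac.lower() in server.table
```

Anyone who observes only the server's database sees pseudonyms and IPs, which is the mitigation for the cross-checking concern raised in the quoted reply; collusion between relay and server still links them.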