Ever since I had a wireless router I’ve been sharing my WiFi network with anyone who could find it. It had a web-only restriction, but that’s just because I didn’t want anyone using file sharing and using up all the bandwidth. Yesterday, however, I password protected and encrypted my home WiFi network.
The reason is the latest unveiling of Firesheep, a tool for HTTP session hijacking that works over open WiFi networks. The only protection against Firesheep is using secure HTTP (https://) with every website, but I don’t think I’m meticulous enough to remember this all the time. And yes, I know about the extensions that help with that.
On the other hand, it’s probably a better idea to start using https everywhere just to be on the safe side.
P.S. Sorry, neighbors.
I’m not an expert on WiFi security, but I’m pretty certain that if you use WPA or WPA2, set your password to something like X, and your SSID to something like FREE-ACCESS-Password-is-X, you get the best of both worlds: Nobody can sniff your packets and your WiFi is still effectively free for all.
I do have two warnings though: 1. I’m not at all sure about this. Somebody will have to actually read the WPA specs to make sure it’s true, and I’m certainly not going to do this now. 2. One of the most common security best practices is not to open anything you don’t need, so you did make the right choice in this regard anyway (unless you want to use public-access as a defense for some illegal on-line activities. The “Somebody else did it” excuse seems to work well in some countries).
Your idea is a good one and was actually offered by a security researcher (http://it.slashdot.org/story/10/11/10/0355231/Sophos-Researcher-Suggests-Password-Free-to-Spur-Wi-Fi-Encryption) – he offered that all publicly-available networks should be encrypted, with the password “free.”
Unfortunately, though, I think I’ll leave my network encrypted (with a secret password) because of my new venture after quitting IBM – it’s just safer not to let anyone in instead of trying to enforce security with firewall rules like I used to.
One thing I don’t understand is why WiFi network encryption is related to the network password. I mean – it should have been possible to enable encryption without requiring a password. Or am I missing something?
Thanks!
Your suggestion should have been more or less straightforward to implement, but if you look at the history of WiFi encryption, and how easy it was to crack some of the earlier protocols, you’ll be quite amazed at how clueless even some of the professionals in this field sometimes are, so this oversight is not really that surprising.