To encrypt or not to encrypt
June 7, 2006 5:04 AM

I'm interested in setting up a public wireless hotspot. The question is: to encrypt or not to encrypt?

I'd like to setup a hotspot in a local coffee shop, where anybody can walk in, connect to the network (the password will be supplied freely) and they can get online in under a minute. I've been reading and asking questions on WEP/WPA encryption, and I've come to this conclusion:

If the password is available to anybody who walks into this shop, is there any point in encrypting the data at all? Sure, it means the casual wardriver won't be able to sniff traffic without going in and getting the password, but that only takes 2 minutes.

I'm trying to make the tradeoff between access being as easy as possible (one password, no annoying client programs, installs, downloads, etc) and users feeling secure. I've also realised that the onus is also on the users to make sure they're secure (using a VPN connection if possible, using HTTPS, secure IMAP and POP connections, etc) but there's only so far I can go.

So, to encrypt or not to encrypt? Or what are my alternative options?
posted by gaby to computers & internet (13 comments total)
My opinion is that it's better that users feel insecure if the network is insecure, and that is what it will be if the password is effectively public knowledge.

Don't bother with encryption. It's unnecessary hassle for your users and it's not offering any significant protection to anyone, and the false sense of security you'll be giving people is a bad thing.
posted by edd at 5:10 AM on June 7, 2006


There's no point to doing it that way, you make a hurdle for your users that doesn't accomplish anything.

You could make a RADIUS server and hand out individual user/pass pairs if you want the local wifi to be secure, but I say that security is their issue. Convenience is what you're providing, not security.
posted by Steve3 at 5:21 AM on June 7, 2006


If you're providing the encryption key freely, then there's really no point -- not to mention the amount of tech support you and your staff will have to do to help people figure out where to put that key in, how to configure their machines, and that sorta thing. It's so not worth it.
posted by delfuego at 5:26 AM on June 7, 2006


Be careful. The problem with hotspots and internet geeks is that they have the tendency to sit in one place (without purchasing anything) for hours. So if you're at all concerned about limited seating, make sure that you only give out the password to customers.

One store I used to manage had this issue. Especially on Saturday and Sunday mornings, when the store was its busiest, locals decided to spend their entire day just surfing the web and people-watching. Unfortunately, these people took away limited seating from paying customers who wanted a place to sit. In addition, these squatters purchased tea for a dollar and just filled up on hot water for the rest of the day.
posted by SeizeTheDay at 5:51 AM on June 7, 2006


Steve3: I had considered RADIUS as an option, there is a central auth database which could be proxied to by a local RADIUS server. The question then is what's the most secure way, over an insecure network, to create the account in the first place? I want the system to require no administration from the staff at the site, as they're non-technical and I would like them to stay that way.

edd: There will be plenty of warning about the security of the connection, and some information available about how to protect themselves more readily.

SeizeTheDay: This problem is circumvented by the fact that the users have to actually buy their online time. The profits are then split between me and the proprietor. If a g33k wants to sit there and surf all day, that's fine, the owner will still be recouping costs from them, and their shop then looks busy all day.

delfuego: Yes, tech support is the biggest problem I have yet to consider. I don't want to spend all day, every day on the phone, I've done that before, never again. I suppose the only real benefit is to stop the casual sniffer stealing packets. Plus, if they had to go into the shop, they may end up on CCTV, which is a bonus.
posted by gaby at 6:04 AM on June 7, 2006


I think you might want to look at what others have done to address the needs you're looking to address. One place I know of to start is a group that has done this kind of thing a lot and have put a lot of info online: Ile Sans Fil and the captive portal solution they're building, WiFiDog.
posted by mikel at 6:20 AM on June 7, 2006


mikel: An interesting project. It would seem that I've already implemented most of what's on there, I just hadn't gone as far as moving it all onto a LinkSys router. Thanks for the heads-up, I'll be studying that site in detail.
posted by gaby at 6:38 AM on June 7, 2006


The perfect answer (which, I believe, some shops use, I can't remember the software package behind it though) is to print out a serial code on your receipts good for 1 hour of usage (or whatever you feel is right).

The WAP is left unencrypted, but for new connections that are not "logged in" it will only redirect to a webpage asking for the code. Once the code is entered, the network card is good for 1 hour of surfing. No special software, and it will work with ANYTHING with a web browser installed (if your customer doesn't have one of those... wow... too bad I suppose!)

As far as how to roll your own, I could see the following working free:

- DHCPD + IPTables (or whatever flavour of packet mangler you like) + Your favourite language + Apache (Actually, I'd probably use THTTPD, but that's because I'm a masochist) + Some way to interface to the cash registers (hard)

Basically IPTables could, by default, deny everything except web traffic, which it would forward to your webserver (no matter what the IP received is). The webserver accepts a code, checking it against the database generated by the code generating computer, and sets the gears in motion to check the MAC associated with the IP of the computer transmitting the code. Then the script tells IPTables to allow all traffic to the MAC and tells it to stop forwarding all traffic to the webserver. It forks a daemon that, after 1 hour, reverts that IPTables entry back to original.

And, on the other end, you have a code generator, a printer, and a database.

If the cash register interface fazes you, then you could just have a separate receipt printing machine that will print off a little receipt with the easy instructions and the code with the touch of a button. If you don't mind people "hanging out" (leeching) you could even make the button and printer accessible to the customers...

No RADIUS. Cheap crappy hardware (Free, if you live near somewhere that pays to junk PCs). Not particularly complicated. And anyone too stupid to answer a webpage saying "Code:" properly probably doesn't deserve to surf the internet at your shop (Heh... :)

And, yes, that was my idea 2 or 3 years ago (except I'd sell the access... :D ). I have like a whole 20 lines of completely useless script on a backup somewhere I have lost. Ho hum.
posted by shepd at 6:50 AM on June 7, 2006
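The receipt-code design above, worked through as an added example (this is not shepd's lost script or any existing package's code). It covers the portal half only: minting single-use codes, binding a redeemed code to the client's MAC as read from the kernel ARP table, emitting the iptables commands that punch the hole and later close it. Assumptions: the hotspot interface is `wlan0`, the gateway's own address is `192.168.1.1`, the ARP table is in the `/proc/net/arp` column layout (a constructed sample is embedded), and the per-client exemption uses the `-m mac --mac-source` match, which is valid in `PREROUTING` and `FORWARD`. Nothing in the block executes iptables; the caller runs the returned commands as root.

```python
"""Captive-portal session logic for a receipt-code hotspot (illustrative, not a real project)."""
import secrets
import time
from dataclasses import dataclass, field

IFACE = "wlan0"            # assumed hotspot interface
PORTAL = "192.168.1.1:80"  # assumed gateway address where the "Code:" page lives

# Baseline rules, run once at boot as root (assumed layout: allow DHCP/DNS first as needed).
# Unknown clients: every web request is DNAT'd to the portal, everything else is dropped.
BASELINE_RULES = [
    f"iptables -t nat -A PREROUTING -i {IFACE} -p tcp --dport 80 -j DNAT --to-destination {PORTAL}",
    f"iptables -A FORWARD -i {IFACE} -j DROP",
]

# Constructed sample of /proc/net/arp. Flags 0x2 (ATF_COM) marks a complete entry;
# the 0x0 row is an unresolved neighbour whose MAC is not yet known.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.42     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def mac_for_ip(arp_text, ip):
    """Return the MAC the kernel has for `ip`, or None if there is no complete entry."""
    for line in arp_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[0] == ip and int(cols[2], 16) & 0x2:
            return cols[3].lower()
    return None


def _rules(mac, op):
    """Per-client exemption. -I puts the ACCEPT above the baseline redirect/drop; -D removes it."""
    return [
        f"iptables -t nat {op} PREROUTING -i {IFACE} -m mac --mac-source {mac} -j ACCEPT",
        f"iptables {op} FORWARD -i {IFACE} -m mac --mac-source {mac} -j ACCEPT",
    ]


@dataclass
class Portal:
    session_seconds: int = 3600
    codes: dict = field(default_factory=dict)     # unredeemed code -> seconds of access it buys
    sessions: dict = field(default_factory=dict)  # client MAC -> expiry (epoch seconds)

    def issue_code(self, seconds=None):
        """Receipt side: mint an unguessable, single-use code to print on the receipt."""
        code = secrets.token_hex(4).upper()       # 8 hex characters, 2^32 possibilities
        self.codes[code] = seconds or self.session_seconds
        return code

    def redeem(self, code, client_ip, arp_text, now=None):
        """Portal side: consume the code, bind it to the requester's MAC, return the allow commands.

        Returns None when the code is unknown/used or the client's MAC cannot be resolved.
        """
        now = time.time() if now is None else now
        seconds = self.codes.pop(code.strip().upper(), None)   # pop makes the code single-use
        if seconds is None:
            return None
        mac = mac_for_ip(arp_text, client_ip)
        if mac is None:
            self.codes[code.strip().upper()] = seconds          # nothing granted, so give it back
            return None
        self.sessions[mac] = now + seconds
        return _rules(mac, "-I")

    def expire(self, now=None):
        """Timer side: return the commands that revoke every session whose hour is up."""
        now = time.time() if now is None else now
        cmds = []
        for mac, expiry in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[mac]
                cmds.extend(_rules(mac, "-D"))
        return cmds
```

Two things the original post leaves implicit. The MAC lookup must come from the gateway's own ARP table, not from anything the client sends, otherwise a visitor can claim someone else's address; and because the network is open, a neighbour who sniffs a paid client's MAC can clone it and ride the same session, so this gates access and billing but, as the thread says elsewhere, gives nobody confidentiality.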


A very simple solution is to use WPA in "enterprise" mode. This means every user gets a different key so my key won't decrypt someone else's data.

Frankly, when it comes to public hotspots like these it's more trouble than it's worth. Sniffing and the evils of wardrivers is a very overblown problem. Important traffic like banking and ecommerce will use ssl encryption anyway.
posted by skallas at 7:33 AM on June 7, 2006


This pretty much follows the same route that other conversations have had, it's just not worth the candle. WPA Enterprise is a possibility, but requires a bit more in terms of systems and infrastructure at my end. RADIUS is a possibility, but again requires more infrastructure, and a RADIUS client. WPA authenticating against a RADIUS server, perhaps, but initial account setup is a bit of a pain (although not impossible).

I have to wonder if it's worth offering a simple, insecure service alongside a WPA encrypted service. Can I do both from one wireless device, or do I need to have two WiFi cards in the access point, one for each?
posted by gaby at 8:10 AM on June 7, 2006


Since access of SSL-protected websites scrambles the kind of data people want to keep secret anyway, the real benefit for RADIUS authentication and WPA encryption is for handling liability and costs of the wireless service provider — that is, you would restrict access in some way in order to keep tabs on your network, not necessarily to protect your end users.

Also, I should point out that RADIUS is not encryption, it is authentication. The only benefit of authentication is to allow you to restrict access. It offers no protection from eavesdropping on signal and is not a security measure, per se.
posted by Mr. Six at 8:27 AM on June 7, 2006


"This problem is circumvented by the fact that the users have to actually buy their online time."

I'd stop right there. I have seen several coffee shops try that route through jwire/etc and their own "pay as you go" and they were all failures. The users simply decided to go elsewhere, or they just stopped bringing laptops in. It ended up being a money hole for each shop and none of them made any money off of it.

One of the shops ditched the pay wireless and advertised free wifi - then they put up a sign saying "Please don't be a table hog."
It worked well. Sales went up overall.

I'd just say leave it unencrypted, and don't charge for it. If you're worried about table hogs, cut off power to any AC outlets near tables. Unless you have some hoser carrying around 5 fully charged batteries, the laptop hogs will only be there for an hour or so, max.
posted by drstein at 12:03 PM on June 7, 2006


Also remember that some people may want to use it for services which do not allow a password to be entered. A PSP or Nintendo DS, for example. If they can come in and play a game while they sit there, you may get people who bring in more kids. Whether that is good or bad is up to you.

One thing I would recommend is to set up a small web server with some basic webgames on it. Checkers, chess, etc, can be a big draw for someone wanting to kill 30-60 minutes before a movie.

Heck, you could set up a couple of thin clients really cheaply and sell access to people without laptops.
posted by slavlin at 3:49 PM on June 7, 2006

