[Noisebridge-discuss] WPA and other network Q's
Ryan Castellucci
ryan.castellucci at gmail.com
Sat May 29 00:07:48 UTC 2010
On Thu, May 27, 2010 at 11:17 PM, Jonathan Lassoff <jof at thejof.com> wrote:
> Excerpts from Geoff Horne's message of Thu May 27 17:45:08 -0700 2010:
>> 1) why isn't WPA enabled for the wireless, surely that will help with
>> some of the paranoia
>
> Paranoia? What paranoia?
> I for one prefer it not be configured for a couple of reasons:
> 1. It's easier for visitors and passers-by to connect to free internet.
> I think pervasive wifi is cool.
> 2. It lures users into a bit of a false sense of security. Just because
> the WiFi leg of the network is using WPA doesn't mean someone isn't
> still sniffing your traffic.
> That said, there's a point behind defense-in-depth.
> 3. We've got a mix of APs, and as far as I know, there's not a way to
> do WPA authentication in a central place without a proprietary box.
>
> That said, we have a dearth of APs, most of which will support WPA/WPA2.
> If you're interested in setting any of these up, you're more than
> welcome. I would be glad to help or show you around.
Centralized WPA authentication doesn't require anything proprietary,
WPA/WPA2-Enterprise works with FreeRADIUS just fine.
The most reasonable/secure setup would be to set up
PEAPv0/EAP-MS-CHAPv2 and have everyone log in as guest/guest or the
like. This has pretty wide device/OS support. You do need to either
get a signed SSL cert or get people to whitelist a self-signed cert
for it to work. It uses per-connection keys such that people can't
sniff each other's connections over wifi.
It's still stupid though. It just raises the bar slightly - someone
can sniff the connection once it hits ethernet. Running the wifi
without encryption is a reminder that it is open to all, and that your
data is subject to snooping by anyone who cares to do so.
--
Ryan Castellucci http://ryanc.org/
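As an added illustration of the setup described in the message above (not part of the thread, and not Noisebridge's own configuration): a minimal hostapd.conf fragment that points an AP at a RADIUS server, plus the FreeRADIUS 2.x-era snippets (raddb/clients.conf, raddb/eap.conf, raddb/users) that make PEAPv0/EAP-MS-CHAPv2 accept a shared guest/guest login. The SSID, IP addresses, shared secret, and certificate paths are placeholders chosen for this example.

```ini
# ---- hostapd.conf (on each access point; option names are hostapd's) ----
interface=wlan0
driver=nl80211
ssid=example-wpa-enterprise        # placeholder SSID
hw_mode=g
channel=6
auth_algs=1
wpa=2                              # WPA2 (RSN) only, no WPA1 fallback
wpa_key_mgmt=WPA-EAP               # 802.1X/EAP instead of a pre-shared key
rsn_pairwise=CCMP                  # AES-CCMP pairwise keys, one set per client
ieee8021x=1
eap_server=0                       # hand EAP off to the external RADIUS server
auth_server_addr=192.0.2.10        # placeholder: FreeRADIUS host
auth_server_port=1812
auth_server_shared_secret=EXAMPLE-SHARED-SECRET   # placeholder, per-AP

# ---- raddb/clients.conf (on the FreeRADIUS host): which APs may talk to us ----
client ap-1 {
    ipaddr    = 192.0.2.20                    # placeholder: the AP's address
    secret    = EXAMPLE-SHARED-SECRET         # must match the AP's setting above
    shortname = ap-1
}

# ---- raddb/eap.conf: outer PEAP over TLS, inner MS-CHAPv2 ----
eap {
    default_eap_type = peap
    tls {
        # Either a CA-signed cert, or a self-signed one that clients are told
        # to trust explicitly; clients that skip validation leak the inner
        # MS-CHAPv2 exchange to whoever answers the SSID.
        certificate_file = ${certdir}/server.pem    # placeholder paths
        private_key_file = ${certdir}/server.key
        CA_file          = ${cadir}/ca.pem
        dh_file          = ${certdir}/dh
        random_file      = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

# ---- raddb/users: the shared guest account ----
guest   Cleartext-Password := "guest"
```

The point of the `wpa_key_mgmt=WPA-EAP` line is the one the message makes: each client's TLS session with the RADIUS server yields its own pairwise master key, so two clients that both logged in as guest/guest still end up with different CCMP keys and cannot decrypt each other's frames, which is not true of a shared WPA-PSK passphrase. The caveat also stands as written: none of this protects traffic once it leaves the AP onto the wired segment.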