-2

Why not just create a network named: Starbucks_passIsHelloWorld, wouldn't that prevent the network from having some security issues?

After that every user would be able to login using the password and have better security.

Honey
  • 103
  • 7
  • 1
    what are you asking exactly? – yeah_well Aug 02 '19 at 14:31
  • @VipulNair I made an edit. Is it more clear now? – Honey Aug 02 '19 at 14:38
  • "wouldn't that prevent the network from having some security issues?" How did you come to that conclusions? also "using the password and have better security." how did you come to this conclusion? – yeah_well Aug 02 '19 at 14:41
  • I've read that you shouldn't join a network that doesn't have a password, because 1. you may get MITM. Hence dumping the password to the user will add a layer of encryption – Honey Aug 02 '19 at 14:52
  • thats not true.If you use HTTPS then you wont get MITM even on an open wifi.Btw are you talking about a captive portal? – yeah_well Aug 02 '19 at 14:56
  • and if you don't use HTTPS? I'm talking about public wifis, With our without captive portal – Honey Aug 02 '19 at 14:57

2 Answers2

1

Why not just create a network named: Starbucks_passIsHelloWorld, wouldn't that prevent the network from having some security issues?

There is a few reasons to use captive portals instead of just a password.

  1. In a shop/college its hard to authenticate with just a password.Basically WI-FI is just radio waves so anyone and everyone that CAN will authenticate and use the network.
  2. Wifi authentication in and of itself doesn't support 2FA.So anyone can use free internet to do anything illegal.That why is partly why they require your phone number before giving you internet
  3. Using a captive portal also help to keep track of users and their usage.
  4. Changing a password of WI-FI is not scalable.Think of trying to tell the password to all people in a campus

There are more reasons to captive portal just google it

After that every user would be able to login using the password and have better security.

I am guessing you are talking about the security of people that authenticate with a open/password protected WI-FI as you say in the comments.Lets just say SSL/TLS was created for solving a problem such as this.If an attacker and you are in the same network(i.e connected to the same wifi hotspot) and you happen to visit a HTTP site an attacker will be able to see it(MITM).Just to drive the point if a wifi is open or password protected and happen to visit a site with HTTPS.No an attacker wont see anything.PERIOD

yeah_well
  • 3,744
  • 1
  • 14
  • 31
  • "In a shop/college its hard to authenticate with just a password.Basically WI-FI is just radio waves so anyone and everyone that CAN will authenticate and use the network." You mean the intention is to tie it down to a student's user/pass which is more vital/personal to the user, hence less of a chance that he would share that with another person. That's a good point. But the reasons you provide don't explain why my suggestion isn't better for a small Starbucks coffee store. It's not as big as a campus. – Honey Aug 02 '19 at 15:38
  • I do understand the illegal activity...are you saying governments would rather have users login with something trackable rather than allowing users to securly connect to a network? – Honey Aug 02 '19 at 15:39
  • imagine someone looking at child porn from your open wifi with your IP address.The feds will come knocking on your shop. – yeah_well Aug 02 '19 at 15:43
  • This is what I don't understand then. If Feds can track that, then how is the connection secure? – Honey Aug 02 '19 at 15:45
  • What is the meaning of secure to you? – yeah_well Aug 02 '19 at 15:46
  • That what the communication between me and the server is not open to another entity – Honey Aug 02 '19 at 15:53
  • In a HTTPS communication the communication between you and server cannot be eavesdropped.What i said was imagine you have a open wifi.An attacker connects to it he goes to an illegal website.The feds will come to owners door because his IP address would get logged on the website.That is why you ask for people's phone number in a captive portal – yeah_well Aug 02 '19 at 15:56
  • once you give your phone number in captive, then is the connection between you and the server secure? If not then with or without the captive the connection isn't secure. It's actually worse for the user since he/she is making their network traffic traceable to their phone number. – Honey Aug 02 '19 at 16:00
  • Phone number has nothing to do with connection.The connection is still secure In HTTPS.But if you give your phone number and feds can find out the timing of a website visit or timing of illegal activity.Then we know who it was.Mind you the connection is still secure. – yeah_well Aug 02 '19 at 16:05
  • so basically the connection is secure, yet identifiable. I thought when we say a connection is secure it's that the ISP or whatever can't see what domain I'm connecting to. But from what you're saying it can figure that part out, just not what params you're sending e.g. it can see that you're reaching to gmail, but it can't see what fields you passed in the header. Right? – Honey Aug 02 '19 at 16:12
  • 1
    https://security.stackexchange.com/questions/107065/what-information-can-my-isp-see-when-i-visit-a-website – yeah_well Aug 02 '19 at 16:15
  • So to conclude, you're saying identifying a session (just to the point of knowing the URLs the user is hitting) —while encrypted is prioritized over pure encryption. Is that right? – Honey Aug 02 '19 at 16:35
  • 1
    Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/96976/discussion-between-vipul-nair-and-honey). – yeah_well Aug 02 '19 at 16:37
0

The answer to this question is yes, and no. You see it would make it secure if no one was able to sniff the wireless traffic. But when using a shared key, if I can sniff packets, and watch your device authenticate and associate to the network, and I capture your devices 4 way handshake, I now have all the information I need to decrypt your data. Unless you are using another level of encryption, like a website using HTTPS, or a VPN tunnel.

peterh
  • 2,958
  • 6
  • 26
  • 32
James Scott
  • 11
  • Given that you haven't made the blog post yet, I'm not sure it's appropriate to link to your website. It would be better to link directly to the post once you've made it, as it would actually include information relevant to the question, rather than just being self-promotion. – AndrolGenhald Aug 20 '19 at 00:50
  • The point for adding the link, was to let the OP know that there will be a place to look for a more detailed explanation in the future. I never made any claim it was already there, and the post that I do have up, is relevant to WI-FI, and may answer other questions the OP has. If this goes against in sort of terms of use, then I will avoid doing so in the future. – James Scott Aug 20 '19 at 01:02
  • Hi, I temporarily removed the link to your not yet written blog post. Write the blog post, if it is done, and you link it, that is okay. – peterh Aug 20 '19 at 01:35
  • @JamesScott you can leave a comment here about a related link. That’s totally fine as long as the post offers some value – Honey Aug 20 '19 at 01:42