After reading a bit about WiFi roaming where multiple access points are set up with the same SSID and WPA/WPA2 shared key, I'm wondering how secure the concept of WiFi roaming is.
If clients connect to access points with the same SSID (and usually without the user's knowledge), what's to stop someone setting up a rogue access point to get the shared key or do something malicious with users' traffic?
Rogue access points can certainly be dangerous, but there is a caveat:
If the "real" network is encrypted, you cannot set up a rogue access point without knowing the key. Rogue access points must have exactly the same security settings as the original access points, including the same key. If they do not have the same key, clients will try to connect but fail. Fortunately, it is not possible to see what key the clients attempted to use, as the key is never actually transmitted during the authentication process.
Thus, the only people who can cause any real damage with rogue access points are people who already know the key to the original network. People who don't know the key can still set up a rogue access point, but all they'll be able to do is make people unable to connect when their devices fail to authenticate with the rogue ap.
For networks with large numbers of users and public networks though, they become a more serious concern. There's no way for a users to tell that they may be connected to a rogue ap, and pretty much anything could happen (data theft, malware injection, eavesdropping...) if they are. That's part of the reason why VPNs are always recommended when using public wifi.
