Per Thorsheim
Jan 24, 2020
Open Wifi Security (Friday evening rant)

1) Yes, at our @nordic_choice hotels we have open wifi as standard. No Client<->AP encryption (WPA2/3), and no captive portal to log on to.

Let me first explain some obvious reasons for doing so. (Often disregarded by infosec pros.)
2) It is INCREDIBLY easy for anyone to connect and start using the Internet at our hotels. And we have absolutely all kinds of people staying with us. That includes people who are not tech-savvy at all.
3) Being a company that very actively seeks to reduce our footprint on earth & measures our performance in "People, Planet & Profit" (not just profit), open wifi with no captive portal saves time, energy & money. It helps your mood as well. 😇
4) We are using enterprise solutions for our wifi. Hey, we have APs with WPA3 support available! Flick the switch, and you've got it. Oh, and we do client isolation. You doing a conference or a meeting? Ask us, and we can give you your own SSID. With encryption & a serious password.
5) At most of our hotels we don't do captive portals. We don't need one to provide you with Internet access. Guest wifi is a shared resource, and we provide plenty for each client (30/20). At some hotels even much higher speeds at optimal times.
6) We use RFC1918 private addresses for clients connecting to our guest wifi, so Internet villains cannot directly portscan or connect to your honeypot telnet server, should you have one.
7) We have (obviously) monitoring tools to look for APs that are not working, areas with massive spikes in traffic & signs of errors that shouldn't be there. But hey, we don't block ports or protocols: your VPN, Tor or corporate VPN connection works fine.
8) "BUT YOUR WIFI IS OPEN, THERE IS NO ENCRYPTION, ANYONE CAN HACK ME!"

No.

Most services you use online today are encrypted (HTTPS, you know). Quite a few of them have even configured HTTPS to a level where MitM is very, very hard to do for an adversary. Even on open wifi!
9) DNS IS PLAINTEXT.

We know. We are working hard to only use #DNSSEC resolving DNS servers, but of course you can use your own as well. Personally I want to provide our guests with DoT too, and you can use DoH as well with whatever provider you prefer.
10) About DNS:
We @Nordic_Choice use #DNSSEC. We do #DNSSEC for our email with Google. Check our MX records: we use mailservers with the smtp.goog (Google) domain, which is #DNSSEC signed.

We ask our providers to use #DNSSEC. You should too.
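To check the claim in 9) and 10) that the resolver you are handed actually validates DNSSEC, here is an added example (not from the thread, and not Nordic Choice's tooling): a small stdlib-only Python script that sends an MX query with the DO bit to a resolver and reports whether the reply carries the AD bit. The resolver address 198.51.100.53 and the name example.com are placeholders to replace.

```python
import socket
import struct

MX = 15           # QTYPE for MX records
OPT = 41          # EDNS0 pseudo-RR type (RFC 6891)
RD_FLAG = 0x0100  # Recursion Desired, DNS header flags word
AD_FLAG = 0x0020  # Authenticated Data: resolver validated the DNSSEC chain (RFC 4035)
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the OPT RR TTL field: ask the resolver to validate

def build_query(name, qtype=MX, txid=0x1234):
    """Build a wire-format DNS query with RD set and an OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root owner name, type 41, UDP payload size 4096, DO in the TTL field, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG, 0)
    return header + question + opt

def resolver_validated(response, txid=0x1234):
    """True when the response header carries AD, i.e. the resolver says it validated DNSSEC.

    AD only tells you what the resolver you asked claims; the bit itself is unsigned, so it is
    meaningful only over a path you trust (a local validating resolver, or DoT/DoH to a
    provider you chose).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        # A validating resolver answers SERVFAIL (2) for a zone whose signatures are bogus.
        raise ValueError("query failed, RCODE %d" % rcode)
    return bool(flags & AD_FLAG)

def query_ad_bit(resolver_ip, name, timeout=3.0):
    """Send one MX query over UDP to resolver_ip and report whether AD came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return resolver_validated(data)

if __name__ == "__main__":
    # Placeholder resolver address (TEST-NET-2); replace with the resolver under test.
    print(query_ad_bit("198.51.100.53", "example.com"))
```

A False result means the resolver did not validate the MX RRset of that name (or the zone is unsigned); a SERVFAIL means it did validate and the chain was broken.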
11) We haven't had a single report coming in from anyone becoming a victim of "hacking", where lack of Client<->AP encryption in our guest wifi was the reason for the incident.

*Not a single report.*
12) Yes, we are well aware of clients remembering open wifi SSIDs, & automatically connecting to those SSIDs, even if it is someone playing with Kali or their brand new Hak5 Pineapple.

We can't help with your wifi history, and imho most devices have been on open wifi once.
13) Side note: the two largest telcos in Norway ran massive campaigns warning against use of (open) wifi last year, promoting 4G instead. One of those telcos is also a BIG provider of open wifi in several countries. Paradox?
14) We have also experienced the confusion related to encryption & captive portals. Some even believe that captive portals are there to protect their security & privacy, and that a captive portal means there is encryption in place.
15) At one point I was told that without "double encryption" + login using a captive portal, we would violate #GDPR, and our wifi could not be used by employees of organisation X.

Tough job trying to fix that one.
16) Now a little probability threat analysis: Where is the most obvious location of a villain wanting to hack you?
17) Another survey: What do you reckon is the most common way of getting hacked?
18) Third survey question:
Have you ever been the victim of open wifi hacking (MitM or other ways) - infosec cons & Hak5 Pineapple demos excluded?
19) Obviously there are MANY ways to hack, bypass or make any wifi Client<->AP encryption irrelevant. Not to make that an argument against using encryption though; I personally prefer the encrypted version.

But risk analysis is cool.
20) There are threats out there, we will always have vulnerabilities, and we have values to protect.

As a provider of free & open wifi access for our guests, we try to evaluate all of those, looking at probability & impact, while also remembering UX.
21) I could have said lots more, and I probably forgot something important as well.

A nudge to @boblord here is in place, as well as @schneierblog & many, many others I've learned from in terms of being sober when doing risk analysis. :)
22) So I'll stop my rant here, and say thank you for reading all these tweets.

I am now ready to answer your questions, comments and flames.
