Or any common password shared by "open" networks. If enough APs intentionally adopt the same password then they are effectively open, just with the ritual step of having to enter a password.
Probably wouldn't fly in court; the whole idea behind requiring passwords is to be able to tie a person to the device connected to the network.
(I think it is a terrible idea to require this; however, chances are any scheme like the one you are proposing will be shot down in flames once the WiFi owner is dragged into court.)
How does requiring passwords tie the user to the device? Sure, in a house for example, you have assurance that the only people connected are your family (or friends). But if you're at, say, Starbucks (and they change the pass every day), the only thing you'll know is that people connected visited that day.
If you require a username and password to access, then sure, you could track who is visiting what websites (provided you don't allow guest/guest like my high school did).
It's not very relevant to the current discussion, but there is a security advantage to requiring a public password vs totally open. For instance, a store could post a sign reading "Welcome to N Guy's Burgers; our WiFi password is 'N'".
You see, if the WiFi network is truly open, then client-to-access point traffic is open and can be sniffed by other clients on the network. But if the network is secured, even trivially as above, then each client's connection to the access point is individually encrypted and cannot be sniffed.
That means, if you needed any password to join the network, you needn't fear the questionable critter with the MBP in the corner (unless he's hacked the store's ISP or upstream from there).
Not true, unfortunately. The session key can be obtained as long as the attacker can capture the initial handshake (and they can send deauth packets to force the client and AP to handshake again). Wireshark does this decryption out of the box; just insert the WiFi password: https://wiki.wireshark.org/HowToDecrypt802.11
I don't see how this is possible. With a shared secret, there's no way to authenticate the AP. No auth means no defence against MITM. What am I missing? It might be harder to sniff but it's just a tool away, right?