Dear Starbucks: The skinny on how you can be a security hero


The recent hubbub around Firesheep has provided me with a golden opportunity to Venti my views on public WiFi hotspots and present my Grande Plan.

All of the attention (as intended) resulting from the release of Firesheep has been focused on the service providers and how they should be using SSL/TLS to protect users' sessions. That's great, even if I would have preferred a more delicate approach to proving the point.

But I think it's the right answer to the wrong question.

The right question is this: why is "public WiFi" always synonymous with "unencrypted WiFi"? Encryption has been a basic component of WiFi technology since the first versions of 802.11 were approved. I wouldn't suggest we go back to using WEP like we did in the early days, but even WEP is an improvement over nothing.

While Facebook and other companies should be providing us secure methods of connecting to their services, those companies kind enough to provide us with free internet access at cafes, airports and other public places are also part of the problem.

I propose standard adoption of WPA2 and a default password of "free". Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password.

Just type "free". It's not hard. In fact, operating system vendors could even program your PC to automatically try the password "free" before prompting you for a password on the assumption that you might be selecting a free service.

What is the value of a password if it is a "well-known secret?" WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another's traffic even when sharing access on the same access point. This is not true for WEP, but nearly all 802.11g access points (the most common) support WPA2 and can provide safe, convenient, free internet access.
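The per-client key derivation that paragraph relies on, as an added sketch that is not part of the original post: WPA2-Personal derives one PMK from the passphrase and SSID, then a separate pairwise key for each association from that PMK, both MAC addresses and both handshake nonces. The MAC addresses, nonces and passphrase below are constructed, and the passphrase is longer than "free" because the standard only accepts 8 to 63 characters.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """48-byte CCMP pairwise transient key (KCK | KEK | TK) for one association."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def temporal_key(ptk: bytes) -> bytes:
    """The last 16 bytes of the PTK encrypt that client's unicast traffic."""
    return ptk[32:48]

def demo():
    # Constructed sample values: one access point, two clients, same passphrase.
    pmk = derive_pmk("freefreefree", "Starbucks")
    ap = bytes.fromhex("020000000001")
    keys = []
    for name, mac in (("alice", "0200000000a1"), ("bob", "0200000000b2")):
        anonce = hashlib.sha256(b"anonce-" + name.encode()).digest()  # 32 bytes
        snonce = hashlib.sha256(b"snonce-" + name.encode()).digest()  # 32 bytes
        ptk = derive_ptk(pmk, ap, bytes.fromhex(mac), anonce, snonce)
        keys.append(temporal_key(ptk))
    return tuple(keys)

if __name__ == "__main__":
    tk_alice, tk_bob = demo()
    print("alice TK:", tk_alice.hex())
    print("bob   TK:", tk_bob.hex())
    print("distinct per-client keys:", tk_alice != tk_bob)
```

The PMK is identical for every client that enters the same passphrase on the same SSID; only the MAC addresses and handshake nonces make each pairwise key different.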

This is a golden opportunity for a high-profile provider of free WiFi to step up and show us how easy it is. I chose to call on Starbucks because they have a demonstrated policy of trying to do the right thing. In fact, their website says:

"...we dedicated ourselves to earning the trust and respect of our customers, partners and neighbors. How? By being responsible and doing things that are good for the planet and each other."

Starbucks partners with AT&T in the United States and Bell in Canada to provide their service. I am confident they both possess the expertise and staff to quickly convert Starbucks stores from providing fast, reliable internet access to providing fast, reliable and SECURE internet access.

Do you provide guest WiFi? Join my movement to provide a safer internet for everyone by making sure you provide secure wireless access. If you care enough to provide networking to your friends, neighbors, or customers, help them enjoy it securely.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski or send him an email at chesterw@sophos.com.