Friday, March 17, 2006

How WiFi Sucks (and how to fix it)

I had to stop blogging the workshop after the WiFi broke down. That got me thinking about the fact that five years after people started pointing out how their security is broken they still don't get it.

Don't get me wrong, I am sure that the WPA cryptography is as good as anyone can make it. The problem is that fixing the cryptography is not the same thing as fixing the security.

The biggest problem with WiFi security is that it is simply too hard to configure.

Windows XP makes it especially hard to configure WEP. First you have to enter a 26 character hex key into a password form, then you have to re-enter it again to confirm. Did the designer of this interface ever ask themselves why it is necessary to enter an authentication key twice? The machine should be able to discover if the key is correct or not all by itself without bothering the user.

That is the first lesson: Security is not an excuse for a crappy user interface.

Before Apple users get too smug about their O/S I will point out that this is only one egregious symptom. Mac users still have to deal with the same silly key.

In theory WPA should fix this problem. In practice it might as well not exist if you already have a WEP network deployed. All the access points I have used that support WPA support it as an alternative to WEP. These boxes will not run both systems side by side. I now have 6 machines connected to my home wireless network. Switching them over would take half a day or so, and if any one of them did not work at the end I would have to either leave that machine off the network or spend another half day getting back to where I started.

This is the reason that I had to enter the 26 bit key at the workshop. Most people have machines that can handle WPA but some people are still stuck with WEP. The access points cannot do both at the same time so everyone has to go at the speed of the slowest.

That's the second lesson: A security improvement must provide an upgrade plan. Unless there is a way to upgrade a deployed network incrementally, the system designers should be sent back to try again.

At most conferences the security is turned off altogether. The same is true of public access at hotels, coffee bars etc. The reason is that they want to control access to the network. Sometimes it is a paid service and they need to collect a credit card number. Almost all public access points want agreement to their terms of service (e.g. don't send spam).

In order to allow the initial contact to take place en clair, the entire remaining session has to be en clair. Worse still, the customer has to agree to the silly terms of service every visit. That is not good if they are paying for the service.

That's the third lesson: If you don't provide a good authentication interface that meets their needs, people will bodge together a bad one.

So how to fix it? First get some usability people into the loop. Don't consider the system secure until they are willing to sign off on the system as having acceptable usability with security turned on by default.

Then provide a channel that lets the machine trying to connect to a network discover the types of authentication on offer. Next, design access points that support multiple security schemes rather than making them exclusive. Finally, define an extension to WPA that supports the type of rich authentication/agreement-to-terms dialogue that existing practice shows is in demand.
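To show what a connecting machine can already discover from an access point's beacon, and where the gap lies, here is an added example (not code from this post): a small decoder for the WPA and WPA2/RSN information elements that advertise cipher suites and key-management types. The element ids, suite OUIs and type codes are those of the 802.11i and WPA specifications; the beacon bytes below are a constructed sample, not a capture, and the helper names are my own.

```python
import struct

# Information element (IE) ids and suite OUIs as defined by IEEE 802.11 / WPA.
SSID_IE_ID = 0
RSN_IE_ID = 48          # WPA2 / 802.11i "RSN" element
VENDOR_IE_ID = 221      # vendor-specific element; pre-standard WPA uses it
IEEE_OUI = b"\x00\x0f\xac"
MS_WPA_OUI = b"\x00\x50\xf2"
PRIVACY_BIT = 0x0010    # "Privacy" bit in the beacon capability information field

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}


def parse_ies(data):
    """Split the TLV-encoded IE run of a beacon into (id, value) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element id %d" % eid)
        ies.append((eid, value))
        pos += 2 + length
    return ies


def suite_name(selector, oui, names):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if selector[:3] != oui:
        return "vendor-specific"
    return names.get(selector[3], "type-%d" % selector[3])


def parse_suites(body, pos, oui, names):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("suite count missing")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    suites = []
    for _ in range(count):
        if pos + 4 > len(body):
            raise ValueError("suite list runs past end of element")
        suites.append(suite_name(body[pos:pos + 4], oui, names))
        pos += 4
    return suites, pos


def decode_rsn(kind, body, oui):
    """Decode the shared WPA/RSN layout: version, group cipher, pairwise list, AKM list."""
    if len(body) < 6:
        raise ValueError("%s element too short" % kind)
    (version,) = struct.unpack_from("<H", body, 0)
    group = suite_name(body[2:6], oui, CIPHER_NAMES)
    pairwise, pos = parse_suites(body, 6, oui, CIPHER_NAMES)
    akm, pos = parse_suites(body, pos, oui, AKM_NAMES)
    return {"kind": kind, "version": version, "group": group,
            "pairwise": pairwise, "akm": akm}


def classify(capabilities, ie_bytes):
    """Return ("open" | "wep" | "wpa", [decoded schemes]) for one beacon's contents."""
    schemes = []
    for eid, value in parse_ies(ie_bytes):
        if eid == RSN_IE_ID:
            schemes.append(decode_rsn("WPA2", value, IEEE_OUI))
        elif eid == VENDOR_IE_ID and value[:4] == MS_WPA_OUI + b"\x01":
            schemes.append(decode_rsn("WPA", value[4:], MS_WPA_OUI))
    if not (capabilities & PRIVACY_BIT):
        return "open", []          # no link-layer security advertised at all
    if not schemes:
        return "wep", []           # Privacy bit set but no WPA/RSN element: WEP
    return "wpa", schemes


# Constructed sample (not a real capture): an SSID element, a WPA vendor element
# (TKIP, PSK) and an RSN element (CCMP+TKIP, PSK), as a mixed-mode AP would send.
SAMPLE_IES = (
    bytes([SSID_IE_ID, 8]) + b"workshop"
    + bytes([VENDOR_IE_ID, 22]) + MS_WPA_OUI + b"\x01"
    + b"\x01\x00" + MS_WPA_OUI + b"\x02"
    + b"\x01\x00" + MS_WPA_OUI + b"\x02"
    + b"\x01\x00" + MS_WPA_OUI + b"\x02"
    + bytes([RSN_IE_ID, 24]) + b"\x01\x00" + IEEE_OUI + b"\x02"
    + b"\x02\x00" + IEEE_OUI + b"\x04" + IEEE_OUI + b"\x02"
    + b"\x01\x00" + IEEE_OUI + b"\x02" + b"\x00\x00"
)
SAMPLE_CAPABILITIES = 0x0011   # ESS + Privacy bits set

if __name__ == "__main__":
    kind, schemes = classify(SAMPLE_CAPABILITIES, SAMPLE_IES)
    print(kind)
    for s in schemes:
        print("  %s group=%s pairwise=%s akm=%s"
              % (s["kind"], s["group"], s["pairwise"], s["akm"]))
```

Run against the sample, the decoder reports both WPA and WPA2 with their ciphers and PSK key management, so a client can pick the strongest scheme it supports without the user being asked. WEP, by contrast, appears only as a set Privacy bit with no suite detail, and a captive portal or terms-of-service step is not advertised in the beacon at all, which is exactly the discovery gap the third lesson describes.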
