Many people think that WiFi will be everywhere sometime soon. I agree, but wonder in what form, or rather, how many forms. Muni wireless projects are happening all over the place, as they should. There are substantial benefits for public infrastructure - providing private networks for city departments and emergency services. But what about public access? Given that politics is involved, I somehow don’t think ‘anonymous’ open access to WiFi will last long, not on that scale. Just one high-profile lawsuit over a minor or transient downloading illegal porn or committing other crimes over the Internet and there’s the end of that. And what about CALEA? Can a wiretap be targeted and guaranteed without being certain of the IP or even MAC address? Then there is also the constant threat of the so-called Evil Twin and the harvesting of MAC addresses, usernames and passwords.
The need for 802.1X
Wireless security. It just sounds right. And it is right, particularly in certain circumstances: when you’re talking about massive coverage through a city-wide mesh or in the homes of residents. Many people already use some kind of wireless security in their homes, usually WEP (not good) or WPA Personal (better). Others intentionally leave their access points open as a way of sharing, or just don’t know any better. Regardless, I believe people want security and the ability to share with friends and community. This is possible by passing around WEP or WPA-PSK keys, made easy with the help of software. But that is perhaps not well suited to the muni or large-scale community.
For ubiquitous WiFi access networks, the solution lies in WPA-Enterprise and 802.1X. It provides wireless security using standard technologies, takes advantage of the inter-community roaming and provisioning features found in access controllers using RADIUS, and is very likely to be compatible with WiMAX networks down the road.
What makes 802.1X so great? The answer can get technical, but boils down to 1) robust wireless security, 2) centralized access provisioning and configuration, and 3) being able to ‘authenticate’ the network before revealing any username or password (similar to how SSL works on secure websites). Then why don’t people use 802.1X more? First of all, people do! At work, on campus, even at commercial and public hotspots. Perhaps mainstream adoption is slow because Windows doesn’t make it overly easy to configure - certainly not as easy as on a Mac. But that might soon change as cross-platform “smart clients” become more widely available and easy to use.
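Point 3 only holds if the client is actually configured to validate the RADIUS server. The following is an added example, not from the original post: a Python check that flags 802.1X network blocks in a wpa_supplicant.conf (assumed here as the client) where credentials would be offered without authenticating the network. The SSIDs, identity, CA path and server name are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs, identity and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="city-mesh-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
}
network={
    ssid="city-mesh-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(conf):
    """Map each 802.1X SSID to findings about how the server is validated."""
    report = {}
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK and open networks are out of scope for this check
        findings = []
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert: server certificate is not verified")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no name match: any server the CA signed is accepted")
        report[net.get("ssid", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "server validation configured")
```

A block with no findings is one where an Evil Twin access point cannot complete the TLS handshake as the expected server, so the inner username and password exchange never starts.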
The need for captive portal
Ok, wireless security is great, but there is a purpose to having a captive portal - almost always with an “open” access point (no wireless security), though not necessarily. The portal is important to communities and venues like cafes, hotels, airports, and so on, not only to sell access, but to give useful location-specific content. In many of these cases, the threats of the open access point are mitigated by the fact that they are in public places - people doing something they shouldn’t tend to be suspicious in other ways and draw attention (as the theory goes). Additionally, some commercial WiFi products can help venue owners detect and deal with rogue access points and other security threats. Captive portal applications can be made relatively safe for casual use. And do visitors of such places really expect their traffic to be secure? I would guess the expectation of security is less than when connecting at home, work, school, or the city mesh - places where people feel comfortable and networks they use every day.
That’s not to say having a captive portal, or “walled garden,” isn’t beneficial even when using 802.1X. It can provide instructions on how to access the Internet using an existing account (of this or a roaming network, or voucher code) and how to obtain one if new to the network. It can also give general information about the community, the project, maps of the area, and where to find help.
Large-scale WiFi networks should, of course, service their communities in a responsible way. I believe doing so is part technical: wireless security; part social: not promoting “all WiFi is good”; part legal: not a safe haven to do all the things you don’t want to do from home; and part business: don’t ruin the commercial and community WISP.
What is still needed is the ability to seamlessly access your home and community WiFi without having to compromise individual security and, at the same time, to selectively share and use the access of others. That means using your own credentials for 802.1X in friends’ homes or in the city mesh, or a captive portal in the community centers, cafes, hotels,… places you “trust.” As previously noted, we still need client software to balance security with ease of use, and that is coming. But we also need communities to be built and a public roaming network to be established. One step at a time.