Dreaming of open Wi-Fi

Was it just yesterday that people could just sit on a bench in a foreign city, scan the airwave, and just connect to an open Wi-Fi network? It wasn’t called Wi-Fi stealing then, and I know many people who enjoyed the connectivity. But you cannot do that anymore. Today, a scan of the Wi-Fi band reveals lots of protected networks. The networks that are left open are either commercial or hackers. Commercial networks want to charge you $10 for an hour of connection. Hackers want you to connect to their network so they can do something nefarious with your data or your computer. No wonder we end up paying through the nose for a flimsy cellular Internet connection.

I actually had a part in the closing of Wi-Fi networks. A few years ago, I was managing the development of the Wi-Fi stack in Windows, and it was pretty obvious that we needed to do something about Wi-Fi security. Many people may not object to sharing their Internet bandwidth, especially when they do not use it. But sharing your Wi-Fi connection does more. It provides direct access to all the computers in your home. Chances are that some of these computers or appliances are old, or unpatched, or poorly configured. So we made it really easy for Windows users to manage Wi-Fi passwords. Together with the networking industry, we engaged in an education campaign to ask people to secure their network. It seems that we were really successful.

Of course, we will not come back to a time when all network were open. Besides the security risks, there is also a potential liability. If someone connects to the Internet through your network and does something nefarious, the IP traces will point to your router. You may well have to go to court and try to prove that no, it wasn’t you. That defense may or may not work well. In fact, Germany just passed a law that requires that every Wi-Fi user secures their access point, precisely so that people could not hide behind open Wi-Fi connections. So, we have to accept that networks in the future will be protected. If we want to enable sharing, we will have to work through that.

All that does not mean we cannot enable Wi-Fi sharing. We just need to engineer a solution that is secure for the Wi-Fi owner and also secure for the visitors. The visitor’s traffic shall be properly isolated from the home network, in order to not expose the local computers and appliances. The visitor shall be kept accountable, which probably requires signing with a verifiable network identity, and keeping logs of who visited what when. The visitor shall be able to verify that the shared network has a good standing, if only to not waste time connecting to poorly connected services.

None of that seems overly hard to do. In fact, we have examples of such deployment between universities worldwide, with EDUROAM. When a student or a professor from some EDUROAM member, say “A.EDU” visits another university, say “B.EDU”, they can connect to the local network, say “B-WIFI.” They are requested to sign-in, and they do that by providing their identity at their home university, e.g. john.smith@A.EDU, and their own password. This is done using professional grade equipment and protocols. Wi-Fi authentication uses 802.1x, which is also used in most enterprise networks. The authentication requests are routed using RADIUS, and they are typically encrypted so that man-in-the-middle cannot access the password. It appears to work very well.

Of course, EDUROAM only services universities, and there are big differences between universities and homes. For example, EDUROAM does not make too many efforts to isolate visitors. Visiting scholars may well need to access local computers, so isolation would be counterproductive. Also, a university network is typically shared by thousands of students, and is thus not very isolated to start with. The consumer grade Wi-Fi routers often do not support 802.1x, this is considered a “professional” feature. RADIUS is an “infrastructure” protocol which is well suited for linking universities, but would be hard to deploy between millions of homes. But EDUROAM outlines one of the key components of the solution: network based authentication.

Now, we just have to fill the gaps. Can we deploy solutions that are simple enough for home routers, yet have all the good properties of EDUROAM? I have seen many people and company try, but they have yet to succeed. Maybe it is just too hard, and we have to try something else, like the mobile connection sharing developed by Open Garden. But we can still dream of open Wi-Fi…


About Christian Huitema

I have been developing Internet protocols and applications for about 30 years. I love to see how the Internet has grown and the applications it enabled. Let's keep it open!
This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Dreaming of open Wi-Fi

  1. foo says:

    What you describe sounds a lot like what the French ISP Free did with their FreeWifi network. DSL customers are loaned a custom made DSL router with Wifi for home use. Customers can enable Wifi sharing: then, using credentials provided by the ISP, they can use Wifi from any DSL box of any other customer that also enabled Wifi sharing. The SSID for Wifi sharing is the same everywhere (FreeWifi), and separate from the “normal” Wifi for home use. Users of the FreeWifi get a public IP address from a pool of IPs separate from regular DSL customers, they are completely isolated. Also, bandwidth for FreeWifi users is limited, so as not to disturb owners of the DSL line.
    The only thing Free didn’t do so well is authentication: it uses a web portal and not a regular wifi authentication scheme. But in the end it works quite well, for millions of Free customers.

    • That’s certainly a good thing for Free’s subscribers., although it will only work for them, and only in France. I understand that Comcast is planning something similar in the US. What would be even better would be to find a way to “federate” these offers, in the way Eduroam federates university networks.

Leave a Reply to Christian Huitema Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s