Christian Huitema

Dreaming of open Wi-Fi


Was it just yesterday that people could just sit on a bench in a foreign city, scan the airwave, and just connect to an open Wi-Fi network? It wasn’t called Wi-Fi stealing then, and I know many people who enjoyed the connectivity. But you cannot do that anymore. Today, a scan of the Wi-Fi band reveals lots of protected networks. The networks that are left open are either commercial or hackers. Commercial networks want to charge you $10 for an hour of connection. Hackers want you to connect to their network so they can do something nefarious with your data or your computer. No wonder we end up paying through the nose for a flimsy cellular Internet connection.

I actually had a part in the closing of Wi-Fi networks. A few years ago, I was managing the development of the Wi-Fi stack in Windows, and it was pretty obvious that we needed to do something about Wi-Fi security. Many people may not object to sharing their Internet bandwidth, especially when they do not use it. But sharing your Wi-Fi connection does more. It provides direct access to all the computers in your home. Chances are that some of these computers or appliances are old, or unpatched, or poorly configured. So we made it really easy for Windows users to manage Wi-Fi passwords. Together with the networking industry, we engaged in an education campaign to ask people to secure their network. It seems that we were really successful.

Of course, we will not come back to a time when all network were open. Besides the security risks, there is also a potential liability. If someone connects to the Internet through your network and does something nefarious, the IP traces will point to your router. You may well have to go to court and try to prove that no, it wasn’t you. That defense may or may not work well. In fact, Germany just passed a law that requires that every Wi-Fi user secures their access point, precisely so that people could not hide behind open Wi-Fi connections. So, we have to accept that networks in the future will be protected. If we want to enable sharing, we will have to work through that.

All that does not mean we cannot enable Wi-Fi sharing. We just need to engineer a solution that is secure for the Wi-Fi owner and also secure for the visitors. The visitor’s traffic shall be properly isolated from the home network, in order to not expose the local computers and appliances. The visitor shall be kept accountable, which probably requires signing with a verifiable network identity, and keeping logs of who visited what when. The visitor shall be able to verify that the shared network has a good standing, if only to not waste time connecting to poorly connected services.

None of that seems overly hard to do. In fact, we have examples of such deployment between universities worldwide, with EDUROAM. When a student or a professor from some EDUROAM member, say “A.EDU” visits another university, say “B.EDU”, they can connect to the local network, say “B-WIFI.” They are requested to sign-in, and they do that by providing their identity at their home university, e.g. john.smith@A.EDU, and their own password. This is done using professional grade equipment and protocols. Wi-Fi authentication uses 802.1x, which is also used in most enterprise networks. The authentication requests are routed using RADIUS, and they are typically encrypted so that man-in-the-middle cannot access the password. It appears to work very well.

Of course, EDUROAM only services universities, and there are big differences between universities and homes. For example, EDUROAM does not make too many efforts to isolate visitors. Visiting scholars may well need to access local computers, so isolation would be counterproductive. Also, a university network is typically shared by thousands of students, and is thus not very isolated to start with. The consumer grade Wi-Fi routers often do not support 802.1x, this is considered a “professional” feature. RADIUS is an “infrastructure” protocol which is well suited for linking universities, but would be hard to deploy between millions of homes. But EDUROAM outlines one of the key components of the solution: network based authentication.

Now, we just have to fill the gaps. Can we deploy solutions that are simple enough for home routers, yet have all the good properties of EDUROAM? I have seen many people and company try, but they have yet to succeed. Maybe it is just too hard, and we have to try something else, like the mobile connection sharing developed by Open Garden. But we can still dream of open Wi-Fi…