
Comment: Wifi's derided WEP heads for trash can - or does it?

by Guy Kewney | posted on 23 November 2002


The trouble with security is not that it can't be achieved. It can. That is, if anybody actually cared, it could be. But do they? And if they do, will Protected Access really be more than a stop-gap before 802.11i becomes universal?


First company to announce support for the new WiFi "Protected Access" security system was Enterasys. Well, it was the first organisation to notify the NewsWireless Net that it was going to: the procession will become a carnival by February. And on the face of it, everybody should be pleased. And it seems they are.

"The much-criticized Wired Equivalency Privacy standard is officially on its way to the trash heap today," wrote Wireless Week enthusiastically.

"The patch was a must, as hackers, analysts and government officials blasted the WEP security standard as a joke, easily circumvented at times by free software downloaded from the Internet," it continued.

In reality, WEP is more security than most people want. Most people don't have information worth the effort of concealing. Yes, of course if you were prepared to spend the time and effort, you could crack WEP; but only if you felt it was worth the effort. But the fact is, to crack a single WEP key, of the sort a home access point has with a single client or two, you would have to spend a week or more capturing data, with just an ordinary PC to crack the encryption.

For example, a friend of mine was in New York, and went for a walk in Central Park. There, he was delighted to discover, the authorities provide a public access network - an 802.11b network so you can access the Internet in the park itself. He contacted me from a bench, via instant messenger: "You'll never guess!" he said, "there are three people here in range, and I can see the contents of their hard disks! They've got file sharing on!"

I wondered what, on their hard disk, he regarded as worth snooping into. "Not a thing, why?" Well, then; why should they worry about security? Perhaps they should turn file sharing off, yes; but why would they bother with WEP? And by the same token, there are burglars, but most of us nonetheless have houses with windows made of glass. You wouldn't leave the door open, when you went out - but you wouldn't replace all the glass with sheet steel.

Malice, of course, does exist. There are people who write viruses; and you don't, if you have any sense, go around unprotected. But there really aren't a lot of people like that. Mostly, people who want to hack into computers want to do it for commercial reasons. You might, for example, want to sneak into the Microsoft wireless LAN and pry into their strategies ... and maybe find a way of selling inside information for a very great sum.

So that would be worth spending the time and resources to crack WEP in an hour or so. Which, of course, you can do if you're on a big campus and seeing a lot of wireless traffic from which you can snoop the WEP key.

But Microsoft, as we know, already has a secure wireless network. It has gone for an alternative method of securing the LAN which uses 802.1x authentication to avoid the need for other forms of encryption - and security chief John Biccum regards his WLAN as more secure than his wired network.

Will people like Microsoft switch to PA? Almost certainly not; they'll wait, at least, for 802.11i. Will they even switch from 802.1x to 802.11i? Maybe not, or at least, not easily or swiftly - the upheaval would be profound, and it isn't obvious what they'd gain. Will home users switch from WEP to Protected Access?

That's the good news; we won't have a choice. When Protected Access starts shipping, early next year, security will be optional. But within a specified period, the WiFi Alliance will not certify WLAN products unless they ship with security "ON!" out of the box.

Sometime between now and then, will someone find a way to crack PA? Possibly; it would be a rash gamble to bet that it can't be done. Will it matter? I can't think so. In a nutshell, those for whom security matters have already found adequate protection from any real risks. For the rest of us, the risks aren't real. But at least the standard level of security will be that much better, and the risks, real or imaginary, less of a cause for complaint and headline.

That is, of course, assuming that people can be arsed to set the security up properly. And that is entirely another story ...