Protected WLAN

Tim Smith tim at electronghost.co.uk
Mon May 23 12:58:15 UTC 2011


On Wednesday 18 May 2011 04:52:47 Genes MailLists wrote:
> On 05/17/2011 12:36 PM, Frank Murphy wrote:
> > Also if it's your home wLan, hide it, don't broadcast the ssid.
> > So those in your neighbourhood won't even know you have a wireless.
> 
>  As many have pointed out - you should not disable SSID broadcast.
> 
>  Disabling it offers zero security benefit and makes wifi work less well
> than it was designed. Especially when there are multiple APs on the
> same SSID.
> 
> In fact hidden SSID may even worsen security. It also violates 802.11 -
> and I believe later versions state that a computer may refuse to
> connect to any AP which does not broadcast its SSID in accordance with
> the standard ... someone can confirm that I'm sure.
> 
> For some reason this hidden SSID theory leaked from some bad well a long
> time ago and has managed to survive ... who knows why.
> 
>  If you do it and find things (phones perhaps) refuse to connect to your
> AP - don't be surprised.

Late to the party, but just for useful information, disabling SSID broadcast 
is NOT a violation of 802.11 :-) It's mandatory to put the SSID information 
element in your beacons, but there's nothing that says you have to tell the 
truth, and likewise no explicit prohibition against including multiple SSID 
information elements. Enterprise APs use this as a means to support multiple 
SSIDs on one BSSID, with each SSID mapped to a different VLAN (after 
association, the mapping is maintained by Association ID, not SSID), but there 
is of course a tradeoff as many stations do not understand more than one SSID 
in a beacon/probe response. Sending multiple beacons is a no-no; the medium is 
crowded enough as it is.

The usual compromise is to advertise any "guest" SSID in the beacons (this 
also applies to encryption and other information), and to respond to probe 
requests which contain a particular SSID with the correct information for that 
SSID. A station which relies on being able to pick up the SSID off the air has 
a user-interface bug.

One problem lies in the fact that 802.11 does not specify a particular means 
of giving a NULL SSID so different APs do it in different ways. Some give a 
zero-length SSID. Some give an SSID of length 1 consisting of a zero octet (a 
C null-terminated empty string). Some use a single ASCII 32. Some use a number 
of spaces equal to the length of the real SSID. You will thus find all sorts 
of rubbish in your list of available APs when looking at it using a station. 
Some of the older ones may Go All Funny :-(

However, the SSID WILL be present in a probe response to a probe request which 
contained it, so it's available to anyone with a sniffer. This has to be the 
case or no stations would ever be able to find it to associate, as you 
obviously know :-)


-- 
But while the ant gathered food, the grasshopper contracted to a point on a 
manifold that was NOT a 3-sphere...
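
The following is an added example, not part of the original post: a parser that walks the information elements of a beacon or probe-response body and classifies each SSID element into the "null SSID" encodings the post lists, so a station's AP list can show a single placeholder instead of rubbish. The function names, the classification labels and the sample frame bodies are constructed for illustration.

```python
import struct

SSID_ELEMENT_ID = 0    # element ID of the SSID information element
FIXED_FIELDS_LEN = 12  # timestamp (8) + beacon interval (2) + capability (2)

def iter_elements(body):
    """Yield (element_id, data) for each information element in a frame body."""
    pos = FIXED_FIELDS_LEN
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        yield eid, data
        pos += 2 + length

def classify_ssid(data):
    """Map raw SSID element bytes to one of the encodings listed in the post."""
    if len(data) > 32:  # 802.11 caps the SSID at 32 octets
        raise ValueError("SSID element longer than 32 octets")
    if data == b"":
        return "hidden/zero-length"
    if data == b"\x00":
        return "hidden/single-zero-octet"
    if data == b" ":
        return "hidden/single-space"
    if data.strip(b" ") == b"":
        return "hidden/space-padded"
    return "visible"

def ssid_report(body):
    """Return [(kind, display_name)] for every SSID element in the body."""
    report = []
    for eid, data in iter_elements(body):
        if eid == SSID_ELEMENT_ID:
            kind = classify_ssid(data)
            name = data.decode("utf-8", "replace") if kind == "visible" else "<hidden>"
            report.append((kind, name))
    return report

def make_body(*ssids):
    """Build a constructed frame body: fixed fields, SSID elements, one rates element."""
    body = struct.pack("<QHH", 0, 100, 0x0411)
    for ssid in ssids:
        body += bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    return body + bytes([1, 1, 0x82])  # Supported Rates element (ID 1), 1 Mb/s basic

if __name__ == "__main__":
    for sample in (make_body(b""), make_body(b"\x00"), make_body(b"     "),
                   make_body(b"guest", b"staff")):
        print(ssid_report(sample))
```

The last sample carries two SSID elements in one body, the multi-SSID case described above; a parser that stops at the first element would report only "guest".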

