Protected WLAN

Marko Vojinovic vvmarko at gmail.com
Fri May 20 09:07:11 UTC 2011


On Friday 20 May 2011 05:30:11 JD wrote:
> On 05/19/11 21:14, Tim wrote:
> > On Fri, 2011-05-20 at 12:19 +0900, Misha Shnurapet wrote:
> >> Nope, if you're a plain user like me using an applet to "scan" you'll
> >> only see what's broadcast.
> > 
> > Nope, depending on your client, you'll see them all.  Even Windows did
> > that.  You'd see a list of *all* transmitting access points, and the
> > ones with the so-called hidden SSID listed as "unnamed."
> > 
> > It really is bogus advice to hide it.
> > 
> >       1. Clueless user follows bogus advice, falsely believes it makes
> >          them safer.
> >       
> >       2. Clueless user, then, finds things that they want to connect to
> >          their WLAN, now, won't connect.
> >       
> >       3. Clueless user has to ask for help.
> >       4. Wastes all our time.
> >       5. Slightly clueful user, now, starts to broadcast their SSID and
> >          everything works fine.
> >       
> >       6. Or, pigheaded clueless user continues to hide their SSID, and
> >          continues to fight with WLAN and mailing list...
> 
> Tim, your points are way too generalized.
> No one said not broadcasting alone will make you
> safer. It is advised as part of the larger defense
> scheme

That is very bad advice. Hiding SSID has *nothing* to do with any security, 
and suggesting that it does is just a mirage, giving a casual reader a false 
sense of security. It (a) breaks regular WLAN functionality and (b) gains 
absolutely nothing in terms of security. Such a setup can be useful only if 
you intentionally want to break the regular functionality of your wireless 
network. There are some scenarios where that might be useful, but none of them 
have anything to do with security.

If you want to secure a wireless network, implement wpa2-psk/aes and use 
strong passphrases for everything. That is the *only* thing that makes your 
wlan reasonably secure. But hiding SSID, filtering MAC addresses, is just 
useless in terms of security.

I believe that was Tim's point as well.

> of choosing a strong protocol, a strong encryption
> scheme, a 63 byte string, preferably random if user can
> work with it, ...etc ...etc.
> You keep harping about a point that is just one of several
> to help individuals be as safe as possible, while keeping
> things manageable.

Tim is not harping, he is just trying to point out (as I did) that it is *not* 
one of the several things to help individuals be as safe as possible. It gains 
exactly *zero* in terms of wireless security.

If you think that hiding SSID will help with security, you might as well add 
that hanging a pack of onions in front of the house will also help make your 
wireless more secure (in case of a vampire hacker attack, I guess :-) ). It is 
advice of the same quality, securitywise. Iow, an urban legend (or a rural 
one, depending on your preference ;-) ).

> You proceed on the assumption that
> everyone who wants to connect to your wlan is a savvy
> hacker with the right tools.
> I do not think that that is the case.

Those without the right tools will not be able to break in, even if you have 
only a stupid plaintext password security implemented. Those with the right 
tools (even incompetent idiots with the right tools, aka script-kiddies) will 
not even notice that your SSID is hidden, because the tools just don't make 
the difference between hidden and public.

Anyway, I believe both Tim and I have made our point for the readers of this 
thread who wish to hear and understand. If you still think it's a good idea, 
go ahead. Everyone is allowed to dream as they like, there's no point in 
repeating "it's not real, it's not real" to a determined dreamer... ;-)

Best, :-)
Marko


