Tuesday, January 15, 2008

To WPA or not to WPA?

Renowned security expert Bruce Schneier wrote a controvertial essay arguing about the benefits of keeping his home wireless network unsecured. He talks a lot about less important things like the possibility of someone using your network for doing bad stuff and getting you involved in legal proceedings. He is not concerned about it and neither am I.

However, as this article points out Bruce mentions the most important point only in passing: he has secured his computers in a way that the wireless link being unsecure does not matter to him(perhaps disk encryption and VPN). This is probably because he travels a lot and uses unsecured wireless access often. Many people don't. I don't use any public wireless network. I don't have a reason to use PGP or any other disk encryption techology on my laptop. I do however have a desktop at home which is accessible only from behind my internet firewall and since it is connected only via a wired link I do not have to lock it down (use long and difficult passwords, change passwords often, use disk encryption etc). If I make my wireless network open, drive-by hackers can easily hack into my desktop and laptop. Passive eavesdroppers can read my mail, instant messages etc. easily when I am using my laptop to access them. Choosing between taking that risk and enabling WPA is a no-brainer for me.

Regarding WPA Bruce says:
"This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are."
The question is not whether WPA has any flaws or not, it is whether any have been found and are easily exploitable by drive-by hackers. In his own words "security is a tradeoff". As a I mentioned above this tradeoff is a no-brainer to me.

The bulk of Bruce's argument centers on social politeness. He has an open network to provide people "stranded without internet access" the courtesy of using his network. If this can be done without jeopardizing my own security I won't mind. However, I am not going to encrypt my disks, use strict password policies etc in order to do that. Bruce already did that for other reasons and "sharing" is easy for him. Good for his neighbors!

However, the social politeness argument involves another party: the ISP. This article does a good job of explaining that factor. Under most ISP's terms of service, sharing your internet connection is analogous to sharing your cable TV: it is illegal. There may be other terms of service where you buy internet access "by the byte or by the hour" and in those cases it is perfectly OK to let others use your connection. However, how many people will continue to extend this courtesy if it cost them by the byte? It is easy to share something that doesn't cost you anything extra. Bruce uses economic reasoning particularly the concept of externality often to explain security issues. That concept applies here: the action of a subscriber to extend his internet access to neighbors and others has a consequence for the ISP. Charging by the byte or by the hour makes this externality "internal".

In conclusion, regarding the question of whether to use WPA on your home wireless or not, I find that it really depends on your situation. If your computers are secured and your ISP does not mind, you may decide to extend "internet access courtesy" to those in your wireless range. Otherwise, it is better to secure your wireless connection.