Dear Starbucks: The skinny on how you can be a security hero


See why we added comments to this site? Discussion isn’t just fun, it’s productive, too :-)

OK, the article below isn’t such a great idea after all – a publicly known pre-shared key on WPA WiFi access points protects only those people who connect to the WiFi network before a miscreant comes along. Miscreants who sit in Starbucks all day nursing an UeberGrande Triple Height MegaVol can recover the session contents of those who join the WiFi network after they do.

Thanks to all those who commented. Scrub this plan. As many of you said, and as we have always agreed, the problem remains the lack of end-to-end encryption in web transactions that include personal data of any sort. Onwards and upwards!

The original article follows for completeness…

The recent hubbub around Firesheep has provided me with a golden opportunity to Venti my views on public WiFi hotspots and present my Grande Plan.

All of the attention (as intended) resulting from the release of Firesheep has been focused on the service providers and how they should be using SSL/TLS to protect users’ sessions. That’s great, even if I would have preferred a more delicate approach to proving the point.

But I think it’s the right answer to the wrong question.

The right question is this: why is “public WiFi” always synonymous with “unencrypted WiFi”? Encryption has been a basic component of WiFi technology since the first versions of 802.11 were approved. I wouldn’t suggest we go back to using WEP like we did in the early days, but even WEP is an improvement over nothing.

While Facebook and other companies should be providing us secure methods of connecting to their services, those companies kind enough to provide us with free internet access at cafes, airports and other public places are also part of the problem.

I propose that WPA2 be adopted as the standard, with a default password of “free”. Whenever you wish to connect to complimentary WiFi, you select “Courtyard Marriott” or “Starbucks” like you always have, but you are then prompted for a password.

Just type “free”. It’s not hard. In fact, operating system vendors could even program your PC to automatically try the password “free” before prompting you for a password on the assumption that you might be selecting a free service.

What is the value of a password if it is a “well-known secret?” WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another’s traffic even when sharing access on the same access point. This is not true for WEP, but nearly all 802.11g access points (the most common) support WPA2 and can provide safe, convenient, free internet access.
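The per-client keys described above really are unique, but they are derived from the shared passphrase plus values that are sent in the clear during the WPA2 four-way handshake, which is exactly what the retraction at the top of this post is about. The following is an added example, not code from the original post or from any vendor, that walks through the WPA2-Personal key derivation as specified in IEEE 802.11i (PBKDF2 for the PMK, then the PRF-512 “Pairwise key expansion” for the PTK). The SSID “Starbucks”, the passphrase “free”, and the MAC addresses and nonces are constructed values for the demonstration; the known-answer check uses the passphrase/SSID test vector published in the 802.11 standard.

```python
import hashlib
import hmac

# WPA2-Personal (802.11i) key schedule, written out so the two properties
# discussed in the post can be checked side by side:
#   1. every client ends up with a different PTK (the post's claim), and
#   2. the PTK is fully determined by the passphrase and four public
#      handshake values, so a shared passphrase gives no isolation
#      (the retraction's point).


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0..3 and keep the first 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    All four inputs besides the PMK travel unencrypted in the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def temporal_key(ptk: bytes) -> bytes:
    """For CCMP the PTK is split KCK(16) || KEK(16) || TK(16); TK encrypts data frames."""
    return ptk[32:48]


def known_answer_check() -> bool:
    """PMK test vector from the IEEE 802.11 standard (passphrase "password", SSID "IEEE")."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return pmk_from_passphrase("password", "IEEE") == expected


def simulate_shared_passphrase_hotspot() -> dict:
    """Two laptops join a hotspot whose passphrase is public. All values are constructed."""
    ssid, passphrase = "Starbucks", "free"
    ap_mac = bytes.fromhex("02000000aa01")          # constructed AP BSSID
    laptop_a = bytes.fromhex("020000000001")        # constructed client MACs
    laptop_b = bytes.fromhex("020000000002")
    anonce_a, snonce_a = bytes([0x11]) * 32, bytes([0x22]) * 32   # constructed nonces
    anonce_b, snonce_b = bytes([0x33]) * 32, bytes([0x44]) * 32

    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk_a = ptk_from_handshake(pmk, ap_mac, laptop_a, anonce_a, snonce_a)
    ptk_b = ptk_from_handshake(pmk, ap_mac, laptop_b, anonce_b, snonce_b)

    # A third party who knows the passphrase and saw laptop A's handshake
    # runs exactly the same computation and lands on the same key.
    observer_ptk_a = ptk_from_handshake(
        pmk_from_passphrase(passphrase, ssid), ap_mac, laptop_a, anonce_a, snonce_a)

    return {
        "keys_differ_per_client": ptk_a != ptk_b,
        "observer_matches_client_a": observer_ptk_a == ptk_a,
        "tk_a": temporal_key(ptk_a),
        "tk_b": temporal_key(ptk_b),
    }


if __name__ == "__main__":
    print("802.11 PMK test vector OK:", known_answer_check())
    for k, v in simulate_shared_passphrase_hotspot().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Both of the post's observations survive the run: the two laptops get different temporal keys, so the author's statement about per-client keys is correct. What the derivation also makes visible is that nothing in it is secret except the passphrase; once that is “free”, the only thing separating a client's key from anyone else's copy of it is having seen the two nonces, which is why a shared PSK does not provide isolation between users of the same hotspot and why the retraction stands. WPA3's SAE handshake was later designed to fix this particular shortcoming by deriving the PMK from an exchange rather than from the passphrase alone.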

This is a golden opportunity for a high-profile provider of free WiFi to step up and show us how easy it is. I chose to call on Starbucks because they have a demonstrated policy of trying to do the right thing. In fact, their website says

“…we dedicated ourselves to earning the trust and respect of our customers, partners and neighbors. How? By being responsible and doing things that are good for the planet and each other.”

Starbucks partners with AT&T in the United States and Bell in Canada to provide their service. I am confident they both possess the expertise and staff to quickly convert Starbucks stores from providing fast, reliable internet access to providing fast, reliable and SECURE internet access.

Do you provide guest WiFi? Join my movement to provide a safer internet for everyone by making sure you provide secure wireless access. If you care enough to provide networking to your friends, neighbors, or customers, help them enjoy it securely.