There is a common misconception that captive portal-based authentication constitutes "wireless security".
This is not only false; captive portal-based authentication can actually leave you
more exposed than running purely open wireless.
There are three aspects of wireless security: (1) user authentication, (2) over-the-air encryption, and
(3) network authentication. A weakness in any one aspect exposes the other areas, and the entire system,
to compromise.
Open wireless networks may employ a captive portal to fulfill #1, but cannot achieve #2 or #3. Without #2 or
#3, the user authentication can easily be intercepted, spoofed, or bypassed. Until recently, open SSID proponents
argued that users should be aware of their network use and monitor the browser bar for proper use of HTTPS,
and that HTTPS would therefore protect the user's authentication to the network, banking sites,
social media sites, etc.
While security experts have long warned about the dangers of open wireless (with or without a captive portal),
two recent developments have made the weaknesses of open wireless plainly visible. First, with phone apps, the user
has no visibility into the network traffic generated. The user therefore does not know whether an
app is using HTTPS and, if so, whether the server's certificate is valid. This defeats the argument that the user
should simply watch the browser bar.
Second, the developers of Firesheep exploited the weaknesses of open wireless to create a user-friendly application for hijacking sessions on a number of social
media sites. Firesheep provided an easy-to-grasp demonstration of the dangers of relying on an unencrypted wireless network,
regardless of the user's awareness level.
Don't blame open wireless for all its vulnerabilities. After all, it has been around since the 1990s, when wireless
was a plaything. Our stubborn reliance on it more than a decade later is to blame.
So how do you go about securing wireless? The Wi-Fi Alliance has standardized it in the form of WPA2-Personal
and WPA2-Enterprise. WPA2-Personal relies on a single pre-shared key (the network key) to provide over-the-air encryption (#2).
Due to its "personal use" focus, it does not attempt to address network authentication (#3).
WPA2-Enterprise relies on 802.1X to handle authentication and to provide over-the-air encryption (#2) with per-user keys.
It is the only form of wireless security addressing all three aspects. Because 802.1X is an IEEE standard,
it is also the basis for newer security standards, including dynamic VLAN, ACL, and bandwidth assignment.
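To make the three aspects concrete, here is an added example (not from this post or from XpressConnect) of hostapd access-point configurations for each of the three network types described above, followed by the matching wpa_supplicant client entry for the enterprise network; the SSIDs, the RADIUS server address, the CA file path and the server name are assumed values.

```ini
# --- hostapd-open.conf: open SSID fronted by a captive portal ---
# The portal can cover #1, but nothing here encrypts traffic (#2)
# or proves to the client which network it joined (#3).
interface=wlan0
ssid=guest-portal
hw_mode=g
channel=6
auth_algs=1

# --- hostapd-psk.conf: WPA2-Personal ---
# One shared passphrase keys the over-the-air encryption (#2).
interface=wlan0
ssid=home-psk
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder passphrase
wpa_passphrase=REPLACE-WITH-A-LONG-PASSPHRASE

# --- hostapd-enterprise.conf: WPA2-Enterprise over 802.1X ---
# Per-user credentials (#1), per-session keys (#2), and a RADIUS
# server certificate the client can verify (#3).
interface=wlan0
ssid=corp-secure
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# assumed RADIUS server address and placeholder shared secret
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-RADIUS-SECRET

# --- wpa_supplicant.conf: the client side of corp-secure ---
# #3 only holds if the client verifies the server certificate; without
# ca_cert and domain_suffix_match it would trust any AP announcing this SSID.
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="REPLACE-WITH-PASSWORD"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

The client-side lines are the part most often skipped in practice: a WPA2-Enterprise network only delivers network authentication when every supplicant is configured to check the RADIUS server's certificate.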
XpressConnect can help with the adoption and support of both WPA2-Personal and WPA2-Enterprise. For WPA2-Personal,
XpressConnect hides the network key from the user and provides self-service configuration on a wide variety of devices.
For WPA2-Enterprise, XpressConnect automates the detailed configuration and assists the user with the authentication
process. Either way, XpressConnect goes beyond simple configuration and ensures the user successfully gains
connectivity to the secure network.