How to do free Wi-Fi right

Summary: Don't hassle your customers by making them log into Facebook or Twitter to get to the free Wi-Fi. The right way is simple, but not necessarily intuitive.

TOPICS: Wi-Fi, Security

I'm writing this at Starbucks. To connect to the Wi-Fi (provided by AT&T) I have to go through an annoying ritual: after joining the AT&T Wi-Fi network, open a browser, load any web page (which comes up with some ads), click AT&T Wi-Fi's Accept and Connect button, watch an ad for a few seconds until the "Stop sponsor message" link shows up, and then click one more link to dismiss the whole stupid pretense and move on to the task I really did want to do.

I don't want to complain too much about this. It doesn't take long and, in exchange, I get free Internet access. I have my doubts of whether it benefits AT&T or just builds ill will for them (and maybe for Starbucks). Now small businesses that want to provide Wi-Fi for their customers can build that same ill will with routers that make the user sign on to the business's Facebook or Twitter page to get access to the Internet.

The upside for the business is that you automatically get a "Like" or something like it when the user logs on to your Wi-Fi. Once again, it seems like a small price to pay, but it pushes me over the line of discomfort. I don't casually go Liking around things, and what if I'm not a member of any of the services they support?

Purple Wi-Fi does the same thing, although they do a lot more too, like content filtering and analytics tools. Purple Wi-Fi has an optional registration page you can offer if users don't want to sign on with social media. This is better than not having access, but still sucks a little.

Purple Wi-Fi, incidentally, takes a really weird approach to their task of providing enhanced router services: They run as custom firmware which you must flash on your router. Here's their list of supported devices.

There's one more really big problem with these products: they all perpetuate the widespread practice of public Wi-Fi hotspots that are open and unencrypted. None of them solves the underlying problem, which is perhaps a basic design flaw in Wi-Fi or perhaps just intractable: in order to give the user an interface that makes connecting easy, you must first connect them to the network, and if you connect them without any previously shared secret, the connection has to be unencrypted. Businesses generally avoid having a password that users must enter.

What's the right way for a small business, one not willing to pay real consultants and buy real business hardware, to provide free Wi-Fi? The first part of the answer is that you don't leave it open and unencrypted. Users generally don't understand it, but when they are connected, as I am now at Starbucks, their connection is insecure. (I deal with it by using a VPN service, HMA Pro.) Just because you have to click "Accept" and watch an ad doesn't mean they're encrypting the connection. In fact, everyone else in the store, everyone connected to the same router, can sniff all your traffic (unless it's encrypted at the application layer, generally with SSL). They may even be able to co-opt your connections and inject traffic into them.

So here's what you do: Set up WPA-2 encryption on your router with a password, a.k.a. "shared secret." Then put up a sign with the SSID (network name) and password:


"But..." you may ask, "if everyone knows the passcode, isn't it insecure?" No, it's not. When WPA-2 is turned on, the router provides session isolation, which means that nobody can see anyone else's traffic, which in any case is strongly encrypted. WPA-2 has been heavily scrutinized for years and no real-world attacks on it worthy of the name "hack" have been published. Yes, maybe the NSA can listen in, but you can't worry about that.

I'm still sympathetic to the merchant and agree they should be able to get something more out of providing free Internet access. Unfortunately, cheap consumer routers just don't provide this capability. It all comes down to that design flaw I mentioned: you can't provide a user interface until you've connected, and you can't provide a secure connection until the user has provided credentials.

I think the answer is going to require some new SSL-based enrollment UI protocol that the client will have to support. I have questions out to a couple of router companies about it. Perhaps the problem can yet be solved.

  • McDonalds uses ATT

    My phone just auto connects to wifi, no ads or anything
    • McDonalds isn't secure either.

      Just because they aren't displaying ads doesn't make them better than the next business. Your data traffic is still out in the open and another user on that network can attempt to hack your device. The point of the article is those offering wi-fi should provide at least minimal protection for the folks connecting. The author is absolutely correct in this regard.
      • You get nothing for nothing

  • You want "free" and "secure"?

    Didn't Ben Franklin say something about not deserving something similar to that?

    It's free wifi. If you want secure wifi, then pay for it, or secure your connections, yourself. If you aren't comfortable using the free service, then go home and enjoy your coffee and secure internet access, or take it to the office, like an adult.

    Whining about having to jump through a couple of hoops to take advantage of a free service reeks of an entitlement attitude that is slowly destroying our whole civilization.

    You're too old to think and act like a hipster millennial.
    • Something for nothing?

      Do you have a problem with the perception that people are getting something of value for nothing (beyond buying some coffee and a donut)? This is NOT about "entitlement" at all. You probably think that social security is an "entitlement" even though it is paid for by you and your employer.

      Please note that there is a Supreme Court definition and a layman's definition and they are not the same thing at all.
      • No it's not!!

        My Social Security (which starts in February) was not paid for by me. I paid for some people who are now dead. If you're working, you'll be paying for me. Thanks. Remember, Social Security is an unfunded liability of the government. It is an entitlement, because the law says I am entitled to it.
        • Entitlement?

          I guess you think that being able to get gas after you swipe your card is an entitlement too. I paid for it, so it's an entitlement. The term entitlement has clearly been made synonymous with handout when it comes to SS, Military retirement, unemployment insurance. SS is a contract between the Gov and the contributors. If the Gov had the slightest inkling on how to invest and manage money they wouldn't need to be borrowing from the future to pay your SS now.

          To the point of the article though, even if the WiFi is encrypted, that only covers the path from your laptop to the Access Point in the back room. If you are going to be using public WiFi, you should probably take steps of your own to protect your activity.
    • It's the end times....

      Not liking clunky internet signons is "destroying our whole civilization." Wow.
  • From a security perspective, this is wrong

    This article is dangerously wrong, potentially leading to a false impression of security in an encrypted wifi.
    Everybody who has the key can in fact still listen to traffic. It may even be possible to still alter the network data. See: a simple Google search is enough.
    • So true

      But who in their right minds would rely on a Ziff-Davis article to set their IT Policy?
    • Session Isolation

      Is a separate setting :-) Session isolation (which ONLY certain firewalls / APs / routers support) prevents traffic in one session from being repeated to other sessions. I regularly connect to WPA-2-secured wifi and do a full scan of the subnet, just to see what's out there.

      Ultimately, anyone can eavesdrop on the radio signals sent between the AP and the hosts, so even with session isolation, someone can listen at the beginning of the session and possibly decrypt the traffic that way.
      • Router Guest account

        I believe the guest account on routers prevents one from seeing other users computers. Using the guest account with WPA-2 should be enough to provide privacy. Most new routers have guest accounts - even if they are consumer ones.
  • Not Secure

    @domenuk has it right. This article is misleading. If I have the shared key, I can sniff other users' traffic.
    • Yes

      Anyone who witnesses the association process of a new client can eavesdrop on their connection.

      As reassociations can be forced by a rogue host that sends a forged disassociation packet in the name of the target, it is practically always possible to listen in on all connections on a WPA(2) network with a preshared key.

      You can even try it for yourself in Wireshark: There is a built-in option to decrypt all transmissions in the 802.11 settings; as long as you know the PSK and the initial authentication is contained in the recorded traffic, Wireshark decrypts it automatically for you.

      The difference between WEP and WPA is that there is a different pairwise key (called the pairwise transient key) for every client, but as this key is always directly derived from the PSK, it doesn't really add any security at all. If you want that kind of security, you would have to use EAP and a RADIUS server (sometimes called "WPA enterprise"), where the PMK is different for every client.
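The key schedule the comment above describes, and the caveat the article's "nobody can see anyone else's traffic" claim needs: an added Python example, not code from the article or from any commenter, that derives the WPA2-Personal PMK (PBKDF2) and PTK (the 802.11 PRF) from a constructed SSID, passphrase and 4-way handshake. Because the MAC addresses and nonces the PTK depends on cross the air in the clear, every holder of the posted password who saw a client's handshake computes that client's keys (which is what Wireshark's decryption option does), so per-client confidentiality needs a per-client PMK (EAP/RADIUS) or an end-to-end layer such as the VPN the author uses.

```python
import hashlib
import hmac

# WPA2-Personal key schedule (IEEE 802.11i). Everything below the PMK is a
# deterministic function of the PMK plus values sent in the clear during the
# 4-way handshake: the AP and station MAC addresses and the two nonces.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) = KCK | KEK | TK. Inputs are ordered numerically,
    which for equal-length byte strings is exactly Python's min()/max()."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def keys_from_capture(passphrase: str, ssid: str, handshake: dict) -> dict:
    """What anyone holding the posted passphrase (or Wireshark, given the PSK)
    computes from a recorded handshake: the same PTK the client itself uses."""
    pmk = derive_pmk(passphrase, ssid)
    return derive_ptk(pmk, handshake["aa"], handshake["spa"],
                      handshake["anonce"], handshake["snonce"])

# Constructed sample values (not a real capture): a cafe's posted credentials and
# one client's handshake fields as seen by every radio in range.
SSID, PASSPHRASE = "CafeGuest", "latte2014"
HANDSHAKE = {
    "aa": bytes.fromhex("001122334455"),     # AP MAC (constructed)
    "spa": bytes.fromhex("66778899aabb"),    # client MAC (constructed)
    "anonce": bytes(range(32)),              # AP nonce, sent in clear in message 1
    "snonce": bytes(range(32, 64)),          # client nonce, sent in clear in message 2
}

def client_keys() -> dict:
    """The legitimate client derives its PTK from the very same inputs."""
    return derive_ptk(derive_pmk(PASSPHRASE, SSID), HANDSHAKE["aa"], HANDSHAKE["spa"],
                      HANDSHAKE["anonce"], HANDSHAKE["snonce"])

if __name__ == "__main__":
    mine, theirs = client_keys(), keys_from_capture(PASSPHRASE, SSID, HANDSHAKE)
    print("client TK:  ", mine["tk"].hex())
    print("observer TK:", theirs["tk"].hex(), "(identical)" if mine == theirs else "(differs)")
```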
  • What You're Looking for Already Exists

    I am the network manager for a county government agency. We placed 3 of these throughout our location to solve the issues you bring up. One page (optional) is displayed, all you do is click 'ok' and it drops you to your home page. Each connection is not just encrypted, but separated from the rest. There is no access to our internal network even though I can still route all of the WiFi connections through our content filter. For a couple hundred bucks, you can't beat it.
    • Very slick!

    • Or for free...

      An old router + dd-WRT with correct settings (like session isolation) + free captive portal software. Set up a network exactly like you described for free just the other day.
  • You need an agreement to TOU

    You need a "click and accept" page, indicating that the user understands and accepts the terms of use. It's a liability thing -- open WiFi is great, until someone cyberstalks, or threatens someone, or even worse -- downloads some illegal material on YOUR network. There are several simple solutions that run on Linux, and maybe this can be configured on newer SOHO COTS routers these days, but "click and accept" means the user has the liability for how they use the network, NOT the business owner.
    • Part 2 - Logging

      There are two approaches to logging -- either don't log anything, or make sure you have complete logs. Tell people in the TOU (see above) that their internet traffic WILL be logged. Some firewalls (routers) can log individual connections, while others don't really log anything at all. "Full logging" means you log the workstation ID that connects to the WiFi device, you log DHCP (the protocol that assigns your IP address once connected to WiFi), and you run a transparent proxy that logs information about what URLs are being requested as people browse on your network. All of this is easy under Linux, but not really a feature set that you can get in a SOHO device -- higher-end, enterprise COTS devices DO support these features, but they are much less "plug and play".
  • "Free, secure, private"

    Free, secure, private - words which no longer have any meaning.