How to do free Wi-Fi right

I'm writing this at Starbucks. To connect to the Wi-Fi (provided by AT&T) I have to go through an annoying ritual, after connecting to the AT&T Wi-Fi network, of opening a browser, loading any web page with some ads, clicking the Accept and Connect button from AT&T Wi-Fi, watching an ad for a few seconds until the "Stop sponsor message" link shows up and then clicking another link to dismiss the whole stupid pretense and move on to the task I really did want to do.

I don't want to complain too much about this. It doesn't take long and, in exchange, I get free Internet access. I have my doubts of whether it benefits AT&T or just builds ill will for them (and maybe for Starbucks). Now small businesses that want to provide Wi-Fi for their customers can build that same ill will with routers that make the user sign on to the business's Facebook or Twitter page to get access to the Internet.

The upside for the business is that you automatically get a "Like" or something like it when the user logs on to your Wi-Fi. Once again, it seems like a small price to pay, but it pushes me over the line of discomfort. I don't casually go Liking around things, and what if I'm not a member of any of the services they support?

Purple Wi-Fi does the same thing, although they do a lot more too, like content filtering and analytics tools. Purple Wi-Fi has an optional registration page you can offer if users don't want to sign on with social media. This is better than not having access, but still sucks a little.

Purple Wi-Fi, incidentally, takes a really weird approach to their task of providing enhanced router services: They run as custom firmware which you must flash on your router. Here's their list of supported devices.

There's one more really big problem with these products: they all perpetuate the widespread problem of public Wi-Fi hotspots which are open and unencrypted. None of them solve the problem, which is perhaps a basic design flaw in Wi-Fi or perhaps just an intractable problem, that in order to provide the user with an interface to make connection easy you must first connect them to the network. If you're going to connect them to the network without any previously shared secret, you have to be unencrypted. Businesses generally avoid having a password that users must enter.

What's the right way for a small business, one not willing to pay real consultants and buy real business hardware, to provide free Wi-Fi? The answer is first that you don't have it open and unencrypted. Users don't generally understand, but when they are connected, as I am now at Starbucks, their connection is insecure. (I deal with it by using a VPN service, HMA Pro.) Just because you have to click "Accept" and watch an ad doesn't mean they're encrypting the connection. In fact, everyone else in the store, everyone connected to the same router, can sniff all your traffic (unless it's encrypted at the application layer, generally with SSL). They may even be able to co-opt your connections and inject traffic in them.

So here's what you do: Set up WPA-2 encryption on your router with a password, a.k.a. "shared secret." Then put up a sign with the SSID (network name) and password:

"But..." you may ask, "But if everyone knows the passcode isn't it insecure?" No, it's not. When WPA-2 is turned on, the router provides session isolation, which means that nobody can see anyone else's traffic, which in any case is strongly encrypted. WPA-2 has been heavily scrutinized for years and no real-world attacks on it worthy of the name "hack" have been published. Yes, maybe the NSA can listen in, but you can't worry about that.

I'm still sympathetic to the merchant and agree they should be able to get something more out of their provision of free Internet access. Unfortunately, cheap consumer routers just don't provide this capability. It all comes down to that design flaw I mentioned, that you can't provide a user interface until you've connected and you can't provide a secure connection until the user has provided credentials.

I think the answer is going to require some new SSL-based enrollment UI protocol that the client will have to support. I have questions out to a couple of router companies about it. Perhaps the problem can yet be solved.