On Jul 11, 2017, at 8:34 PM, Randy Bush <randy(_at_)psg(_dot_)com> wrote:
> the noc sees a quite large number of associations to the unencrypted
> ietf-legacy ssid as opposed to say the encrypted ietf ssid
> some of us are wondering if those using ietf-legacy
> o do not realize it is completely unencrypted over the air, or
This is not the case for me. I also run unencrypted at home but have
a large property where, without a directional antenna, you cannot receive
my wifi. If you put that much effort into it, it still may not work due
I seem to recall (this may not be true) that ietf-legacy is also only
2.4 GHz, so sometimes my device sees this first as there are fewer channels
to scan compared to the 5 GHz + DFS frequencies while waiting for a beacon.
> o don't care as their threat model sees runnin' nekkid over the air as
> not a significant additional weakness, or
This is part 1. My model covers unencrypted SSIDs, as that's commonly given
out at hotels and other venues.
> o believe that they are using sufficient encryption at higher layers
> to meet their needs, or
This is happening: I'm using SSH and SSL, and my DNS is tunneled through
a VPN (to a non-dual-stack server, gah!)
> these days, some meetings do not provide unencrypted wifi at all and
> seem not to get complaints. maybe their attendees are just geekier
> and/or more security conscious.
I tend to end up with all the SSIDs pre-programmed, including ietf-hotel,
which is valuable as it permits me to not roam, but have a seamless user
My experience with the conferences that encrypt WiFi 100% of the time is that
I must re-enter the username/password (or might not have them handy), or
my device says ACHTUNG regarding the certificate change and requires me to
take a manual action to join this seemingly "new" network, even if it's
a familiar one.
This means I tend to have to force it once to rejoin the secure network,
but I’ve likely already fallen back to the insecure network first.
At least this is the way it's generally presented to me via macOS. I have
also had mobile devices, including Raspberry Pi type things, that join the
wifi when I'm doing other experimental things. They can be configured
to just join the first open SSID that is available. This is nice as I don't
have to do as much configuration work to make it happen, and I'm already
using SSH or some other transport to access the devices.
If the open SSID were to go away, I don't expect there to be any issues
other than a few newcomers needing to learn what the passwords are. This
caused me issues at one of my first meetings when presented with a non-open
wireless network, but I was able to ask what the password was and
easily received it.
If Con is doing his statistics board of the SSIDs again, perhaps putting the
username/password there would also be of value should the legacy SSID be phased