[chainsaw10]

> log in with some criteria more than just a username/password

The problem there is that captive portals don't add any extra link-layer security. The network is open, so literally anyone can sniff packets.

It's uncommon, but a network using WPA2-Enterprise and user/pass uses different keys for each person (not sure if per device or per user), so you don't have to trust everyone in the room.

[fyfy18]

Most portals I use intercept your request to a HTTP site and redirect you to their logic form which is served over HTTPS.

[icebraining]

Yes, but after authentication, all traffic can be sniffed - including unencrypted connections.

[ori_b]

How is this different from the case without a captive portal, again?

[icebraining]

Using WPA-Enterprise, each connection is encrypted separately, eliminating that hole.

[tinus_hn]

Now you don’t have to trust the other customers, only the bar you’re at, their ISP and a million other parties between you and the site you’re visiting.

[icebraining]

That's a reasonable point, but I'm speaking from the perspective of the bar owner - I feel I have a duty to provide better security even if the patrons have no reason to trust me.

[ori_b]

Using WPA-Enterprise, as I understand it, requires devices to be preconfigured to authenticate with the radius server, which makes it a non-starter for the kinds of networks that use a captive portal.

[icebraining]

No, there's no preconfiguration needed, it's just a username/password account. You choose the network, then the OS asks you for your user/pass, then you're connected.

It's the router that connects to the RADIUS server, not the device directly. And some routers have one embedded, so you don't even need to configure that, it "just works".

[lorenzhs]

Wouldn't it be nice if there was an encryption mode for Wifi that ensures integrity without requiring authentication? At CCC events, the workaround is to have a WPA2-Enterprise network that accepts every username/password combination, but that's going to be hard to explain to non-technical users.

I think WPA3 is going to support this use case.