by consto 2873 days ago
Even if encryption isn't worth it, the access controls it gives you are to most access point owners. By limiting who can connect an owner can reduce bandwidth usage, improve latency, and increase the quality of their connection.

Not to mention that most protocols in current use at minimum leak metadata. There would need to be a standard for an automatic authenticated VPN supported by hotspots and operating systems. Regular users shouldn't need to perform complex setup procedures.

And at that point, while I do like the separation of concerns provided, why not just fix or replace WPA?


Even for that, it's not the ideal layer. A basic connection should generally be available for everyone even if it's a rate-limited logically-separated segment that only provides internet access. Then if you want special treatment for a specific subset of users they need something on top of that, but only that subset of users -- notably not the ones who come and go all the time -- and authenticating them has no real relation to the WiFi. A VPN to an endpoint on the same LAN works for this. There is also 802.1X, IPSec, etc., which common operating systems already support.

Meanwhile the guest users should have their own external VPN to protect them from you, which they should only have to set up once for all networks.

> A basic connection should generally be available for everyone even if it's a rate-limited logically-separated segment that only provides internet access.

As long as you're legally responsible for the traffic coming out of your network, this is not a good thing to do. Unless people explicitly get the same protection an ISP gets, I'll keep advising them not to share their connection openly.

> As long as you're legally responsible for the traffic coming out of your network, this is not a good thing to do. Unless people explicitly get the same protection an ISP gets, I'll keep advising them not to share their connection openly.

That is obviously a jurisdiction-dependent legal question and anyone concerned about it should consult an attorney.

But if you're suggesting that, for example, the CDA or DMCA safe harbors only apply to Comcast and not book stores or auto shops or anyone else that provides public WiFi, I would be interested to see a citation for that.

I didn't mean DMCA only. Rather, general dealing with law enforcement in general.

But even with just DMCA to be a safe harbour you need to: have a service policy, show it to the users, have the possibility to prevent access for identified violations, and effectively keep some kind of connection record to be able to identify which users you need to terminate. I doubt anyone fulfills that at home. (I don't think shops and cafes do either)

I feel like this is why the advice is always to consult an attorney. If the law has some easy to fulfill requirement (service policy) then concerned people should have one even if they're only providing access to Uncle Bob and not the general public. It may not be likely that Uncle Bob would cause any trouble (though maybe his computer is infected), but it may not be likely that anyone with physical proximity would cause any trouble. If you're worried about it then why not do the thing that mitigates the risk regardless?

It's even possible that not providing public access may increase certain risks. If you restrict access and someone guesses/cracks the password and does something terrible, that may make it harder to argue that it wasn't you.

I'm also not sure where you're reading the requirement to identify the users. There are many sites (e.g. Slashdot) where users can post anonymously (and via Tor or equivalent). Are you saying they don't qualify?

They have some info here:

https://openwireless.org/myths-legal.html

But notice that half the page is dedicated to extra-legal ISP shenanigans, which brings us back to routing your whole internet connection (guest net included) through a VPN. Which, again, you probably want even if you're the only one on your connection. It's not as if copyright trolls are renowned for their accuracy in targeting only people who are actually infringing something.

> I'm also not sure where you're reading the requirement to identify the users.

Not identify as in get their names. Just identify enough to know when they come back. Knowing which MAC to filter would probably be enough.

http://digital-law-online.info/lpdi1.0/treatise39.html

> First, the service provider is expected to adopt and reasonably implement a policy for the termination in appropriate circumstances of the accounts of subscribers of the provider’s service who are repeat online infringers of copyright.

You'd need to also identify which device was infringing by getting a connection time/destination.
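The bookkeeping the last few comments describe (keep a connection record, map a notice's time and destination back to a MAC, act only on repeat offenders) as an added example that is not from the thread; the lease and connection log formats and all addresses are constructed, and the notice window and threshold are assumed values:

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample records, not real logs; the line formats are assumed, adapt the parsers to yours.
DHCP_LEASES = """\
2016-05-01T10:00:00 lease 192.168.50.23 aa:bb:cc:dd:ee:01 expires 2016-05-01T12:00:00
2016-05-01T10:30:00 lease 192.168.50.24 aa:bb:cc:dd:ee:02 expires 2016-05-01T12:30:00
2016-05-01T12:05:00 lease 192.168.50.23 aa:bb:cc:dd:ee:03 expires 2016-05-01T14:05:00
"""
CONN_LOG = """\
2016-05-01T11:15:02 src=192.168.50.23 dst=203.0.113.9:6881
2016-05-01T11:15:40 src=192.168.50.24 dst=198.51.100.7:443
2016-05-01T12:40:11 src=192.168.50.23 dst=203.0.113.9:6881
"""

def parse_leases(text):
    """Return (start, end, ip, mac) tuples: which MAC held a guest IP during which interval."""
    out = []
    for line in text.splitlines():
        start, _, ip, mac, _, end = line.split()
        out.append((datetime.fromisoformat(start), datetime.fromisoformat(end), ip, mac))
    return out

def parse_conns(text):
    """Return (time, src_ip, dst) tuples from the gateway's outbound connection log."""
    out = []
    for line in text.splitlines():
        when, src, dst = line.split()
        out.append((datetime.fromisoformat(when), src.split("=", 1)[1], dst.split("=", 1)[1]))
    return out

def resolve_device(notice_time, notice_dst, leases, conns, window=timedelta(minutes=5)):
    """Map a notice's (ISO time, destination) to the MAC behind it, or None if nothing matches."""
    t = datetime.fromisoformat(notice_time)
    for when, src, dst in conns:
        if dst != notice_dst or abs(when - t) > window:
            continue
        # Guest IPs are reused by later leases, so the lease must cover the connection time itself.
        for start, end, ip, mac in leases:
            if ip == src and start <= when < end:
                return mac
    return None  # unresolvable notices are dropped rather than guessed at

def repeat_offenders(notices, leases, conns, threshold=2):
    """MACs tied to at least `threshold` notices: the set a termination policy would act on."""
    hits = Counter()
    for notice_time, notice_dst in notices:
        mac = resolve_device(notice_time, notice_dst, leases, conns)
        if mac:
            hits[mac] += 1
    return sorted(m for m, n in hits.items() if n >= threshold)
```

The third lease reuses the first lease's IP, which is why the lookup checks the lease interval rather than the IP alone.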

Free.fr does exactly that. Any subscriber can use a small amount of bandwidth on any free.fr wifi nearby, with a lower traffic priority than the owner.