by tendom 4386 days ago
I love the idea, though the paranoid, security-conscious developer in me is really worried about the security for average users. I'm not worried about the individuals opening up their routers, there is always a risk, but that can be mitigated. I'm more worried about average people thinking that whenever they see an openwireless.org hotspot, they'll think it's safe. And it's obviously not, or I wouldn't know about my neighbour's banana fetish. (joke, please don't arrest me) I know people sign in to any open network regardless, but this has a brand that can be exploited and then blamed.

Especially since most devices auto-associate with known networks.

Under the status quo, if I'm desperate for Internet I make a gut decision on how trustworthy I think the nearest random open network is based on the context of my present situation. If openwireless becomes the default, I might decide that in this random small town coffee shop, openwireless is probably trustworthy and associate with it. I do my business and leave. Then, I could be walking through an airport and pass someone who's set up a malicious base station using the openwireless SSID. My device could associate with it and put me at risk without me even knowing.

I've configured my Nexus 5 to auto-connect to any open "linksys" SSID. How would this be any different?

Don't rely on SSID for security. Rely on SSL/TLS and certificate pinning.

It's not different. It's not even necessarily bad. It's just worth considering while evaluating this proposal.

And what if you need to log in to a site that isn't SSL-secured? There's nothing the end user (you) can do about that.

You should never be using a site without SSL if you're passing authentication information.

Now, while I understand this is out of an end user's control, that shouldn't cause us to throw the idea of a shared wireless network out the door. That should cause us to look at non-secure sites accepting credentials, and how to prevent that behavior in the first place.

https://www.eff.org/https-everywhere

This site helps with this issue forcing sslany.

Installing a browser add-on doesn't make websites lacking an SSL certificate magically acquire one. The fact is that there are still a lot of sites out there that don't have them.

You use a VPN to tunnel to a trusted server and have it initiate the cleartext connection to the site, keeping the traffic between you and that server encrypted.

Not easy as in everyone has access to a __trusted__ VPN tunnel server.