by bsimpson 4387 days ago
Especially since most devices auto-associate with known networks.

Under the status quo, if I'm desperate for Internet I make a gut decision on how trustworthy I think the nearest random open network is based on the context of my present situation. If openwireless becomes the default, I might decide that in this random small town coffee shop, openwireless is probably trustworthy and associate with it. I do my business and leave. Then, I could be walking through an airport and pass someone who's set up a malicious base station using the openwireless SSID. My device could associate with it and put me at risk without me even knowing.


I've configured my Nexus 5 to auto-connect to any open "linksys" SSID. How would this be any different?

Don't rely on SSID for security. Rely on SSL/TLS and certificate pinning.

It's not different. It's not even necessarily bad. It's just worth considering while evaluating this proposal.

And what if you need to log in to a site that isn't SSL-secured? There's nothing the end user (you) can do about that.

You should never be using a site without SSL if you're passing authentication information.

Now, while I understand this is out of an end user's control, that shouldn't cause us to throw the idea of a shared wireless network out the door. That should cause us to look at non-secure sites accepting credentials, and how to prevent that behavior in the first place.

https://www.eff.org/https-everywhere

This site helps with this issue forcing sslany.

Installing a browser add-on doesn't make websites lacking an SSL certificate magically acquire one. The fact is that there are still a lot of sites out there that don't have them.

You use a VPN to tunnel to a trusted server and have it initiate the cleartext connection to the site, keeping the traffic between you and that server encrypted.

Not easy as in everyone has access to a __trusted__ VPN tunnel server.
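
The auto-association concern raised at the top of the thread can be audited on devices that keep saved networks in a wpa_supplicant.conf file: any enabled profile with `key_mgmt=NONE` and no WEP key will be joined by SSID alone. The script below is an added example, not part of any comment in the thread; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample wpa_supplicant.conf text (not from any real device).
SAMPLE_CONF = """
network={
    ssid="openwireless"
    key_mgmt=NONE
}
network={
    ssid="linksys"
    key_mgmt=NONE
    disabled=1
}
network={
    ssid="HomeNet"
    psk="constructed-passphrase"
}
network={
    ssid="OldCafe"
    key_mgmt=NONE
    wep_key0="abcde"
}
"""

# A network block ends at a closing brace on its own line.
NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\n\s*\}", re.S)

def parse_networks(conf_text):
    networks = []
    for body in NETWORK_BLOCK.findall(conf_text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        networks.append(fields)
    return networks

def auto_join_open_networks(conf_text):
    """SSIDs the device would join with no authentication and no prompt."""
    risky = []
    for net in parse_networks(conf_text):
        # key_mgmt=NONE together with a wep_key* is static WEP, not open.
        has_wep = any(k.startswith("wep_key") for k in net)
        is_open = net.get("key_mgmt", "").upper() == "NONE" and not has_wep
        if is_open and net.get("disabled", "0") != "1":
            risky.append(net.get("ssid", "").strip('"'))
    return risky

if __name__ == "__main__":
    print(auto_join_open_networks(SAMPLE_CONF))
```

Profiles the script reports can be removed or set to `disabled=1` so the device no longer joins them without a prompt.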