Friday, April 23, 2010

Security and the appearance thereof

I'm traveling at the moment, which means I'm currently blogging at you courtesy of a hotel WiFi system. The WiFi is the usual hotel setup: you connect to an unsecured network and the system then intercepts your first web page request and replaces it with a login screen. At first blush, the login screen may give the impression that the system is secure, but the username and password are put together from the name of the hotel, its street number and the word "internet". They are the same for all guests.

An insecure network is not necessarily a security problem. Rather than expect the network itself, wired or wireless, to be secure, it's better to use some sort of end-to-end scheme which will be essentially equally secure whether or not the network is. The problem comes when a component that you think is secure actually isn't.

Is that the case with hotel WiFi? It depends. If you take the login page as an indication of security, you've got a security problem waiting to happen. If you take the totally insecure username and password as an indication of insecurity, then no problem. Unfortunately, it's perfectly reasonable for the non-technical user -- that is to say, almost any user -- to associate passwords with security. That's what they're supposed to be there for, after all.

1 comment:

Anonymous said...

The question is whose security it's protecting. It's the hotel's: it wants to offer its services only to its guests. And eventually only to extra paying ones...

-Anli