Also see my related post EFF’s “Open Wireless Movement” Could Get You Terminated
I discussed the issue of leaving your WiFi network open back in 2008 after reading an article in Wired were Bruce Schneier mused that an open WiFi network (that is, one without encryption) is nothing to worry about and went as far as to recommended that everyone open their WiFi up to the world.
It was a bad idea then and it still is but that does not stop the normally privacy and security conscious EFF from going against their own advice and publishing an essay that trivialities the effectiveness of WPA and implies that everyone should disable WPA (because it's not doing you any good anyway) and open up their WiFi for the greater good.
WPA is Secure
From the EFF essay [emphasis mine]:
The problem that's really killing open WiFi is the idea that an unlocked network is a security and privacy risk.
This idea is only partially true. Computer security experts will argue at great length about whether WEP, WPA and WPA2 actually provide security, or just a false sense of security. Both sides are partially correct: none of these protocols will make anyone safe from hacking or malware (WEP is of course trivial to break, and WPA2 is often easy to break in practice), but it's also true that even a broken cryptosystem increases the effort that someone nearby has to go to in order to eavesdrop, and may therefore sometimes prevent eavesdropping.
This essay explains why the progressive locking of wireless networks is harmful — for convenience, for privacy and for efficient use of the electromagnetic spectrum.
The essay never explains how securing WiFi is harmful to privacy. I really wish it had because that would have been a huge revelation to me. That statement alone is almost enough to call for a ceasing of donations to the EFF until they get their head on straight and print a retraction. I have never heard any security expert debate whether WPA and WPA2 "actually provide[s] security" even in his 2008 article Schneier admits that WPA is "very good." I've also never heard any debate about whether you should enable WPA, the answer (from those who know better) is always an unequivocal yes. To date WPA has not been cracked and the only effective means of breaking into a WPA protected WiFi network is if the password (i.e. pre-shared key) is a dictionary word and/or is too short.
From Aircrack-ng (folks who make software to crack WEP and WPA networks) [emphasis mine]:
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable WiFi network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
And that's for home networks, corporate networks are likely using WPA with a RADIUS Server that dynamically generates and assigns keys to clients, which adds another layer of security because it eliminates the use of a static key. In Episode 13 of his show Security Now! Steve Gibson said this about WPA:
even the weakest form of WPA encryption, if it's done properly, is absolutely uncrackable as long as no one gets your key.
The only know weakness in WPA is when weak passwords are used. For WPA to be effective you need to use a long, random password. Most people do not know this (or don't care) and use words or phrases that can be found in a dictionary which can be easily (and quickly) brute-forced. For the record, a proper WPA password should look like this:
That's 63 random printable ASCII characters (generated using GRC's Perfect Passwords) and for all intents and purposes would make for an uncrackable WPA password. The only known way to crack a WPA password that is not in the dictionary is to brute-force it. If the password is of a significant length and randomness a brute-force attack it grossly ineffective because it would take too long.
How long? Well, according to the Last Bit Password Calculator a 20 character password (the longest you can test) that has upper and lower case letters, numbers, and punctuation would take 1,000 computers, trying 1,000,000 (million) passwords a second: 779,503,646,902,420,500,000 (seven hundred seventy-nine quintillion, five hundred three quadrillion, six hundred forty-six trillion, nine hundred two billion, four hundred twenty million, five hundred thousand) years to crack. Of course, that's assuming, again, that the password is random and does not contain word(s) that can be found in the dictionary. The WPA cracking service that the EFF essay linked to uses a cluster of only 400 computers.
That said, most people do not choose sufficiently long and random WPA passwords. So the EFF is partially correct that "WPA2 is often easy to break in practice" but that does not mean that you give up on security and privacy and imply that everyone just turn it off because it's not doing them any good anyway. In reality, even poorly implemented WPA protects you against casual intrusion, even WEP (which is woefully broken and insecure) is better than nothing. It is possible that WPA could have an undiscovered weakness that could render it as insecure as WEP or worse but none has been discovered (and it's not for lack of trying) so WPA remains secure.
I agree with the premise of the EFF essay that having open WiFi networks serves the greater good and I agree with the idea that protocols need to be developed that allow people to easily secure their network while allowing them to share their connection if they so choose. But to suggest that people blindly open their networks in the interim is irresponsible and goes against the EFF's own creed to "educate the press and public". Today more than ever security is of primary concern for the average (i.e. non-technical) user. Network storage devices are becoming increasingly popular in the home and people are storing vast amounts of personal information and sharing it on their home network. Having an open WiFi network allows even the most causal intruder to gain access to those files. Not to mention people who have home business, or work out of their home, and have not just their personal and business files but client files assessable via their network. And that's just getting access to file shares, never mind that open WiFi makes tools like Firesheep and other sniffing tools that much easier to use.
I also agree with the EFF that "none of these protocols will make anyone safe from hacking or malware." That's true, no matter how secure WPA is if you venture out on the Internet your computer is at risk. Arguably, putting your computer on the Internet is a greater risk than having it connected to an open WiFi connection. But the insecurity of open WiFi is still a real concern for a number of reasons and just because one threat poses a greater risk does not mean that you ignore all the others. Would the EFF suggest that we not use antivirus software because it unnecessarily takes CPU cycles, causing our computers to use more power and thus contributes to global warming?
The EFF should have written an essay on why open WiFi contributes to the greater good and educated people on how they can give to that greater good while maintaining their security and privacy. They should have written an essay on why and how to properly implement WPA encryption. To write what they did, to trivilize WPA and suggest that its use is harmful for security and privacy is ethically irresponsible. The EFF should know better than to trivialize the security of WPA and the need for secure WiFi.
The EFF's essay is a slap in the face for those who have supported their mission to advance privacy and security. It may well undo a lot of work by those of us who have worked hard to educate users on why they should suffer the minor and temporary inconvenience of implementing WiFi security.
Let me make it clear, I agree with the basic premise of the EFF's essay: that open WiFi serves the greater good. I think it is great that the EFF is getting behind the effort to push for open WiFi standards and protocols. I do not agree with and feel it is ethically irresponsible to trivialize the need for WiFi security and to dismiss what is an effective way to secure a WiFi networks. I have no doubt that because of this essay a rash of people, with the best of intentions, will turn off WPA and blindly open their WiFi networks.
There will also be people who will use the essay as ammo against experts (people like myself) to challenge the assertion that securing WiFi is necessary. After all, if the EFF says the security protocols are infective and leaving my WiFi open serves the greater good, then why should I not? This places experts in the awkward place of having to decry the EFF's position on WiFi security. I don't think that I've ever felt at odds with the EFF, I've always been in step with their views and efforts but this essay is beyond the pale and the EFF should be ashamed.