Slashdot links to the proposal advanced by one security researcher to have safer wireless without necessarily denying access. The reasoning of Chester Wisniewski who works for security firm Sophos isn’t wrong. Firesheep is able to hijack sessions with popular web sites because the communication after login is done entirely in the clear. Using WPA or WPA2 should encrypt that traffic with a distinct key, even for users on the same hot spot. While WPA isn’t one hundred percent secure, it raises the cost of hijacking beyond the point-and-click ease of Firesheep.
Increasing the security of hot spots is a laudable goal in and of itself. Unfortunately, like the variety of mitigation tools that have cropped up, it is distracting from the main point Firesheep’s author, Eric Butler, was trying to make. The simplest, best solution is for web sites to ensure that session identifiers, usually encoded as browser cookies, are not easily snarfed by an attacker. Just turning on SSL encryption and making sure web applications behave well with it would be enough. All reputable online banks already do so. It is unclear why other services are so reluctant to do so, despite many of the costs and limitations of SSL being erased by beefier computers and devices coupled with faster connections.
Glenn Fleishman at BoingBoing has some further excellent analysis of Wisniewski’s proposal. Steve Gibson, a high profile security writer and developer, made the same suggestion but had enough time to contemplate possible flaws.
Gibson notes the key problem to this approach in the comments to his post: every user with the shared key can sniff the transaction in which another client is assigned its unique key, and duplicate it. Further, if you join a network with many clients already connected, you can use the aircrack-ng suite to force a deauthentication. That doesn’t drop a client off the network; rather, it forces its Wi-Fi drivers to perform a new handshake in which all the details are exposed to derive the key.
Fleishman goes on to explain how it may be possible to tweak a hotspot and clients far enough to overcome most of the further cracks, but ultimately ends with the same conclusion. Access points and end users aren’t in the best position to deal with a security problem known and largely ignored by web service developers and operators.