
February 6th, 2007

RSA proves security isn't usable by example

Posted by George Ou @ 4:20 pm

Categories: Infrastructure, Mobile/Wireless, Networking, RSA conference, Security, ~Events~


The old axiom of more security and less usability couldn't have been more apparent at the RSA Conference 2007.  It took members of the press and attendees over an hour to get wireless LAN access because username/password-style wireless LAN security was employed.  Last year it was even worse, when each member of the press had to have their own unique username and password.  It was a bit simpler this year because they handed out generic usernames and passwords, but the lines around the wireless LAN helpdesk remained a mile long much of the day.

The universally accepted way of providing guest hotspot access is to not have any kind of link-layer security at all and just run everything wide open.  This doesn't provide any security on the link between the client and the access point, and users are expected to use secure protocols.  Since secure protocols are the exception and not the rule, hotspots are the most insecure and dangerous form of connectivity, and the RSA conference is trying to lead by example.  The problem is that true wireless LAN security in an ad hoc environment isn't usable because there is no seamless inter-organization identity infrastructure in place.

Email communications work because you can hand anyone a business card with your email address on it and expect to be able to email each other without IT intervention, even if the two domains have never communicated with one another.  Until ID and authentication can be just as seamless as exchanging email, widespread security will be nothing more than a small niche market and a pipe dream for the masses.  The reason email is so seamless is that it's published in DNS; perhaps it's time we considered a similar mechanism for authentication.  If RADIUS authentication servers were published in a DNS record for a particular domain, this would allow seamless, secure wireless LAN authentication anywhere without the need for new and cumbersome user accounts on every new network you touch.
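The lookup proposed above, sketched as an added example that is not code from the author or from any RADIUS product: the realm of a `user@realm` identity is mapped to its home RADIUS servers the way a mail domain is mapped to its MX hosts. The `_radius._udp` SRV label, the host names, the constructed zone data and the permitted-realm list are all assumptions made for illustration.

```python
# Added illustration: realm-based RADIUS server discovery, modelled on MX lookup.
# CONSTRUCTED_ZONE stands in for real DNS so the example runs offline; the
# "_radius._udp" SRV label and every host name are assumptions, not a standard.
CONSTRUCTED_ZONE = {
    "_radius._udp.example.com": [  # (priority, weight, port, target)
        (20, 0, 1812, "radius-backup.example.com"),
        (10, 5, 1812, "radius1.example.com"),
    ],
    "_radius._udp.partner.example": [(10, 0, 1812, "aaa.partner.example")],
}

# Local policy: home domains the hotspot operator has explicitly permitted.
PERMITTED_REALMS = {"example.com"}


def realm_of(identity):
    """Return the lower-cased realm of a user@realm identity, or None."""
    user, sep, realm = identity.rpartition("@")
    realm = realm.strip().rstrip(".").lower()
    if not sep or not user or not realm or "." not in realm:
        return None
    return realm


def discover_radius(identity, zone=CONSTRUCTED_ZONE, permitted=PERMITTED_REALMS):
    """Map an identity to its home RADIUS servers, best candidate first.

    Returns (status, servers). DNS only tells the access network where to
    forward the request; the home server still authenticates the user.
    """
    realm = realm_of(identity)
    if realm is None:
        return ("bad-identity", [])
    if realm not in permitted:  # refuse before doing any lookup
        return ("realm-not-permitted", [])
    records = zone.get("_radius._udp." + realm, [])
    if not records:
        return ("no-record", [])
    # Simplified SRV ordering: lowest priority value first, then higher weight.
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return ("ok", [(target, port) for _, _, port, target in ordered])


if __name__ == "__main__":
    for who in ("alice@Example.COM", "bob@partner.example", "carol"):
        print(who, "->", discover_radius(who))
```

Because plain DNS answers are unauthenticated, the result is only a routing hint: the permitted-realm check runs before any lookup, and a realm that publishes a record is still refused unless the operator has allowed it.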

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 33 Talkback(s)
Installations not allowed...
In the corporate environment, most laptops are locked up so tight that users can't install anything. No drivers, no applications, and certainly nothing that would affect the security of the system.
Posted by: Marty R. Milette Posted on: 07/20/07
Confused?  Richard Flude | 02/06/07
You have to explicitly permit the domains on your wireless infrastructure  georgeou | 02/06/07
OK, so like OpenID  Richard Flude | 02/07/07
RADIUS delegation is very similar to WS-Federation  georgeou | 02/07/07
Hot Pockets  D. T. Schmitz | 02/06/07
Different purpose  georgeou | 02/06/07
no not really  D. T. Schmitz | 02/07/07
That covers the user's security, but not the network's security  georgeou | 02/07/07
Well if they knew how they would!  D. T. Schmitz | 02/07/07
So you are saying that reporters are incredibly inept?  B.O.F.H. | 02/07/07
No that's not what I said  georgeou | 02/07/07
Seeing as I quoted you, what did you actually say?  B.O.F.H. | 02/07/07
Why not Read the Article?  mejohnsn | 02/10/07
I've got an article coming up on how to do this safely and easily  georgeou | 02/10/07
Important factor in software design.  Anton Philidor | 02/07/07
Shibboleth  R West | 02/07/07
I have a couple of notions that might help  nucrash | 02/07/07
But wait  D. T. Schmitz | 02/07/07
Sorry you didn't like it  nucrash | 02/07/07
nucrash--it's me  D. T. Schmitz | 02/07/07
or....  D. T. Schmitz | 02/07/07
Sorry for thinking of Ease of Use  nucrash | 02/07/07
Well said  D. T. Schmitz | 02/08/07
What you're talking about is a Wi-Fi bridge with a USB interface  georgeou | 02/08/07
Why not simplify the hardware  nucrash | 02/08/07
The USB method only works for PSK mode  georgeou | 02/08/07
It would have to be a PSK  nucrash | 02/08/07
What's wrong with my method?  georgeou | 02/08/07
Nothing really  nucrash | 02/08/07
Actually, you forced me to rethink which is good  georgeou | 02/08/07
Installations not allowed...  Marty R. Milette | 07/20/07
Like your ideas, but there are a few problems  at1as | 02/11/07
Correction, I'm not using DNS for authentication  georgeou | 02/12/07
