OK, here's the scenario: You're getting on a public wireless-LAN network, and up comes the splash screen asking for your credit card number and expiration date, or your user name and password. The little Secure Sockets Layer lock glyph is on, so off you go. But the response is a message like "system down for maintenance" or, worse, you get connected.
I say "worse" here because you've just been spoofed-the access point you associated with is actually a soft AP on a notebook, and someone is now merrily capturing everything you send and receive. At best, your ID or credit card info has been compromised.
Has something like this actually happened yet? Not to my knowledge, but this hypothetical scenario can strike a cautionary note for one of the most important emerging elements of the wireless industry today. Private WLANs will play a critical role in the ubiquity of Wi-Fi, as well as in the future of cellular operators.
I'm very cautious when I use a private WLAN, which is rarely. The problem has its roots in two areas. First, operators want to allow essentially anyone with the right hardware to pay the (sometimes exorbitant) fee. This means that potential users aren't always pre-authenticated and, thus, otherwise secret data needs to be exchanged. The connection can be secured against eavesdroppers, except, of course, for the spoofer. The second problem is that users don't often check for the validity of digital certificates and, clearly, these can be spoofed as well. This is completely unlike the world of the cellular phone, where authentication information is pre-shared and the protocol for its exchange difficult to spoof.
The public WLAN industry doesn't yet view this as a major problem, and therefore isn't devoting the resources required to fix it. I think the solution will ultimately be in client software, like that available from PCTEL, Smith Micro and Boingo, to name a few. What's needed
is a single client that logs into the public wireless network, carefully checks certificates and builds the VPN tunnel to where the user really wants to go. There is, I must stress here, no such thing as absolute, total security-but such an approach would take much of the worry out of the process.
Craig J. Mathias is principal of Farpoint Group (Ashland, Mass.).