IBM is proposing a new approach to address WiFi security in the wake of the Firesheep plug-in for Firefox.
The Firesheep extension can be used to hijack the sessions of people using unencrypted sites such as Facebook and Twitter on an open wireless network. The tool was released less than a week ago at the ToorCon 12 conference in San Diego, Calif., and has since been downloaded more than 440,000 times.
In response, IBM's X-Force team has gone public with what it calls "Secure Open Wireless." In a joint blog post, Tom Cross, manager of IBM Internet Security System X-Force Advanced Research Team, and X-Force researcher Takehiro Takahashi, explained the company has been working on a secure way to "set up an open access point that has encryption and authentication of the network provider."
"If you think about how HTTPS works, you're establishing an encrypted connection to a Website, but you don't have to have a password set up with that Website in order to establish that encrypted connection," they blogged. "The security of an HTTPS session comes from the fact that the Website you are connecting to presents a digital certificate, signed by a trusted third-party certificate authority, demonstrating that the Website you are connecting to legitimately controls the domain name you are trying to reach."
In IBM's proposal, "the wireless networks would establish encrypted connections with their clients by presenting a digital certificate demonstrating that the operator of the access point is the legitimate user of the SSID associated with that access point," the researchers blogged.
Cross told eWEEK that X-Force has created a working demo using Linux machines and a consumer-grade access point with minor changes to a few open-source software packages.
"We have an approach that could allow home users and small businesses to use unsigned certificates with a security model similar to the one employed by SSH, where the first time you connect to an access point your client caches the certificate that was used in association with the access point's SSID, and then the next time you connect to that SSID your computer will warn you if the certificate has changed," he said. "This model has worked well with SSH and it is certainly preferable to not having any encryption at all."
In the blog post, Cross and Takahashi used the example of an open wireless network with the service set identifier (SSID) "ibm.com." When a user connects, "our access point would send down a digital certificate for 'ibm.com,' and your wireless client would establish an encrypted connection with us, knowing that because the name in the certificate is the same as the SSID, the network you are connecting to must be run by IBM," according to the blog.
"The result would be that when you open up your wireless client you could establish secure, encrypted connections to networks operated by people (or companies) that you trust, knowing that those networks are really operated by the people (or companies) that they claim they are operated by without needing to have a password," the pair blogged.
This approach goes beyond SSL VPN (secure sockets layer virtual private network) used by companies to enable remote intranet access because those VPNs do not protect access to the entire Internet, Cross told eWEEK.
Right now, Secure Open Wireless remains in the early stages - IBM has a patent pending, as well as a paper with a technical discussion on the subject that is a few months away from being published. In the blog post, the researchers urged certificate authorities, wireless access point manufacturers and others to get in touch with X-Force on the issue.
"Our proposal is actually very easy to implement...The real challenge is raising awareness about this approach and getting industry to adopt it," Cross said.