Shareware Beach

Tuesday, 11 January 2005

WEP Security or Not?

Filed under: Cyberspace — Jan @ 20:45

Almost all wireless networking products ship with WEP encryption turned off. Most people use them that way. Many industry pundits claim people should be more careful and take a few minutes to turn on the encryption. Users counter that they expect products to work properly out of the box, so if encryption matters, it should be on by default.

What is WEP anyway? WEP is an acronym for Wired Equivalent Privacy. In other words: it aims to equip wireless networks with the same kind of security that is (supposedly) inherent to wired networks. There is indeed a key difference between wired and wireless networks: to eavesdrop on a wired network, an attacker needs physical access to the wires. Traditional building security protects the wired network from outside attackers. Wireless network traffic can be picked up in the air, even outside buildings. WEP encrypts the signal as it is transmitted through the air, preventing attackers from eavesdropping or connecting to the network.

WEP would be all you need if your network were restricted to a single building. But most people use wireless networks to connect to the Internet. No matter how secure your local network is, eventually whatever information you’re transmitting leaves your home or business to travel across the wide expanse of the Internet, where you have no control over security. In other words: insecurity guaranteed. Whether you use a wired or wireless network to connect is irrelevant.

Protecting wires or air signals is futile. You have to protect the actual data. Many means are already at your disposal. When uploading or downloading sensitive information with a web browser, use the HTTPS protocol instead of HTTP. Most browsers will then display a padlock icon that you can click to verify the security. Use SFTP instead of FTP. Use SSH instead of Telnet. Etc.

When you use HTTPS, SFTP, SSH and other protocols designed with security in mind, your data will be secure when it travels between your own computer and the server at the other end. If the computer and the server are also sufficiently protected, at a minimum requiring a password to log on, then the whole system is secure, even if somebody is tapping the network in your home or office.
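To make the protocol swap concrete, here is an added example (not part of the original post) that audits a list of endpoints, flags the ones using the cleartext protocols named above, and builds the encrypted equivalent. The host names, user name and password are constructed sample values.

```python
from urllib.parse import urlsplit

# Cleartext protocols named in the post -> encrypted replacement it recommends.
SECURE_REPLACEMENT = {"http": "https", "ftp": "sftp", "telnet": "ssh"}
ENCRYPTED = {"https", "sftp", "ssh"}


def audit_endpoint(url):
    """Classify one URL; for cleartext ones, build the encrypted equivalent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    result = {"url": url, "verdict": "unknown",
              "password_in_url": parts.password is not None, "suggest": None}
    if scheme in ENCRYPTED:
        result["verdict"] = "encrypted"
    elif scheme in SECURE_REPLACEMENT:
        result["verdict"] = "cleartext"
        host = parts.hostname or ""
        if ":" in host:                      # IPv6 literal needs brackets back
            host = f"[{host}]"
        # Keep the user name, drop the password and the explicit port: the
        # old port (80, 21, 23) does not apply to the replacement protocol.
        user = f"{parts.username}@" if parts.username else ""
        query = f"?{parts.query}" if parts.query else ""
        result["suggest"] = (f"{SECURE_REPLACEMENT[scheme]}://"
                             f"{user}{host}{parts.path}{query}")
    return result


def cleartext_findings(urls):
    """Return audit results only for endpoints that travel unencrypted."""
    return [r for r in map(audit_endpoint, urls) if r["verdict"] == "cleartext"]


# Constructed sample: endpoints as they might appear in bookmarks or scripts.
SAMPLE = [
    "http://shop.example.com:80/checkout?item=1",
    "HTTPS://bank.example.com/login",
    "ftp://jan:secret@files.example.com/site/index.html",
    "telnet://192.168.0.1:23",
    "ssh://jan@server.example.com",
]

if __name__ == "__main__":
    for finding in cleartext_findings(SAMPLE):
        flag = " (password embedded in URL)" if finding["password_in_url"] else ""
        print(f"{finding['url']} -> {finding['suggest']}{flag}")
```

The suggested URL only says which protocol to move to; the server at the other end still has to offer it.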

Since you’re protecting your data by using secure protocols anyway, you might just as well leave the WEP stuff turned off. I leave it turned off myself, for the simple fact that my Netgear wireless router is a stupid thing that forgets its WEP settings if I turn it off at night (which I do–there are enough nuclear power plants already powering idle devices).

With WEP turned off, anybody in range of your wireless network (typically 100 meters) can indeed connect to the network. As long as your computers require a password to log on, as they should, it makes no difference–except for one thing: the Internet. If you have a broadband Internet connection, like most owners of wireless networks do, the Internet is “always on”, and doesn’t require any kind of password or special configuration (unless you went through the trouble of turning off the automatic stuff like DHCP).

How about that? With WEP turned off, anybody in the vicinity of your home or office can wirelessly connect to the Internet. Is that good or bad? If I was passing by your house, and asked to use your bathroom, would you refuse? If I asked for a sandwich, would you give me something to eat? You pay for each sheet of toilet paper and each slice of bread. Sharing them with me takes up some of your valuable time. But I can share your internet connection without your intervention, and it does not add to your bill. If it does, you need to switch access providers. Even here in North-Eastern Thailand, not exactly a center of everything high-tech, flat fee ADSL connections are commonplace, at least in the cities.

Now if everybody kept WEP turned off, Internet access would become ubiquitous as more and more people and businesses buy wireless network gear. Ubiquitous electricity revolutionized our society in the 20th century. Ubiquitous information networks will revolutionize our society in the 21st century.

So I say: the pundits should stop annoying people about WEP, and instead educate them about other security measures like password-protecting a Windows PC and using Internet software that uses secure protocols for web, email, etc.
