An Improvement to Connectivity But Not Security

Starting this Friday, Queens College will be “upgrading” how we connect to the campus-wide WiFi network.

In an effort to improve wireless connectivity and availability, we are making changes to the campus wireless infrastructure architecture that will affect the way you connect. The wireless network we have been using, which carries the network name (also called SSID) qclan, will no longer be available.

Currently, we all connect to the network named qclan. This is an open network and requires no password. After connecting, you arrive at a “landing page” where you authenticate with your QC username and password. In the past, I suspected that the traffic between my computer and the WiFi network was unencrypted, but after becoming more attuned to digital security in the last year, I began to worry that anyone could sniff my packets.

Maybe the new “wireless infrastructure architecture” will address the lack of security between my computer and the network.

Nope.

New networks corresponding to your affiliation with the college will replace qclan: qc-faculty, qc-staff, qc-student, and qc-guest.

To access your particular wireless network:

  1. Select the network associated with your affiliation (qc-faculty, qc-staff, qc-student, or qc-guest) and connect.
  2. Enter WEP Key (password) 12345.
  3. Open a web browser (Firefox, Safari, Internet Explorer, Chrome).
  4. Queens College login screen will appear
  5. Log in using your Queens College ID (except guests, who should use their email address).

Wow, this is absolutely appalling. They haven’t made any real changes to the security of our network. They’ve only made it slightly more difficult to get connected. We now have to connect to the network that corresponds to our affiliation (no cheating, anyone) and then enter a “passcode” that everyone knows.

Introducing a shared key introduces some level of security but not much. First, WEP is a deprecated security algorithm: it was declared insecure by the WiFi Alliance in 2003. Second, if everyone knows the key, anyone can get in and someone can sniff the data between a computer and the network. This is the real-world equivalent of locking up your home but taping the keys to the front door. Third, that WEP key is #20 on the list of most popular, worst passwords and note that it’s not all that different from #1.

The only real authentication happens in the fourth and fifth steps outlined above. We open a webpage and enter our QC username and password to gain access to the wireless network. That would keep unaffiliated users from accessing the web, but it doesn’t keep our traffic secure: web authentication does not provide encryption. Instead, it acts like a firewall that blocks all ports except those necessary for DHCP, to get an IP address from the router, and DNS, to get establish a basic network connection.

If this seems like a familiar way for connecting to a wireless network, it’s because you’ve likely done that in a public place, like a Starbucks, a Marriott, or an airport lounge. These are places where you have little expectation of privacy because you’re usually just passing through, and it’s why so many road warriors use a VPN to secure their digital traffic.

But as faculty, staff, and students, we are not the public. This is our campus-only WiFi network. We regularly traffic in sensitive data, such as research documents and student records, but are relegated to the status of a guest, like customers at a coffee shop or transients at a hotel or an airport. What’s more appalling is that they’re not the only university that secures its network in a similar way.

I wrote the QC help desk with my concerns. I’ll update if I get a response.

Leave a Comment