Hotspot vs Access Point
Access point is the generic term for network components which enable users to access a given network infrastructure through 802.11a/b/g WLAN equipment.
We will use the term access point to refer to a setup where the group of possible users is defined by membership in an organization like a university or company department. In contrast, we will use the term hotspot to refer to a setup where the group of possible users is defined merely by a common physical location, like customers of an internet café.
When setting up an access point, the existing social and technical infrastructure allows the use of certain technologies for implementing authentication, authorization and privacy measures. For example, when setting up a WLAN restricted to students of a given university department, WEP encryption could be implemented with the WEP keys distributed regularly via email, since the set of possible users is known. Also, authentication keys can be assigned on a per-user basis, especially if a user database already exists. Lastly, an organization can simply require the use of certain software and protocols for accessing the WLAN, thus allowing the use of advanced authentication and accounting software.
When setting up a hotspot, a lot of restrictions apply. In the case of an internet café or a bar which offers internet access to its customers, users want to be given access on demand, without having to sign up for membership first. Also, the users cannot be expected to use specific software or hardware, and they should not be expected to be able or willing to set up their network parameters manually. The following list evaluates authorization, authentication and privacy technologies for use in a hotspot environment:
- WEP encryption
While almost all of today's consumer-grade hardware and software supports 40-bit and 128-bit WEP encryption, there are still two problems with using WEP encryption:
First, there is the question of key distribution. Although it would be possible to display the current key in a prominent place, the users would still be required to enter the key manually, which can be quite a hassle, depending on the operating system used. Second, not much can be gained from using WEP: due to the semi-public nature of places like a café, virtually everyone could gain access to the WEP-encrypted cell, which defeats the whole point of giving the users Wired Equivalent Privacy. Therefore, WEP should not be used with hotspots.
- MAC based authorization
Since the MAC addresses of the possible clients are not known up front, it is not possible to grant or deny access to the WLAN cell on a MAC address basis when setting up a hotspot.
- EAP authentication / authorization
Authentication / authorization software based on the Extensible Authentication Protocol, such as LEAP, PEAP, EAP-TLS or EAP-TTLS, cannot be expected to exist on the user's platform. Even if it is available, there is still the issue of it being enabled and properly configured.
Currently, only Microsoft Windows 2000 and Windows XP support PEAP out of the box, but the user has to enable and configure it explicitly for the connection. Macintosh OS X supports LEAP, but also requires the user to choose it from a list of options before joining the network. To our knowledge, older versions of Microsoft Windows and Macintosh OS do not support any EAP dialect. In order to enable access for all possible customers, EAP should not be used with hotspots.
- VPN encryption
Similar to EAP, network layer encryption protocols such as IPsec or PPTP are only available on Microsoft Windows XP and Macintosh OS X and require extensive configuration before they can be used. For the same reasons as EAP, they should not be used when setting up a hotspot.
- SSL encryption
Luckily, SSL encryption (especially HTTPS) is available on all current platforms. Since none of the other encryption protocols can be expected to be present, SSL will have to be used when implementing authentication on a hotspot.
Due to the nature of a publicly accessible WLAN cell, the hotspot environment lacks privacy almost by definition. This is not a problem as long as the users know about this.