EarthLink plans to cover the local-link Wi-Fi security problem on municipal wireless networks by requiring authentication: Earthlink's director for municipal broadband deployment said in an interview this morning that all retail partners for EarthLink's wireless projects would be required to authenticate their end users using a method that assigns each customer a unique, temporary, and strong encryption key.
This requirement will prevent ready access to household information passing in the clear across Wi-Fi nodes that will be part of the network that EarthLink will build in Philadelphia and Anaheim. The company also has proposals in front of Portland, Ore.; is one of two finalists for Minneapolis (disclosed Friday); and is bidding in Denver, Long Beach, and San Francisco, to name a few others.
I and others have written before about our concern that this local link would doom the security of the entire network making it simple for someone with a high-gain antenna and the right cracking experience (read: not very much) to drive around and suck down private details left and right. EarthLink defuses this.
EarthLink will require what's known as IEEE 802.1X with EAP-TTLS. The 802.1X standard allows for an unknown network device (a laptop with a PC Card, a Wi-Fi bridge, or another adapter) to connect to a Wi-Fi network and then negotiate for access by providing credentials--most likely a user name and password. EAP-TTLS is one method of ensuring that the negotiation is encrypted, and then of providing a legitimate user with a unique encryption key. EAP-TTLS and the similar PEAP standard are widely used for corporate security and both standards are required for WPA and WPA2 certification.
By mandating strong security, EarthLink ups the technical support issues for their retail partners because an 802.1X client (known as a supplicant) will be required to access their network. However, such clients are widely available at low or no cost. There's an open-source project and Mac OS X 10.3 and later includes EAP-TTLS support out of the box. Windows XP users will have to install a simple client package available from at least two or three companies.
EarthLink has set a gold standard that other municipal network bidders will have to match or find an equivalent for in order to achieve the same level of effective security. Google's VPN offering, in testing, could provide non-mandatory protection beyond the local link, but it's not a baseline measure. EarthLink's approach should be mimicked.