Throughout my career deploying Wi-Fi, I have deployed countless guest/free Wi-Fi hotspots for clients, whether corporate guest Wi-Fi deployments or public Wi-Fi at festivals and every situation in between. The biggest problem with them is the age-old battle between ease of access and security.
Most of the designs I have done have been unencrypted open networks with a captive portal. This is great for ease of access, as it is really simple to connect a device to the network. From a security standpoint it is not so great: the captive portal only gates who gets onto the network, it encrypts nothing, so all traffic between the access point and the client device is sent in the clear and is open to eavesdropping by anyone in radio range. The current recommendation is that if you are using an open network, you use a VPN to encrypt your data.
The IETF has addressed this with Opportunistic Wireless Encryption (OWE), specified in RFC 8110. The idea is borrowed from opportunistic encryption on the web: when you connect to an HTTPS website you do not enter a passphrase and there is no input from the user; the browser and the web server negotiate the session keys between themselves. OWE applies the same logic to the link between the client device and the access point. The two sides carry a Diffie-Hellman exchange (the mandatory group is 19, NIST P-256) inside the 802.11 Association Request and Response, derive a Pairwise Master Key (PMK) from the shared secret, and then run the normal WPA 4-way handshake to produce the traffic-encryption keys. The important difference from HTTPS is that there is no certificate and no authentication at all: OWE stops passive eavesdropping, but a client has no way to tell a genuine access point from a rogue one advertising the same SSID.
In practice OWE secures open hotspots automatically: users join securely without entering a passphrase and without the operator having to stand up an 802.1X public key infrastructure to encrypt the data. This is a massive leap forward for the security of public hotspots.
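The exchange described above, as an added worked example that is not from the original post and is not hostapd's or wpa_supplicant's code: a pure-Python model of the OWE association and key derivation from RFC 8110 using group 19 (NIST P-256) and SHA-256. The curve arithmetic is a plain affine double-and-add (not constant time, illustration only), the public keys travel as x-coordinates only in the RFC 6090 compact representation, and the little-endian encoding of the group number in the HKDF salt follows the hostapd implementation. The `Station` class and the fixed private keys used below are constructed for the demo. It also models a rogue access point to show that both ends of an unauthenticated exchange are satisfied.

```python
# Added example: a self-contained model of the OWE key exchange (RFC 8110,
# group 19 / NIST P-256, SHA-256). Pure Python, no third-party packages.
# Illustration code, not the hostapd/wpa_supplicant implementation.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA IKE group 19, the group OWE must support).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
GROUP = 19


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def gen_priv():
    return 1 + secrets.randbelow(N - 1)


def encode_x(pt):
    """RFC 6090 compact representation: only the x-coordinate goes on the air."""
    return pt[0].to_bytes(32, "big")


def decode_x(data):
    """Recover a curve point from its x-coordinate, rejecting invalid input.
    Either square root will do: (x, y) and (x, -y) yield the same shared x."""
    x = int.from_bytes(data, "big")
    if not 0 <= x < P:
        raise ValueError("x-coordinate out of range")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)          # valid because P % 4 == 3
    if (y * y) % P != rhs:
        raise ValueError("x is not on the curve")   # invalid-point guard
    return (x, y)


def owe_pmk(c_pub, a_pub, z):
    """RFC 8110 section 4.4: prk = HKDF-extract(C | A | group, z),
    PMK = HKDF-expand(prk, "OWE Key Generation", 256), PMKID = Hash(C | A)[:16]."""
    salt = c_pub + a_pub + GROUP.to_bytes(2, "little")  # LE16 group, as hostapd
    prk = hmac.new(salt, z, hashlib.sha256).digest()
    # HKDF-Expand with L == HashLen is a single HMAC over info || 0x01.
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()
    pmkid = hashlib.sha256(c_pub + a_pub).digest()[:16]
    return pmk, pmkid


class Station:
    """One side of the exchange (constructed for the demo). In a real AP or
    client this state lives in the association handler."""
    def __init__(self, priv=None):
        self.priv = priv if priv is not None else gen_priv()
        self.pub = encode_x(ec_mul(self.priv, G))

    def shared_x(self, peer_pub_x):
        return encode_x(ec_mul(self.priv, decode_x(peer_pub_x)))


def owe_associate(client, ap):
    """Client sends C in the Association Request, AP answers with A in the
    Association Response; each side derives the PMK and PMKID on its own."""
    c_pub, a_pub = client.pub, ap.pub
    client_keys = owe_pmk(c_pub, a_pub, client.shared_x(a_pub))
    ap_keys = owe_pmk(c_pub, a_pub, ap.shared_x(c_pub))
    return client_keys, ap_keys


def rogue_relay(client, real_ap, rogue):
    """No authentication: a rogue AP with the same SSID completes one OWE
    exchange with the client and another with the real AP, then decrypts and
    relays. Returns ((client_pmk, rogue_pmk_c), (rogue_pmk_a, real_ap_pmk))."""
    (client_pmk, _), (rogue_pmk_c, _) = owe_associate(client, rogue)
    (rogue_pmk_a, _), (real_ap_pmk, _) = owe_associate(rogue, real_ap)
    return (client_pmk, rogue_pmk_c), (rogue_pmk_a, real_ap_pmk)


if __name__ == "__main__":
    (pmk, pmkid), _ = owe_associate(Station(), Station())
    print("PMK  ", pmk.hex())
    print("PMKID", pmkid.hex())
```

The `decode_x` check matters in practice: an access point that accepts any 32-byte string as a peer public key without confirming it lies on the curve is open to invalid-point attacks, which is why RFC 8110 requires the received value to be validated before the shared secret is computed.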
The catch that will slow down the adoption of OWE is what is needed to support it. First, the wireless infrastructure must support WPA3 and be certified as Wi-Fi CERTIFIED Enhanced Open by the Wi-Fi Alliance (Enhanced Open is the Alliance's certification name for OWE). Second, the client device must support it as well. On the network side, most kit from the last two years will either support it natively or have a firmware update to support it; on the client side it is a similar age of devices. The key question is whether the device supports Management Frame Protection (MFP), defined in the 802.11w amendment, because Enhanced Open requires it.
MFP (also called Protected Management Frames, PMF) adds integrity protection to the robust management frames such as deauthentication, disassociation and action frames, and encrypts the unicast ones, so a third party can no longer forge them to knock clients off the network. Beacons, probe responses and the association frames themselves still go out in the clear, since no keys exist yet when they are sent. Enhanced Open makes PMF mandatory, and an OWE BSS advertises the OWE AKM in its RSN information element, so a client that does not implement OWE does not see an open network at all; it sees a secured network it cannot join. That is where the compatibility issue comes from. The Wi-Fi Alliance specification addresses it with an OWE transition mode, in which the access point broadcasts a legacy open SSID alongside a hidden OWE SSID and steers capable clients to the latter, but that needs two BSSs per hotspot and does nothing for the legacy clients themselves. So to conclude, there is a new wireless security standard coming for public hotspots, but it is not quite there yet.