Morning,

Courtesy of various blogs, and contributors....

Since your computer cannot passively listen for the SSID broadcast and 
automatically connect when it sees the SSID (which will not show in the beacon 
broadcast, since that is how hiding the SSID works), it has to actively send 
probe packets with the network's SSID, even if it is nowhere near the access 
point, and wait for a response. This means that, instead of the access point 
broadcasting its name all the time, you have all computers configured to 
automatically connect to it broadcasting its name all the time, no matter where 
they are.

Not to mention that, to be able to roam between several access points with the 
same SSID, the computer has to know their BSSID (essentially, the AP's MAC 
address). Usually they do this by listening to the beacons broadcast by the 
access points. Since the beacons do not have the SSID (hey, it's hidden!), the 
computer has to periodically send probe requests even if it is already 
connected to the access point, making it laughably easy for an intruder to find 
out the SSID if even one computer is connected to the network. Not to mention 
the disassociation attacks.

So, it gains almost zero security (it is still way too easy to find the SSID) 
and loses a bit more security (the client computers constantly announcing to 
the world "hey, I am a computer belonging to someone who works at company XYZ!" 
even when nowhere near company XYZ). The net result is negative.

The only way to reduce or even avoid the security loss is to have it connect 
manually instead of automatically. Which seems to be what Apple is doing. 
(Windows Vista and 7, from what I recall, warn you of the security issues when 
you try to set it to automatically connect. The NetworkManager used by most 
Linux distributions also seems to make you choose the saved connection from a 
dropdown manually.)

In theory, it would be possible to save the known BSSIDs for each ESSID and 
only send the probe request when a beacon for one of them is received (that is, 
when you are near an access point which has in the past been used for that 
SSID). I do not know why nobody seems to have tried that yet.


Cheers!
`RobD...


-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[email protected]>
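The following is an added illustration, not code from the post above or from the WAMUG list: a small simulation of the client-side scanning logic the post describes. It models the usual auto-connect behaviour (a saved hidden network is probed by name on every scan, wherever the laptop is), the manual-connect setting (no automatic probes at all), and the BSSID-gated idea from the last paragraph (probe for the hidden SSID only after hearing a beacon from an AP the client has joined before). All network names, MAC addresses and the simplified frame model are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of 802.11 scanning. Real clients, drivers and
# frame formats are far richer; this only captures the decision "do I send a
# directed probe request carrying my saved SSID right now?"


@dataclass(frozen=True)
class Beacon:
    bssid: str   # AP MAC address (constructed sample values below)
    ssid: str    # "" when the AP hides its SSID in beacons


@dataclass(frozen=True)
class ProbeRequest:
    ssid: str    # a directed probe carries the SSID in the clear


@dataclass
class SavedNetwork:
    ssid: str
    hidden: bool
    auto_connect: bool
    known_bssids: set = field(default_factory=set)  # APs joined in the past


def learn_bssid(net: SavedNetwork, bssid: str) -> None:
    """Record the BSSID of an AP the client has actually joined for this SSID."""
    net.known_bssids.add(bssid)


def naive_probes(networks, beacons):
    """Auto-connect behaviour described in the post: a hidden network cannot be
    matched from beacons, so the client sends a directed probe for it on every
    scan, no matter what it hears around it."""
    return [ProbeRequest(n.ssid) for n in networks if n.hidden and n.auto_connect]


def bssid_gated_probes(networks, beacons):
    """Mitigation proposed in the post: probe for a hidden SSID only when a
    beacon from a BSSID previously associated with that SSID is heard."""
    heard = {b.bssid for b in beacons}
    return [ProbeRequest(n.ssid) for n in networks
            if n.hidden and n.auto_connect and n.known_bssids & heard]


def leaked_ssids(probes):
    """SSIDs that anyone listening nearby would learn from these probe frames."""
    return sorted({p.ssid for p in probes if p.ssid})


def simulate(client, networks, scenarios):
    """Run one client policy in each location and report what it announces."""
    return {place: leaked_ssids(client(networks, beacons))
            for place, beacons in scenarios.items()}


# Constructed sample data: one hidden corporate network and one visible home one.
CORP_AP = "02:00:00:00:aa:01"
NETWORKS = [
    SavedNetwork("CorpNet", hidden=True, auto_connect=True),
    SavedNetwork("HomeWifi", hidden=False, auto_connect=True),
]
learn_bssid(NETWORKS[0], CORP_AP)   # the client joined CorpNet once at the office

SCENARIOS = {
    "office": [Beacon(CORP_AP, ""), Beacon("02:00:00:00:aa:02", "Guest")],
    "cafe":   [Beacon("02:00:00:00:bb:01", "CafeFree")],
    "home":   [Beacon("02:00:00:00:cc:01", "HomeWifi")],
}

if __name__ == "__main__":
    for name, client in (("naive", naive_probes), ("bssid-gated", bssid_gated_probes)):
        print(f"{name:12s}", simulate(client, NETWORKS, SCENARIOS))
```

Running it shows the naive policy announcing "CorpNet" in all three locations, while the gated policy only does so at the office, where the AP is in range anyway; setting `auto_connect=False` on the hidden network (the manual-connect option the post mentions) stops the automatic probes entirely.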