On Sat, 2008-04-19 at 15:09 +0200, Johannes Berg wrote: > > > Does anybody actually *want* that? I personally dislike the behaviour > > > of scanning for all previously known SSIDs actively when hidden SSIDs > > > are so uncommon, I see it as an information disclosure vulnerability. > > > > I can't speak for what others may want, but the Payment Card Industry > > security guidelines include not broadcasting the SSID as one of their > > requirements, if that is what you mean by "hidden SSIDs." > > So how would you feel if I told you that, after you have once used that > hidden network, your laptop will be broadcasting the SSID in probe > requests every time it scans, no matter where you are, even if you've > moved across the continent? I am not going to waste bandwidth debating the correctness of the PCI guidelines, because right or wrong, they are what they are. I was just trying to point out that the need to deal with access points which do not broadcast their SSIDs is real and likely to become more common in the future, at least for any systems using wireless in a retail or other credit card dealing environment. I'll leave it up to you (collective you, not necessarily a personal you), how to best deal with associating with APs which are not broadcasting their SSIDs. I agree with you (personal you this time) that roaming around the country broadcasting those SSIDs does not seem particularly desirable. So how should the ability to connect to non SSID broadcasting APs be implemented? My hope is that the more you are aware of the constraints on others who want to take advantage of all your hard work, the more likely you are to make the correct decisions and trade offs. I am not attacking your efforts, ability or motivation. I only wanted to point out that the design assumption in the first quotation that "hidden SSIDs are so uncommon" may need to be revised. -- Vincent C Jones <v.jones@xxxxxxxxxxxxxxxxxxxxxxx> Networking Unlimited, Inc. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
