Re: WiFi security is a mess
Passworldless-wifi hot spots are indeed just open invitations to join a raw network. If you use them, VPN over them to a known-good server. You're sharing an Ethernet cable with every random stranger and the guy giving you Internet.
Passworded wifi hotspots are, however, no better. If there's a common password and several people know it, the same thing happens - everyone can see what you're doing even if only by starting a Wifi network with the same name and password and blasting the other off-air (which can be easily done), thus forcing you onto an unknown network without you knowing. You're sharing an Ethernet cable with every one who has the password, and the guy giving you Internet.
However, if you own/control the network, and you own/control the devices, there are more than a few ways to secure them reliably, not least to make the Wifi nothing more than a transport medium for a secure channel (everything supports VPN these days, even smartphones). You can do this with certs on them, or with VPN, etc. but the greater principle is just "make sure your services aren't plain-text".
As we move towards everything being HTTPS, the problem begins to solve itself. We're treating *everything* as an insecure medium and encrypting everything with endpoint verification that can't be faked (without the user doing something incredibly stupid). HSTS, certificate pinning, etc. are guaranteeing that we're talking to even Facebook, let alone a corporate intranet.
Wifi is an insecure medium but so is just plugging a random Ethernet cable into a machine, you have no idea who's listening to it or what's happening. Even with the securest of wifi, there's an IT guy somewhere listening in. The trick is to treat wifi - all wifi - as exactly what it is... an untrusted transport medium exactly like connecting over the Internet. Trust nothing, verify your endpoints, encrypt everything you can.
The problem won't change. Because even with all the security of WPA3 or anything else you use, things get broken on a regular basis and even VPNs aren't safe. The trick is to never communicate over an untrusted medium as if it were trusted. And wifi and the Internet in general are untrusted. Even Google couldn't use raw Internet between their datacentres without the NSA snooping it, so they encrypted all traffic even between their own sites on private lines.
Biting the hand that feeds IT
