Secure Wi-Fi for visitors


An open network with a portal page is a popular implementation model for visitor Wi-Fi. When visitors connect to the network, they are forwarded to a portal where they must accept basic terms and conditions or, in certain cases, provide personal information (such as an email address or phone number) in order to access the Internet.

Since this network must be "open" (no passwords, no encryption) it is also very unsafe. A person with bad intentions who is in close proximity to this Wi-Fi user and the Wi-Fi access point, can easily take the user off the network and take over the connection to steal Internet access while remaining incognito.

Businesses like shops and restaurants want to make it simple for customers to access the Internet while still providing some form of security. Given open networks are not secure, they had no choice but to use a shared password (WPA2-PSK).

But the PSK method of authentication is also completely unsecure. An attacker can decrypt, store, and even alter all wireless traffic because the password is typically readily available and hardly ever changes. A hacker can also make a Wi-Fi network with the same name that users can connect to very easily. As a result, the attacker is able to intercept all of that visitors' traffic with every possible consequence.

So basically, password-protected networks (PSK) provide the same (non-) security as open networks.

But: there is a new solution that offers more security than the above systems: Wi-Fi CERTIFIED Enhanced Open™ with Opportunistic Wireless Encryption (OWE) , also known as 'Enhanced Open'.

OWE is an alternative to open networks and offers a higher level of security for public Internet access than WPA2-PSK will ever be able to.

Similar to connecting to an open network, all that is required is to click on the network. To a visitor, an OWE network appears to be an open network (i.e., without the padlock symbol in the network list). The main benefit, however, is that it is encrypted and provides security against the dangers of the previous options.

Even before the visitor is forwarded to the portal page when connecting to an OWE network, the user's device and the Wi-Fi access point exchange encryption keys. These unique keys produced from the OWE exchange protect all traffic, including frames forwarded to the portal page.

Once the connection is secure, the user can proceed with the necessary steps on the portal page certain that her/his data is encrypted along with the rest of the traffic.

Following the portal page's authorization, the visitor's traffic is kept encrypted using the OWE keys established during the connection. It is also impossible for an attacker to manufacture de-authentication frames to get access to the Internet because OWE encrypts all communication.

Backwards compatibility

With Enhanced Open - Transition Mode, two Wi-Fi network names (SSIDs) are advertised per network: an open SSID and a hidden ‘enhanced open’ SSID.

Older clients can still connect to the ‘open’ SSID, while devices that support OWE will use the enhanced open SSID.

Links and sources:

Opportunistic Wireless Encryption - Wikipedia

Opportunistic Wireless Encryption…Um, What’s That Again? | Aruba Blogs (


Peter Neyt