Allow Network Zone definition by wifi SSID

Add a new option under the Network Zones definition dialog to define a trusted wireless network by its SSID. Useful for laptop users who need to use file-sharing etc in an office environment but also frequently use wireless hotspots. See;msg230503#msg230503 for further background and current work arounds.

The obvious problem is that SSID isn’t necessarily unique and is trivial to spoof.
(Likewise the MAC addresses of wireless access points.)
You’ll often see such spoofing in public wireless hotspots.

I think it would probably make more sense to also base it on WPA authentication.


Clearly WPA is better than non-broadcast SSID and WEP, but they are a reasonable defence against “passive” attacks. (Or at least I haven’t heard of any malware which tries to distribute itself by spoofing all possible SSIDs.) Also WEP and SSID are already in wide use so Comodo should not just ignore it. Certainly if you use something sufficiently obscure for your SSID it is relatively unlikely to be spoofed, and I don’t see how it is any less secure than IP address based network zones. Of course maximum security is obtained by combining as many of these requirements as possible, and Comodo could encourage that by allowing definition of network zones along the lines of:

IP address A operating from MAC address B on a network named C on a wireless network named D hosted from MAC address E

regards BP

I agree that basing network security on SSID alone is not significantly less secure than IP address – both are completely insecure. Likewise WEP and MAC. (Non-broadcast of SSID does not improve security, a common myth. Likewise MAC filtering.)

Even without the spoofing issues…
It’s quite common for different networks to use the same private network address block. One might be trusted, another might not. There’s no way for CIS to know which is which.
It’s likewise quite common for different wireless networks to use the same SSID (e.g., “linksys”). One might be trusted, another might not. There’s no way for CIS to know which is which.

This is probably my biggest security issue with CIS.
My objection to adding SSID is to making a bad situation even worse.

My personal notebook computer uses ThinkVantage Access Connections to manage networking profiles. It gives me fine-grained control of all network settings (even the default printer).
The only automatic network profiles I allow are by strong WPA authentication.
All other network (inc. Ethernet) profiles are by manual selection only.

Adding additional insecure items does not provide much (if any) real additional security, and certainly isn’t anything like “maximum security”.