Security considerations



  • We have a non-encrypted wireless access point hanging off an interface dedicated to visitors to the office and managed by Captive Portal.

    The visitors who need internet access can ask at reception for a username and password, all works well - so far so good.

    However, we cannot justify buying a commercial SSL certificate for the CP login page. I'm guessing it would be trivial for someone to sniff the login credentials (and all traffic) since the access point is open.

    Short of encrypting wifi at the access point, meaning users would have to log in twice, is there anything else I could do?



  • Instead of usernames and passwords, why not use vouchers which expire after 24 hours?
    If you disable concurrent logins there could only be one client which is using this voucher.

    Further - isn't it possible to create https certificates with openssl?!
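    An added example, not from this thread and not pfSense's own voucher code, modelling the voucher scheme suggested above: each voucher is bound to the first client that redeems it (concurrent logins disabled) and expires 24 hours after first use. The client MAC strings and timestamps are constructed values.

    ```python
    import secrets
    import time
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    VOUCHER_TTL = 24 * 3600  # assumption: 24 hours counted from first use


    @dataclass
    class Voucher:
        code: str
        first_used: Optional[float] = None  # None until redeemed
        client: Optional[str] = None        # MAC of the only client allowed


    class VoucherStore:
        """Illustrative captive-portal voucher store (not pfSense's implementation)."""

        def __init__(self) -> None:
            self._vouchers: Dict[str, Voucher] = {}

        def issue(self, count: int) -> List[str]:
            """Print a roll of unguessable codes for reception to hand out."""
            codes = []
            for _ in range(count):
                code = secrets.token_hex(5)  # 40 random bits, CSPRNG-backed
                self._vouchers[code] = Voucher(code)
                codes.append(code)
            return codes

        def redeem(self, code: str, client_mac: str, now: Optional[float] = None) -> str:
            """Return 'ok', 'invalid', 'expired' or 'in_use' for a login attempt."""
            now = time.time() if now is None else now
            v = self._vouchers.get(code)
            if v is None:
                return "invalid"
            if v.first_used is None:
                # first redemption binds the voucher to this client
                v.first_used = now
                v.client = client_mac
                return "ok"
            if now - v.first_used > VOUCHER_TTL:
                return "expired"
            if v.client != client_mac:
                return "in_use"  # concurrent login from a second client refused
            return "ok"
    ```

    A sniffed voucher is therefore only useful to an attacker while the legitimate client is offline and within the 24 h window, which is the limited exposure the post above is arguing for.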



  • Maybe this will help.  I know it did for me!  Although the cert is self signed, it still works for securing things.
    http://forum.pfsense.org/index.php/topic,33021.0.html



  • I'm using 24h vouchers and also a password to enter the wireless network here where I work... a hospital with multiple hits a day.

    No complaints and everything works fine.



  • Using a self-signed cert isn't much better than using HTTP. You can get a trusted SSL cert for $9 USD/year at namecheap, you really can't justify $9/year? That's the only way to truly keep the credentials secure short of securing the wireless.



  • I'm using a StartSSL free SSL certificate on my home pfSense portal. I noticed it doesn't play nice with Firefox, but IE authenticates to it fine.

    I would highly suggest a paid SSL certificate for a business environment.

    http://www.cheapssls.com/

    Comodo is $8 a year and RapidSSL is $9. I'd go with RapidSSL, Comodo's CEO is an idiot.

