Website: Walter Gregg

On this page: Main content. Firmware. Client Isolation. DNS. Protocols. SafeSearch. Logfiles. Privacy? Links

What are Good Practices for Open WiFi?

April 2016. A few years ago the Electronic Frontier Foundation began the Open Wireless Movement (EFF 2014). However, they have told me that they no longer update this work. That leaves many unanswered questions. What are good practices for WiFi routers accessible by unsupervised minors and untrustworthy adults?

Open Source Firmware

Should we switch to open source firmware? Factory firmware may be unsatisfactory. For example despite being registered I was never informed of a critical update to prevent WiFi clients from taking over my ASUS RT-10NP. I learned of it after my WiFi was apparently infected. The update restored control but removed the client list. I tried a Linksys EA3500 replacement. This unit wouldn't allow offline configuration, an open guest network, or an independent guest network ID. I switched to a GAC-252 TP-Link TL-MR3420 router running preinstalled OpenWRT firmware (GreatArbor 2016).

Installing open source firmware is not for the faint of heart. I installed Tomato by Shibby on my ASUS (Shibby 2016). But then I tried what turned out to be the wrong version of DD-WRT and bricked my router (DD-WRT 2016). I then installed OpenWRT on my LinkSys (OpenWRT 2016). This didn't include the graphical interface 'LuCI', so now I can only configure it with a ssh/telnet client (e.g., putty or qputty).

Client Isolation

Should we bar direct WiFi client to client traffic? Direct sharing over open WiFi might transmit private data in the clear and might facilitate local copyright infringement.

DNS Blacklisting

Should we blacklist known malware, phishing, and porn sites? My router now uses the 'policy 2' DNS servers of Norton's free ConnectSafe (Norton 2016a). Other DNS servers are firewalled. This doesn't prevent explicit search engine results pages but does prevent clicking through to blacklisted websites.

Blacklisting isn't benign. For example, Norton's stricter policy 3 servers may blacklist sites mentioning sexual orientation. This was reported in 2013-14 (Hunter 2013; McCormick 2014a) and reportedly Norton responded by killing the blacklist (McCormick 2014b). But that's not what today's FAQ says:

"Policy 3 ... also blocks access to sites that feature mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence." [Emphasis Added]. (Norton 2016b).

According to a U.S. District Court, even Pennsylvia's blacklisting of a mere 376 flatly illegal web pages (E. Dist. Penn. 2004, 100) resulted in nationwide blocking (pp. 69-71) of in excess of 1,190,000 innocent pages plus some 500,000 pages at (p. 63).

Protocols (Port) Blacklisting

Should we blacklist all ports except for the basic web (HTTP/S)? A passer-by might otherwise accidently transmit private data in the clear if a client such as Apple Mail, Outlook Express, or Thunderbird was not safely configured.

Force Safe Search Blacklisting

Should we force safe search? Google facilitates this by allowing a WiFi operator to have a hosts file resolving any of Google's well known domains to the IP address of But this wouldn't be effective without blacklisting all other well-known search providers until they, too, offer this capability. And safe search de-indexes huge swaths of perfectly acceptable web content.

"SafeSearch blocks at least tens of thousands of web pages without any sexually-explicit content .... [including] sites operated by educational institutions, non-profits, news media, and national and local governments." (Edelman 2003.)

Logfiles (Spying)

Should we have and examine usage logs? If you are billed for usage above any certain allowance you obviously had better. Mine went up to 8 times normal (40 gigabytes versus 5 in a month) when my WiFi was apparently hacked. But how far dare you look? A router may show you every site a client visits and even every page viewed. That information is highly personal. Conceivably at least some of it might be protected by law. And there are some things it is better not to know.


Even home WiFi routers are powerful tools for spying and blacklisting. One answer to this is to download The Amnesic Incognito Live System and follow directions to create a bootable CD or USB stick (TAILS 2016). Another is to download, install, and run the TOR browser bundle directly (TOR 2016).

Do these tools make filtering pointless? No. Just as locking your doors greatly reduces the odds of crime even though the windows can easily be broken, filtering greatly reduces the risk of WiFi misuse even though it can easily be bypassed. Whether it's a good practice is left to the reader to decide.


, What are Good Practices for Open WiFi? (Apr. 2016) (available at . © W. Gregg 2016; /licenses /by-sa /4.0.

 No Privacy