Planned changes are in place for how devices connect to WiFi and how to make them more secure. The security requirements adopted by the WiFi Alliance have mandated these changes. These changes are soon to be (if not already) implemented on Android, Google, Apple, and Windows devices.
What are the changes?
The changes involve how your device will connect to WiFi. It will be compulsory for devices connecting to WiFi to install a certificate of authentication. Some devices may not allow you to connect to WiFi without the installation of the certificate.
How has the security on WiFi been enhanced?
Previous to the update in security, devices connecting to WiFi could connect without a certificate. Not validating a certificate is a security risk as it opens up the possibility of leaking user credentials. This can be done by hackers setting up a fake Wireless Access Point (WAP) and/or with a spoofed SSID (called WiFi Secure for example) to harvest valid user credentials.
As an example, on an iPhone, you may have seen this notification when connecting to WiFi for the first time, and selected "Trust" in order to connect.
A WiFi Certificate protects the registration process and encrypts log-in credentials when connecting to WiFi, ultimately providing secure network access and increasing trust in WiFi. There are three defining features of a WiFi Certificate:
Authenticates sign-up service providers
Encrypts user data during the sign-up process and communication between a mobile device and essensys server
Ensures that a user is communicating with the intended service provider (essensys)
What is Server Certificate Validation?
Server certificate validation is a security feature of WPA2-Enterprise that makes devices check the identity of a server before they attempt to authenticate to a network. Devices are able to verify the server by checking the CA (Certificate Authority) of the RADIUS server and making sure the CA belongs to the appropriate domain.
Devices typically have a “root store”, a pre-installed list of trusted CAs. In order for server certificate validation to function, the device and the RADIUS Server (the device that essensys uses to maintain user profiles and authentication in a central database) need to both trust the same CA that issued the server validation certificate.
Illustration of how end-user devices connect and authenticate to WiFi:
Why do I need to install this certificate?
Installing the essensys certificate guarantees your device is connecting to the essensys authentication servers when logging into WiFi Secure. The installed certificate verifies the certificate presented by the authorisation server during the handshake is who it says it is. Without this, it would be possible for a malicious actor to set up a bogus wireless device transmitting "WiFi Secure", when your device connects it will pass your credentials as normal, the malicious actor could then obtain and use to connect to your secure network.
Certificate validation, as part of the EAP protocol in RADIUS, is a fundamental security step. It ensures that the certificate presented by the server claiming to be the user's home server is signed by a CA certificate present on the user's device, ensuring that the user's credentials (username and password) are not exposed to a third party attempting a man-in-the-middle (MITM) attack.
What do you need to do?
When you connect to the Wi-Fi Secure with your device you will be prompted to trust the Certificate please see this guide here.