which do you think is safer: ssid broadcast on or off?

is it better to leave ssid broadcast on or is it better to turn it off?
i know that when ssid broadcast is off, your computer is invisible to novices but it also constantly sends signals to modem in order to discover wi-fi connection. and when ssid broadcast is on, you get visible to everyone in your modem's coverage area.
and i'm also aware of the fact that it doesn't stop computer savvy people from discovering your wi-fi connection.
but still, when all pros & cons taken into consideration, which do you think is a safer practise? ssid broadcast on or off?
thanks

 

Some people see it as added security, but really all you need is WPA2 AES with a strong wireless passphrase. In my case I keep ssid enable because I've added my D-Link router to my ISP's modem/wireless router combo (located in the basement - no choice in the matter due to the structured wire panel installed there) as a second wireless access point in the upstairs of the home. This gives us a choice, depending on where we are in the home, of using one or the other.

 

Common people can click on SSID name and without a password and an allowed MAC address they can not do a thing. A savvy person will find only a password problematic.

 

thanks for your opinions, guys.

 

It has nothing to do with security so it does not matter. The RF (radio frequency) signal is being broadcasted out in all direction whether you have SSID broadcasting enabled or not. So any wannabe badguy can search for RF signals and see your network regardless.

All disabling SSID broadcasting does is prevent your nosy neighbor from seeing your wireless network accidently. If you name your network something other than your dog's name or something the neighbor whizkid cannot associate with you, and of course use a very strong passphrase and the highest encryption your devices will allow, you will be fine.

That said, because any wannabe badguy can point a directional antenna at your house and "see" that you have a wireless network, and therefore can easily assume you also have valuable, pawnable computers inside worth stealing, I recommend Ethernet instead of wireless - even if it means punching holes in walls for the cables.

 

thanks for your contribution, b.b.

 

I've heard that disabling SSID broadcast actually makes you more susceptible to MITM (Man in the middle) attacks. Maybe someone more savvy can back that up or refute it. But either way, disabling it provides no real advantage just as those above stated. I just leave mine on.

 

All posts so far are good points BUT as usual I see the world differently.

I say turn it off NOT to save you from the real crooks with RF detectors but the snoopy teenager next door. Tell them nothing....

As well, rather than increase RF range I want to reduce mine to the minimum.

This way the crook will have to be sitting beside me!

Maximize router passwords and change the admin passwords placed there by vendors.

Better still scrap wi fi and go to hard wired.

 

Give your wireless network an SSID that will give pause to your nosy neighbors. Something like "SurveillanceVan055" or "VirusDistCenter".

 

Nah! Not possible. Why? Because who's in the middle? You! Your network's wireless access administrator. Disabling does not add or remove any layers of security, so it would not make it harder, or easier, one way or the other, for anyone looking for networks to hack.

 

thanks you all for your opinions, guys.

aamof, that's the exact same point i was trying to figure out. is it really better and worth it to turn ssid broadcast off NOT to prevent "real crooks" from bypassing the wi-fi security BUT the snoopy teenager next door? that's the real question for me.

i'm afraid no one's gonna buy that anymore, not even nana & papa

thanks again guys.

 

Potentially... anyone within range of the signal I'd reckon.

 

Even if we limited our discussion to the current generation of APs and their implementations, I wonder how consistent the behavior is WRT to how things actually work when "SSID broadcast" is disabled. I've read that with some APs at least, you can:

1) Completely disable the sending of beacons
2) Disable probe responses except in cases where the probe request was explicitly addressed to the correct SSID (ignore broadcast probe requests to the wildcard SSID) and was from an authorized client (apply MAC Address filtering), and even send a null SSID in the probe responses to those.

If that were done I think the focus would shift to wireless clients and how they behave. If they *only* probe (and attempt to associate with) that AP when you actually want them to connect to that AP, you'd be keeping things to a minimum. However, as is often brought up in discussions like these, due to client automatic connection settings (and some other implementation choices IIRC) wireless clients can be the leakers of information including even when they aren't near the AP. It wouldn't seem prudent to be out and about with a wireless device that is effectively broadcasting what SSIDs it prefers to connect to. Think AP databases, corporate wardriving, and the client side software (typically not disabled or even selectively used by average users, sigh) that feeds them.

There is also the question of how a client would respond if the desired AP were configured as above but a rogue AP with the same SSID, perhaps even the same MAC Address, were to be sending beacons and responding to all probe requests. If both APs had identical configurations I would think (assume) that it would simply boil down to signal strength/quality. However, if the client software immediately saw what it was looking for, perhaps some implementations would refrain from even probing for the hidden (and ultimately desired) AP?

 

Nice BUT I will know it is you and revert to carrier pigeons

 

There are more snoopy teenagers who want to piggy back their bullying on and porn your router than real crooks.

Guess who's door the police knock on.

QED

 

No. They are not in the middle, they are out in the fringes just like everyone else.

SSID enabled is the same thing as lighting up McDonalds' golden arches. Whether lit or not, everyone still knows McDonalds is still there. And whether you can get service at McDonalds or not depends on if McDonalds management grants you access and service - and not just because you want in.

Just because a nosy neighbor (or professional hacker) can "see" your network, that IN NO WAY means it will be easier for him/her to hack into it. The degree of difficulty hacking into a wireless network is not impacted in any way by the status of the SSID broadcasting.

 

Great post sir!

 

I am a retired Master Sergeant - no need to call me "sir" any more! But thanks just the same!

 

Bill/Sire:

Maybe so not harder or easier unless the user uses the ssid name as his password. but no one would do that would they?

My point is very very simple why point out the target at all and help them?

 

TWB brought up some great points. And that's really what I was getting at, but didn't possess the vocabulary or eloquence they did. Maybe not "in the middle", but having your card perpetually seeking a base, almost like saying: "where you at?" I could see making you more of a target.

I once saw people much smarter than any of us discuss this very subject, and it was decided that keeping SSID on was the better option all things considered. I'm sticking with that.

 

I just realized something. I left a big one out of that second sentence. Wireless network administrators often give their AP's an SSID which is descriptive, and these days many people take advantage of open WiFi networks. If one is careless about how they configure/use their wireless client, the SSID strings (alone) in probe requests could reveal where they work, where they go to school, where they take their car for service and what make it is, where they eat, where they live, what doctors offices they visit, and/or etc, etc, etc.

 

It is always good not to broadcast one's SSID. It is actually an added network security layer. For someone to break in to an "un-broadcast" SSID network, one must know the actual SSID and the password; that's two roadblocks instead of just one in the case where the SSID is indeed broadcasted.

Thanks.

 

Bill makes some excellent points, and to add to that...
http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43
The article is a little dated but should still be correct, for the most part anyway. On the SSID hiding:

 

I have never seen anyone do that on private networks. The worse case seen way too often is users not changing the default passwords. I have never seen anyone use the same PW as the SSID except at "free hotspots".

Exceptions don't make the rule.

That is not really a problem with later versions of Windows, as long as automatic connection has not been enabled. But even so, I don't see how disclosing that information is a threat - other than it tells badguys you have a wireless network you normally connect to. It does not them the physical location of your network, or grant them access. If I am at the Chicago's airport broadcasting the name (and a name is all SSID is) of my wireless network in Nebraska, what use is that to a badguy? None. How can it make his job of hacking my network or computer easier? It can't.

No it is not. See Is disabling SSID more secure?.

lol Well, smarter does not make it right and with no link to verify that discussion, that's just hearsay. Nevertheless, I agree with that statement and it is better to leave it enabled - but for convenience, not security.

Now I am not going to pretend I am smarter than your people, but you can follow the link in my sig to see if I might know a thing or two about network security. And the only real security issue with SSID broadcasting is the "name" you choose to call your wireless network. You don't want it be your dog's name as a nosy neighbor kid can then determine you have computers in your home, and then may start guessing your passphrase which better not be the super easy to determine default password, or your other dog's name.

 

I notice the "as long as automatic connection has not been enabled". How many people enable that? I can't provide useful comment on the various client configuration options and behaviors. I don't use foreign APs, I don't automatically connect to my own AP, and I've only used a couple of windows clients. There are many other types of WiFi client devices out there. All I'm certain of is that in at least some scenarios a client device can initiate a flurry of numerous probe requests addressed to SSIDs it has connected to before and those SSID strings (the "names") can be quite revealing to anyone that happens to be sniffing those probe requests. So in <TBD> scenarios where this would apply, there is an information security and privacy threat.

Theoretically, this might allow someone to gather information about the APs/SSIDs/descriptive names in use within an organization they are interested in targeting somehow. This might also assist someone in creating fake APs which would attract connections from a targeted person or just random people. I personally haven't thought through such potentials, but I suspect others have and some probably shared their thoughts on such threats. Its not like such issue(s) cropped up recently.