0

A question about how password protecting a WiFi service works.

If you connect to an open WiFi service, we're told that someone could monitor the traffic and see any clear-text info.

If you connect using a password, your traffic is encrypted.

Question: If two people are connected to the same Wifi, can they decode each other's traffic?

If the answer is "No", then why can't password-less "open" Wifi services be defined with a standard universal password?

3 Answers

2

Question: If two people are connected to the same Wifi, can they decode each other's traffic?

WPA2-Personal – yes, as long as they also capture each other's WPA EAPOL handshake as part of the traffic, they will be able to derive the correct encryption keys for that particular session.

(Sending a fake deauth frame is a common way to force the other person's device to reconnect and re-do the WPA handshake, though you will only be able to decrypt traffic after the handshake, not anything that was captured earlier.)

WPA3-Personal – I think the answer is no due to the new "SAE" protocol (not 100% sure).

Also, if you're on a corporate or university network that uses WPA2/WPA3-Enterprise – no, the encryption keys are generated through EAP and are unique to each client.

If the answer is "No", then why can't password-less "open" Wifi services be defined with a standard universal password?

For WPA2 the answer is "Yes", so a standard universal password wouldn't help much.

For WPA3, this was actually done: it's called OWE (Opportunistic Wireless Encryption) aka "Wi-Fi Enhanced Open".

grawity
  • 501,077
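To make the WPA2-Personal point above concrete, here is an added example (my own, not code from the answer or from any WPA implementation) that derives the per-session CCMP key the way 802.11i specifies: PBKDF2 over the passphrase and SSID gives the PMK, and PRF-512 over the PMK plus the two MAC addresses and two nonces from the 4-way handshake gives the PTK. The SSID, passphrase, MACs and nonces are constructed placeholders; everything except the passphrase is visible in the captured handshake, which is why anyone holding the shared password derives the same key, and why a fresh handshake (new nonces) yields a different one.

```python
import hashlib
import hmac

# Constructed sample values (assumption, not from the page): the network's SSID
# and shared passphrase, plus the four values a passive observer sees in the
# clear during the 4-way handshake (both MAC addresses and both nonces).
SSID = "CafeWiFi"
PSK = "shared-cafe-password"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))        # nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))    # nonce the client sends in message 2


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def temporal_key(psk, ssid, ap_mac, client_mac, anonce, snonce):
    """The 16-byte CCMP temporal key (TK) is bytes 32..47 of the PTK."""
    pmk = pmk_from_psk(psk, ssid)
    return ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce)[32:48]


def same_key_for_everyone_with_the_psk():
    """Returns (same inputs match, new handshake matches, wrong PSK matches):
    the PSK plus the captured handshake fully determines the session key."""
    client_tk = temporal_key(PSK, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    peer_tk = temporal_key(PSK, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    new_session_tk = temporal_key(PSK, SSID, AP_MAC, CLIENT_MAC, bytes(32), SNONCE)
    wrong_psk_tk = temporal_key("other-password", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return (client_tk == peer_tk, client_tk == new_session_tk, client_tk == wrong_psk_tk)


if __name__ == "__main__":
    print(same_key_for_everyone_with_the_psk())   # prints (True, False, False)
```

The PMK derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"), which the test below does.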
2

With WPA2-PSK (a.k.a. WPA2-Personal), anyone who knows the network password, and starts capturing traffic just before a target client joins the network, can decrypt the WPA2 (AES-CCMP) encryption on that client's traffic, for that session. So any insecure HTTP traffic, as opposed to TLS-encrypted HTTPS traffic, that the target client sends or receives can be decrypted.

With WPA2-Enterprise (a.k.a. WPA2 with 802.1X), where each user has to enter their own login credentials, such as their own username and password, before they can join the network at all, there is no way to decrypt the WPA2 (AES-CCMP) encryption from other clients' traffic.

Note that networks that allow you to join but pop up a web form that makes you enter credentials are NOT WPA2-Enterprise. Those web forms are called "captive portals", and are a different thing that usually doesn't provide any kind of encryption.

A universal password for all public-access Wi-Fi networks would not secure anyone's traffic, because it would not be a secret, and encryption requires secrets.

Spiff
  • 110,156
0

If web traffic is of the form https:// ... then it cannot likely be sniffed and decrypted. Same for email as it is encrypted as well.

That said, the odd things are using http:// ... and if that is happening, that can be sniffed.

Wireless settings are now encrypted (WPA2, AES).

then why can't password-less "open" Wifi services be defined with a standard universal password?

Open WiFi services or a known password can (and does) lead to hacking into open systems and from there, devices like unsecured computers. This is different from sniffing but is a good reason why WiFi should always be secured along with the computers behind the WiFi. If people have passwords they can break the WiFi security.

Otherwise this kind of security should prevent others on the same networks from seeing or tampering with each other's systems.

If people are on the same subnet of the same LAN, you need to be very careful about security of devices (inside the WiFi).

System security (WiFi and devices) is always being improved because hackers keep finding new ways around existing security.