2) It is INCREDIBLY easy for anyone to connect and start using the Internet at our hotels. And we have absolutely all kinds of people staying with us. That includes people who are not tech-savvy at all.
3) Being a company that very actively seeks to reduce our footprint on earth & measures our performance in "People, Planet & Profit" (not just profit), open wifi with no captive portal saves time, energy & money. It helps your mood as well.
4) We are using enterprise solutions for our wifi. Hey, we have APs with WPA3 support available! Flick the switch, and you've got it. Oh, and we do client isolation. You doing a conference or a meeting? Ask us, and we can give you your own SSID. With encryption & a serious password.
5) At most of our hotels we don't do captive portals. We don't need it to provide you with Internet access. Guest wifi is a shared resource, and we provide plenty for each client (30/20). At some hotels even much higher speeds at optimal times.
6) We use RFC1918 private addresses for clients connecting to our guest wifi, so Internet villains cannot directly portscan or connect to your honeypot telnet server, should you have one.
7) We have (obviously) monitoring tools to look for APs that are not working, areas with massive spikes in traffic & signs of errors that shouldn't be there. But hey, we don't block ports or protocols: your VPN, Tor or corporate VPN connection works fine.
8) "BUT YOUR WIFI IS OPEN, THERE IS NO ENCRYPTION, ANYONE CAN HACK ME!" No. Most services you use online today are encrypted (HTTPS, you know). Quite a few of them have even configured HTTPS to a level where MitM is very, very hard to do for an adversary. Even on open wifi!
9) DNS IS PLAINTEXT. We know. We are working hard to only use #DNSSEC resolving DNS servers, but of course you can use your own as well. Personally I want to provide our guests with DoT too, and you can use DoH as well with whatever provider you prefer.
10) About DNS: We @Nordic_Choice use #DNSSEC. We do #DNSSEC for our email with Google. Check our MX records: we use mailservers with the http://smtp.goog (Google) domain, which is #DNSSEC signed. We ask our providers to use #DNSSEC. You should too.
11) We haven't had a single report coming in from anyone becoming a victim of "hacking", where lack of Client<->AP encryption in our guest wifi was the reason for the incident. *Not a single report.*
12) Yes, we are well aware of clients remembering open wifi SSIDs, & automatically connecting to those SSIDs, even if it is someone playing with Kali or their brand new Hak5 Pineapple. We can't help with your wifi history, and imho most devices have been on open wifi once.
13) Side note: the two largest telcos in Norway ran massive campaigns warning against use of (open) wifi last year, promoting 4G instead. One of those telcos is also a BIG provider of open wifi in several countries. Paradox?
14) We have also experienced the confusion related to encryption & captive portals. Some even believe that captive portals are there to protect their security & privacy, and that a captive portal means there is encryption in place.
15) At one point I was told that without "double encryption" + login using a captive portal, we would violate #GDPR, and our wifi could not be used by employees of organisation X. Tough job trying to fix that one.
16) Now a little probability threat analysis: Where is the most obvious location of a villain wanting to hack you?
17) Another survey: What do you reckon is the most common way of getting hacked:
18) Third survey question: Have you ever been the victim of open Wifi hacking (MitM or other ways) - Infosec cons & Hak5 Pineapple demos excluded?
19) Obviously there are MANY ways to hack, bypass or make any wifi Client<->AP encryption irrelevant. Not to make that an argument against using encryption, though; I personally prefer the encrypted version. But risk analysis is cool.
20) There are threats out there, we will always have vulnerabilities, and we have values to protect. As a provider of free & open wifi access for our guests, we try to evaluate all of those, looking at probability & impact, while also remembering UX.
21) I could have said lots more, and I probably forgot something important as well. A nudge to @boblord here is in place, as well as @schneierblog & many, many others I've learned from in terms of being sober when doing risk analysis. :)
22) So I'll stop my rant here, and say thank you for reading all these tweets. I am now ready to answer your questions, comments and flames. pic.twitter.com/7LM1h2R52X
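Tweet 8 says some services have "configured HTTPS to a level where MitM is very, very hard", and tweet 19 adds that risk analysis, not encryption alone, is the point. The block below is an added example, not code from the thread's author or from Nordic Choice Hotels, and it assumes the mechanism meant is HSTS (RFC 6797, not named in the thread): once a browser has seen a valid Strict-Transport-Security header it refuses plaintext http:// to that host until max-age expires, so an attacker on an open network cannot downgrade a returning client. The checker parses the header the way a browser has to (duplicate or missing max-age invalidates the whole policy) and ranks the protection; the hostnames and headers in SAMPLE_RESPONSES are constructed for the demo, not real sites.

```python
"""Checker for Strict-Transport-Security (HSTS) response headers.

Added example; not code from the thread's author or from Nordic Choice Hotels.
Assumption: the hardened-HTTPS configuration tweet 8 alludes to is HSTS
(RFC 6797). All sample hosts and headers below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_DAY = 24 * 60 * 60
ONE_YEAR = 365 * ONE_DAY  # 31536000 s, the minimum the browser preload list asks for


@dataclass
class HstsPolicy:
    valid: bool                      # False -> browsers ignore the whole header
    max_age: Optional[int] = None    # seconds the host stays HTTPS-only for the client
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse one STS header value (RFC 6797 section 6.1).

    Directives are ';'-separated and case-insensitive; max-age is required and
    must be a non-negative integer (optionally quoted); a directive repeated
    within the header makes the whole header non-conforming, which a UA must
    ignore; unrecognised directives are ignored individually.
    """
    if header is None:
        return HstsPolicy(valid=False, problems=["no Strict-Transport-Security header"])
    policy = HstsPolicy(valid=True)
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue  # a trailing ';' leaves an empty token; harmless
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is permitted
        if name in seen:
            policy.valid = False
            policy.problems.append(f"directive '{name}' repeated; header is invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.valid = False
                policy.problems.append(f"max-age value {value!r} is not an integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.problems.append(f"unknown directive '{name}' ignored")
    if policy.max_age is None and policy.valid:
        policy.valid = False
        policy.problems.append("max-age missing; header is invalid")
    return policy


def assess(policy: HstsPolicy) -> str:
    """Rank the downgrade protection a *returning* client gets from the policy."""
    if not policy.valid or policy.max_age == 0:
        return "none"          # max-age=0 is the documented way to clear a policy
    if policy.max_age < ONE_DAY:
        return "short"         # protection lapses between visits
    if policy.preload and policy.include_subdomains and policy.max_age >= ONE_YEAR:
        return "preload-ready" # header meets the browser preload-list requirements
    return "good"


def hsts_level(headers: Dict[str, str]) -> str:
    """Look the header up case-insensitively in a response-header dict."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    return assess(parse_hsts(value))


# Constructed sample responses, not real sites.
SAMPLE_RESPONSES = {
    "bank.example":   {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "shop.example":   {"strict-transport-security": 'max-age="86400"'},
    "blog.example":   {"Strict-Transport-Security": "max-age=300"},
    "broken.example": {"Strict-Transport-Security": "includeSubDomains"},
    "legacy.example": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        print(f"{host:16} {hsts_level(headers)}")
```

The caveat that matters on a guest network is the first visit: a host that is not on the browser preload list gives a client no protection until it has completed one HTTPS request and received the header, so "good" only covers returning clients, while "preload-ready" is what lets a site operator submit the domain so that even a first visit on an untrusted network starts over HTTPS.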