With WPA3, Wi-Fi Security is About To Get a Lot Tougher (zdnet.com) 121

One of the biggest potential security vulnerabilities -- public Wi-Fi -- may soon get its fix. From a report: The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated.
Further reading: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago

  • by davecb ( 6526 ) <davec-b@rogers.com> on Tuesday January 09, 2018 @11:44AM (#55893963) Homepage Journal
    I'd hope security would get better, but maybe it does just get tougher (;-))

    --dave
    [English, ambiguity is your middle name]

    • by Anonymous Coward

      "The standard will replace WPA2, a near-two decades-old security protocol"

      More ZDNet hyperbole. WPA2 was ratified 24 June 2004, which is roughly 13.5 years ago - nowhere close to two decades.

      • And it's going to use:

        a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems

        which decrypts to:

        a security suite created by a front for the NSA

        I think I'll stay with KRACK-patched WPA2, thanks.

    • by jrumney ( 197329 )
      Given that it relies on a new "CNSA" encryption algorithm (C for Circumventable), I think WPA2 is going to be with us for a while longer.
  • by MachineShedFred ( 621896 ) on Tuesday January 09, 2018 @11:46AM (#55893979) Journal

    Yes, this will prevent open-air sniffing of your packets.

    VPN or HTTPS is still better, because after those packets arrive at the access point, they are unencrypted over whatever wire the AP is plugged into. WPA only covers the wireless link; HTTPS or VPN (or both!) encrypt much farther through the network, if not the whole way.

    The first thing I do on an open WiFi network is connect to a VPN.

    • by Hal_Porter ( 817932 ) on Tuesday January 09, 2018 @11:50AM (#55894015)

      It doesn't hurt to have multiple redundant levels of security. I.e. HTTPS over VPN over WPA3.

      • by ledow ( 319597 ) on Tuesday January 09, 2018 @11:57AM (#55894093) Homepage

        Indeed. I used to VPN over my internal Wifi that only I knew the password for.

        WEP was cracked? Didn't matter.
        VPN software was cracked? Didn't matter.
        WPA was cracked? Didn't matter.

        So long as they aren't ALL cracked at the same time, you're safe. And there was no measurable latency or other additions, but full end-to-end verification and encryption, TWICE. I used to game CS over it.

        Give yourself enough layers and you don't have a window where you're vulnerable to compromise, whereas everyone just reliant on "WPA2 being secure" does. This gives you time to update, replace hardware, change settings, test if you're vulnerable, etc.

      • by Anubis IV ( 1279820 ) on Tuesday January 09, 2018 @01:05PM (#55894755)

        While all of that is good, nothing beats a wired Ethernet connection. That's why I always connect via Ethernet to wireless routers I bring with me that I've configured to act as bridges for the public WiFi hotspots I visit. I get the low latency and security of a wired connection while also gaining the benefits of wireless. It's the best of both worlds.

        Note that I said "routers", plural. For maximum convenience, I've purchased separate wireless routers for each public hotspot I visit, that way I don't have to waste any time reconfiguring them each time I visit a different hotspot. I just pull out the appropriate one, plug it into my UPS, and away I go with simple but secure Internet surfing. And adding VPN to the mix is as easy as using Ethernet to connect a VPN-serving router to the bridge-mode router, then using a cellular hotspot to connect to the VPN. You still get all the benefits of both a wired connection and VPN while being able to enjoy Internet access anywhere you can find a public hotspot. As a nice bonus, you only ever need one VPN-serving router and one cellular hotspot in total, rather than one device per hotspot as was the case with my bridge-mode routers, so it saves on costs.

        Some might try to suggest that even with those savings it still costs more than it's worth, but I don't think you can put a price on the level of convenience, security, and speed that I enjoy thanks to this setup.

    • by houghi ( 78078 )

      One does not exclude the other.

    • Yes, this will prevent open-air sniffing of your packets.

      Hey babe, you can sniff my packets anytime ;)

      But seriously, yes, going on public WiFi without a VPN is like having casual sex without condoms: Sooner or later, you're gonna get infected with something nasty.

      • by Strider- ( 39683 )

        But seriously, yes, going on public WiFi without a VPN is like having casual sex without condoms: Sooner or later, you're gonna get infected with something nasty.

        People keep saying this, but it's simply not true. Anything of any import, even damned cat videos, are secured by https these days. If someone sniffs your packets, all they see is cyphertext, basically indistinguishable from line noise. If they try to inject something your browser should be throwing up a big SSL violation warning. Besides, even if the wifi is secure, is the AP? The router? the next hop after that? Once it gets off the air, it's in the clear anyway.

        • Anything of any import, even damned cat videos, are secured by https these days. If someone sniffs your packets, all they see is cyphertext

          The ClientHello message that opens a TLS session contains the destination hostname in cleartext, so that the server can tell which name-based virtual host's certificate to present.

        • What? Fuck no. For starters, DNS requests.
    • by Njovich ( 553857 )

      A properly set up VPN is better, yes. However, in the real world many people either can't or won't use a VPN. For those cases this would be a massive security improvement.

    • by Strider- ( 39683 )

      The first thing I do on an open WiFi network is connect to a VPN.

      For better or worse, you do that on my network, you're going to get QoS'd to hell. Not because I'm against VPNs, but just due to the nature of the QoS I'm running. At my choke point, I'm running weighted fair queuing. There are something like 2000 queues, and packets get dumped in a queue based on a hash of the source/destination ip and port number combos. Since all your traffic is going through the VPN, it's all going through a single connection, and thus winds up in a single queue, while my https reque

      • If you're running a VPN over a satellite link, you've broken your TCP acceleration and are going to get very slow TCP connections in any event.
  • Eh? (Score:5, Interesting)

    by ledow ( 319597 ) on Tuesday January 09, 2018 @11:48AM (#55894003) Homepage

    "One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated"

    Sure. But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they? There's no exclusivity for SSIDs and if there was, it'd be a denial-of-service opportunity.

    Once connected, and a secret shared, yes. But with no password the initial connection is still giving people a chance to shove you on THEIR connection rather than the one you think, and then you can be WPA3-authenticated to them rather than what you thought without having a clue.

    • That's an interesting thought. You can fit a mobile wi-fi hotspot into a pocket. Give it the same name as the shop and you'll get half the people logging into yours for sure.

      • by Anonymous Coward

        Google "Wifi Pineapple." These things have been around for a decade or so.

    • Re:Eh? (Score:5, Interesting)

      by VeryFluffyBunny ( 5037285 ) on Tuesday January 09, 2018 @12:43PM (#55894577)

      But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they?

      Yes, this. Public Wifi needs something like unique domain names with signed certificates from an independent authority so that people know what they're connecting to and can be warned if it's insecure and therefore unsafe.

      • by Anonymous Coward

        > Public Wifi needs something like unique domain names with signed certificates from an independent authority...

        a) You already get this with EAP-TLS. All WPA2 needed (modulo KRACK) was for supplicants to make it easy to not give a fuck about validating the presented TLS cert

        b) If you protect the link between the wireless client and the AP, you're at parity with wired Ethernet for security. For the most part people really don't need better than that. (Never forget the thousands of miles of "wiring" betwe

      • Or, you know....you could just connect to a vpn when on a public hotspot.

    • That's why you use VPN when connecting to a strange AP.
    • by Njovich ( 553857 )

      Very little is known about WPA3, so it's hard to say if it will do anything about SSID spoofing.

    • by Kjella ( 173770 )

      Allowing a random coffee shop to be your ISP is never going to be high security. But I think "Hey wait, why are there two CoffeeShop SSIDs?" is probably going to be an improvement. That could actually be a router feature, like if it detects another access point trying to send with the same SSID it'd send the manager some kind of alert. I think you'd pretty soon discover who's doing it...

      • It's called Rogue AP detection, and most (if not all) enterprise wireless systems already do this. But, it requires set up, monitoring, and then an action plan in place for what to do when a rogue AP is detected. Resources and skills typically missing from your CoffeeShop staff.
        • What I want is active rogue AP defense. That is rather than just alerting one to the fact the rogue AP exists, is that it starts sending deauthentication frames to anything associated with an AP pretending to be one of mine. That way the f@#kers are stopped dead in their tracks.
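
Added example (not part of the original thread): a Python sketch of the duplicate-SSID alert discussed in the comments above, flagging beacons that advertise a managed SSID from a BSSID the operator does not own. The `Beacon` record, the `MANAGED` inventory and the scan data are constructed for illustration; a real deployment would feed in beacons from its own wireless monitoring.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # transmitter MAC address from the beacon frame
    channel: int
    rssi_dbm: int

# Assumption: the operator keeps an inventory of its own AP BSSIDs per SSID.
MANAGED = {"CoffeeShop": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}}

def find_rogue_aps(beacons, managed=MANAGED):
    """Group beacons that use a managed SSID but come from an unlisted BSSID.

    A BSSID can be copied as easily as an SSID, so this only catches
    impostors that did not also clone a listed BSSID.
    """
    alerts = {}
    for b in beacons:
        known = managed.get(b.ssid)
        if known is None:
            continue                      # someone else's network name
        bssid = b.bssid.lower()           # MAC case varies between tools
        if bssid in known:
            continue                      # one of the operator's own APs
        alert = alerts.setdefault((b.ssid, bssid), {
            "ssid": b.ssid, "bssid": bssid, "channels": set(),
            "max_rssi_dbm": b.rssi_dbm, "sightings": 0,
        })
        alert["channels"].add(b.channel)
        alert["max_rssi_dbm"] = max(alert["max_rssi_dbm"], b.rssi_dbm)
        alert["sightings"] += 1
    # Strongest signal first: the nearest impostor is the one to go look for.
    return sorted(alerts.values(), key=lambda a: a["max_rssi_dbm"], reverse=True)

# Constructed scan results, not a real capture.
SAMPLE_SCAN = [
    Beacon("CoffeeShop", "02:00:00:AA:00:01", 1, -48),
    Beacon("CoffeeShop", "02:00:00:aa:00:02", 6, -60),
    Beacon("CoffeeShop", "02:00:00:bb:00:09", 6, -41),
    Beacon("Neighbour",  "02:00:00:cc:00:03", 11, -70),
    Beacon("CoffeeShop", "02:00:00:bb:00:09", 6, -39),
]

if __name__ == "__main__":
    for alert in find_rogue_aps(SAMPLE_SCAN):
        print(alert)
```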

  • by Anonymous Coward on Tuesday January 09, 2018 @11:51AM (#55894025)

    There needs to also be some kind of certificate system added for open networks. Starbucks ought to be able to register their network with a CA, so that it's possible to verify that that open network with the SSID "Starbucks" is not a phishing network.

    • by ledow ( 319597 )

      Don't give them ideas.

      Because then some naming authority will get involved and you'll have the domain-name debacle all over again about "who owns the name Starbucks for Wifi worldwide".

      • by Anonymous Coward

        Don't give them ideas.

        Because then some naming authority will get involved and you'll have the domain-name debacle all over again about "who owns the name Starbucks for Wifi worldwide".

        Uh... what makes you think it wouldn't be the exact same PKI that we already use for HTTPS, except the certs would be issued separately for HTTPS and WIFI. Want a public wifi cert? Then you'd self-sign or use Let's Encrypt, and you'd put a QR code of the cert on your menu.

      • Why not just use the existing one? Or even the existing infrastructure? If the SSID is called open.starbucks.com, the protocol could involve the same kind of certificate as you'd use to sign a website https://open.starbucks.com

        All that's needed is the protocol. The who-owns-what bit's already done.

        • All they really need is a public key posted on the wall (in the form of a 2D barcode) to provide a key to authorize that you are actually connecting to the correct access point. Or they could have an LCD screen that changes the key every 24 hours to allow for rotating keys to keep them more secure and stop people from just switching out the piece of paper.

    • by fisted ( 2295862 )

      ...which could get tricky when it comes to checking whether the presented certificate has been revoked or not, because you're going to have to assume the certificate hasn't, in order to get the Internet access you need to actually check; and you're going to have to do that through my rogue AP.

      It would seem safe at the first glance because both CRLs and OCSP responses are (mostly) signed by the issuing CA, but I could at least deny you access to either, so you can never know for sure.

      OCSP-stapling the AP cer

    • There needs to also be some kind of certificate system added for open networks. Starbucks ought to be able to register their network with a CA, so that it's possible to verify that that open network with the SSID "Starbucks" is not a phishing network.

      Who cares if it's a "phishing network" as long as it reaches the public Internet? They can watch my SSH and TLS streams all they like (just like the NSA does). I don't care. I don't give a damn what open network I connect to, in Starbucks or anywhere else. The wireless part of the link is just one of many many parts of the link, all of which are vulnerable to eavesdropping. The TLS Everywhere initiative exists for a reason.

  • I believe that in some countries like Germany it is illegal to run an open wireless network. (Crazy but true!) Would this proposed new standard address that, since the network would now be encrypted and no longer 'open'? Or does the law define an open network as one where users don't have to register for a username first? In that case, open Wifi would sadly remain illegal in Germany.
    • I don't believe it would. The network would still be "Open" in the sense that anyone can connect and use it without authorization.
    • Authoritarians got to authoritarianate

    • by fisted ( 2295862 )

      I believe that [...] (Crazy but true!)

      Yeah, it is actually crazy (and apparently sadly true) that you believe this kind of bullshit.

      Oh wait, you were saying the thing you believe is actually true, not the fact that you believe it? Then why start with "I believe" and not "it is a fact"? Oh yeah, because it's just a belief after all--so don't fucking call it true. Because it's not.

      Love,
      a triggered German

      • by Ed Avis ( 5917 )
        This article summarizes the situation: http://www.spiegel.de/internat... [spiegel.de] So it's not a crime to operate an open Wifi network, but the network operator becomes liable for anything a user does. (Whereas the postal service, for example, is not liable for slanderous letters that may be posted.)
        • by fisted ( 2295862 )

          Yes, open wifi operators used to [bundestag.de] be potentially liable.

          • by Ed Avis ( 5917 )
            That's great news, thanks for the update. I found when in Germany recently that wireless network operators still seemed to want you to register and provide a password, but that may be a holdover from the old situation, or just the German love of registering things.
            • My impression is that Germans in general are extremely wary of registration and very privacy-conscious, especially those with family in the former DDR.

              It's a stark contrast to Denmark, where we have a shared 2-factor login system for all public services, and to uniquely identify yourself for online banking and other secured services, as well as a unique social security number (CPR -- Central Person Register). All correspondence with public services (and a number of private services, too) goes to an encrypte

    • by Anonymous Coward

      Here in the US, your IP address is considered positive identification and proof beyond a reasonable doubt of activity, so if someone's open Wi-Fi is used for illegal business, the owner faces criminal and civil charges for it. This was a very common occurrence when the *AAs were doing their crackdowns on piracy around ten years ago.

  • We should be on WPA4 or 5 by now or moved on to another 3 letter security like WTF.

    I wonder what caused the 13 year wait?

    • WPA2 was good enough. For most things, it still is.
      • by AvitarX ( 172628 )

        Isn't there a replay attack disclosed now? I would hope WPA3 has something to mitigate that.

        My understanding is that only non-standard behavior on clients can protect against the replay attack.

        https://techcrunch.com/2017/10... [techcrunch.com]

        • Yeah, the KRACK Attack (love that name).

          Most major vendors have patched their software and devices by now, but that still leaves a bunch of legacy devices in harm's way.

          As always, don't trust wireless with sensitive data, use additional encryption everywhere you can, and you really should use a VPN when using wifi.

    • by Anonymous Coward

      I worked for a place that used WTF as the acronym for "waterfall." We had an acronym database somewhere, the entry in it was:

      WTF: Waterfall. WTF did you think it stood for?

  • by Anonymous Coward

    I'd love to see something like WiMax come back with open support so anyone can run something with longer range. It sucks that wifi has such a short range, but LTE can go so far, costing you a fortune per gig. It would be nice to have something that anyone can set up that covers longer distance, even if it's at a reduced speed.

    • Wi-Fi's shorter range isn't necessarily a bug; it's usually a feature. Go to a high rise apartment building and *try* to use 2.4 GHz Wi-Fi. Good luck with that. There's literally a hundred routers in range, all trying to talk over each other. 5 GHz is at least somewhat better, half because of the higher channel quantity, but half because of the shorter range and reduced wall penetration.
      If WiMax took off at a consumer level, it would be great for rural areas, but suburban and urban areas would find it useless

    • Distance is a function of power and frequency. Wimax would NOT be easier to deal with for just a few clients, you need many to get the benefits. Also, it's not designed for co-location/interference with other equipment you don't have timing control over. 802.11 outdoor gear has had long distance timing for 40km+ for a decade and a half. If you want to be super cheap about it, check ubnt gear.
  • by Anonymous Coward

    Backport for the WRT54GL when?
