Forum > Blogs > Idle Threats - Wireless Security Misconceptions
Idle Threats - Wireless Security Misconceptions
avatar
Country: US
Comments: 6470
News Posts: 413
Joined: 2008-06-21
 
Mon, 24 May 2010 01:47:23
0
There has been a lot of confusion for a long time on the relative effectiveness of wireless security, even among the otherwise tech-savvy crowd.  Last week, the other developers at work got on a conversation relating to wireless, and the typical dismissal of WPA and WPA2 was thrown into the mix as well.  Simply put, this is wrong.

This attitude likely stems from the genuinely broken Wireless Equivalent Privacy (WEP) standard.  WEP uses the RC4 cipher, which over time has had an increasing number of weaknesses found, but that's not really the primary problem with WEP.  RC4 is a stream cipher, so it requires an initialization vector in order to produce proper pseudo-random results.  WEP's initialization vector is too short, and not sufficiently random, and this is the source of the most successful attacks.  WEP can be cracked in a matter of a couple minutes on an active wireless connection.

Wi-Fi Protected Access (WPA) is a protocol created to address the critical weakness in WEP.  WPA required the use of the TKIP protocol for encryption, while WPA2 refers to WPA with the use of CCMP with AES for encryption.  There have been proof-of-concept attacks against certain configurations with WPA with TKIP due to somewhat similar issues as WEP, but to a much lesser extent.  The short conclusion is that with insufficiently short key renewal times, a connection with TKIP could potentially be broken in about 12 minutes.  Set a key renewal time of less than 12 minutes, and there is no issue.

Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and remains, with a sufficient password, is perfectly safe.

There is also some confusion as to the nature of personal versus enterprise, as if having the distinction means one of them is insufficient.  Enterprise is there for the use of an authentication server (RADIUS) such that user account-specific certificates are distributed.  It's irrelevant to the home or small business user, and it's not a concern for safety.

Perhaps it's a bit naive, but I do believe we can, with dedication and sacrifice, keep our mouths shut unless we know what we're talking about.  Someday, someday...

---

Tell me to get back to rewriting this site so it's not horrible on mobile
avatar
Country: UN
Comments: 17323
News Posts: 2811
Joined: 2008-06-21
 
Mon, 24 May 2010 03:31:55
0

Yodariquo said:

Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and remains, with a sufficient password, is perfectly safe.

That's good to know. I've been using WPA2 for years now. Happy

The VG Press

avatar
Country: UN
Comments: 48515
News Posts: 59786
Joined: 2008-06-21
 
Mon, 24 May 2010 10:29:44
0
Explain that so a soccer mom could understand.

avatar
Country: UN
Comments: 17323
News Posts: 2811
Joined: 2008-06-21
 
Thu, 27 May 2010 20:32:20
0
^
WPA2 = Good

WEP/WPA = Bad
Edited: Thu, 27 May 2010 20:34:53

The VG Press

avatar
Country: US
Comments: 6470
News Posts: 413
Joined: 2008-06-21
 
Thu, 27 May 2010 23:09:21
0
Ravenprose said:
^
WPA2 = Good

WEP/WPA = Bad

I'll have to take the non-joke route and point out that WPA is effectively just fine.  The tools are not so easily available, even in the cases where your configuration is vulnerable.  Also, not all routers make the distinction between WPA and WPA2.  And lastly, some routers allow WPA2 with TKIP/AES, meaning if the client doesn't support AES, the router will allow TKIP, meaning the theoretical threat persists.

So in short, your options in order from best to worst

WPA with AES only
WPA with AES/TKIP
WPA with TKIP with < 12 minute key renewal
WPA with TKIP
WEP
Open network

---

Tell me to get back to rewriting this site so it's not horrible on mobile
avatar
Country: UN
Comments: 19377
News Posts: 9401
Joined: 2008-08-18
 
Fri, 28 May 2010 07:21:22
0

I've had no problems since you told me to turn off my wifi security (since I'm in the middle of no-where).

Web related security note, if you want your google searches to be encrypted you can add an "s" to the http in http://www.google.com and your searches will be between your hardrive, google and you and no-one inbetween.  More for when you are using an open wi-fi, or if you just want to be paranoid.

avatar
Country: UN
Comments: 17323
News Posts: 2811
Joined: 2008-06-21
 
Fri, 28 May 2010 21:46:04
0
^ That's a nice tip, aspro. I did not know that. I can't imagine ever needing to use it, but it's a good option to have, I guess.

The VG Press

avatar
Country: US
Comments: 6470
News Posts: 413
Joined: 2008-06-21
 
Fri, 28 May 2010 23:16:12
0
Yeah, they just launched the TLS option for Google.  No good for me, though, as Google.ca doesn't provide it.  But the concept works for a lot of sites.  Just change it to https and often you can browse encrypted.

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Log in or Register for free to comment
Recently Spotted:
*crickets*
Login @ The VG Press
Username:
Password:
Remember me?