On Tue, 17 Oct 2017 08:43:00 +0530 "tv.deb...@googlemail.com" <tv.deb...@googlemail.com> wrote:
> On 17/10/2017 00:49, Celejar wrote:
> > On Mon, 16 Oct 2017 21:27:30 +0530
> > "tv.deb...@googlemail.com" <tv.deb...@googlemail.com> wrote:

...

> >> the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
> >> wireless consumer electronics have their base covered and ripe for
> >> cracking...
> >
> > It's crucial to understand that there's a huge difference in severity
> > between BlueBorne and KRACK: the former "allows attackers to take
> > control of devices", and "does not require the targeted device to be
> > paired to the attacker’s device, or even to be set on discoverable
> > mode" (!) [https://www.armis.com/blueborne/], whereas the latter
> > 'simply' breaks WPA2, and can't really hurt you insofar as you're using
> > secure higher level protocols (ssh, SSL/TLS, HTTPS).
> >
> > I don't mean to say that KRACK isn't nevertheless a huge problem,
> > but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
> > going to be catastrophic to anyone not treating WiFi as a really secure
> > protocol. E.g., on my home network, I do use WPA, but I still require
> > SSH and so on for internal communication between my local hosts.
> >
> > Celejar
> >
>
> Agreed, my post was just a quick reaction to an 'OT' labeled thread, not
> a lecture on the respective merits of those vulnerabilities, or an
> attempt to spread F.U.D. Sorry if it came out this way (not a native
> speaker).

I actually do agree with what you wrote, I was just trying to add a bit of detail.

> That being said, for a lot of the common use cases having an attacker
> sit on the assumed-to-be secured wifi and able to intercept traffic for
> days, weeks, months maybe since the patching will be as usual "patchy",
> is bad enough. It is not the same as the "bombing the dhcp server and

...

> So using https or better for communications on the local network is a
> good idea, but is it the norm? Many router firmwares or built-in
> webservers from cameras to printers default to http, sometimes don't even
> offer https as an option.

Yes, after I sent my mail I realized that my wirelessly networked printer is going to be a problem. Some printers apparently support access via SSL/TLS (IPPS), but it looks like mine (Brother HL-2280DW) does not. And what are the odds that Brother will do a firmware update to patch WPA for this some 6-year-old model ;)

> This isn't as bad as blueborne but it is nonetheless another of the most
> widely used wireless standards being broken in a short time.

Certainly.

> It's patched in most distributions, and in router firmwares like LEDE
> already, was patched in some BSD even before publication, but how long
> before we see patches for all affected devices?

Never - for many / most Android devices, my printer (probably), etc.

> By the way, since we are security OT'ing, check your RSA keys if you
> used Infineon products to generate them.[1]
>
> [1] https://lwn.net/Articles/736520/rss

Yeah, just saw that on Ars this morning:

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

Another day, another critical vulnerability ...

Celejar