Hi. On Tue, Jul 30, 2019 at 07:06:08PM -0400, Celejar wrote: > On Mon, 29 Jul 2019 13:57:25 +0300 > Reco <recovery...@enotuniq.net> wrote: > > ... > > > WPA2's (that's your conventional WiFi standard) secure configuration is > > fiendishly difficult. > > I take your point, but "fiendishly difficult"? I think you're > exaggerating.
WPA Enterprise. 802.1r. An "interesting" choice between CCMP and TKIP (yep, it's hardware dependent). De-authentication attacks. "Evil twin" attacks. I meant it when I wrote "fiendishly difficult". > > You have beacon frames that are broadcasted without any encryption. > > True, but is there any evidence that this constitutes a security risk? Some people believe that hiding AP name gives them another layer of security. Beacon frames prove otherwise. > > You have authentication frames that can be intercepted (so WPA > > passphrase can be bruteforced). > > Lots of things (such as TLS, ssh) can theoretically be brute forced - > the question is whether such brute forcing is sufficiently practical to > be a threat. I have seen nothing to indicate that properly configured > WPA2 can be realistically brute forced. For WPA2 it's not that hard really, assuming pre-shared key usage. Can be expensive (all those videocards and ASICs have their cost), but definitely doable. > > You have several encryption algorithms, but: > > a) They are not equally good. > > Of course not - they never are ;) The trick is to pick a good one, and > for wifi, that's WPA2 using AES. See above. > > b) You may have a hardware that lack support for a good ones. > > I suppose, but my impression is that most hardware from the last few > years is fine. Cheap smartphones and tablets. Whatever they put instead of a proper WiFi in printers (yep, I'm looking at you, HP). Oh, D-Link and Linksys. There are *always* some exceptions to "newer is the better" rule. Reco
