It appears there is an exploit that allows WPA2-encrypted 802.1X Wi-Fi traffic to be captured.
is to use a wired connection if one is available. I realize lots of public places are wireless only since they are so easy to deploy, but many hotels, especially big ones, have connection ports in every room. Use them and a VPN too if you can.
I think wireless sacrifices too much for the sake of convenience. Wired connections are typically more secure and faster to boot. I always choose to plug in if the option is there.
VPN or an SSL proxy at least. I do that regardless of wired or wireless. One never knows what is happening to your traffic, even on a wire.
I already clicked when I saw Michael's response.
Been using ssh for VPN out from untrusted networks for years now. So far, this is just a MITM from an already authenticated client. Encrypt your own traffic and you're good.
Is the complexity and inconvenience using this approach causes the normal user.
This is the main reason why I cannot wait for CryptoLink (https://www.grc.com/stevegibson.htm) to be released by GRC.com. VPN is the safest way to use Wireless Networks and currently HotSpot VPN does do a decent job of securing Wireless Network Traffic.
I have been following Mr. Gibson since he was a writer for InfoWorld. Lots of great advice.
So I placed our company's access points on the outside of our company network, and require VPN to access it.
I think that road warriors should consider all non-corporate WiFi traffic to be unprotected because to get individual session encryption requires enterprise authentication services which are not normally going to be provided even if the access point is using WPA/WPA2.
Bill
Except that I have seen some locations that did use WPA2 Enterprise. I was surprised, but they felt it was a good way to go, technically and legally.
That said, I pretty much always use a site like MegaProxy when I am on the road. The example I gave in the post was one time where I was lax and in a hurry.
Will this mean the attacker can view my SSL Traffic with my Bank? Let's say if I am at a hotel doing online banking?
With regards to this exploit.
When it comes to SSL/TLS, when the session starts is critical. Some web sites do not implement it correctly.
I will try to keep up on the Defcon presentation and post here about it.
Moxie Marlinspike's WPA Cracker web site will crack the password of a ZIP file as well as crack passwords for WPA/WPA2 wireless AP.
So I submitted a PKWare PKZip file which contains an encrypted file. IIRC, the file was not encrypted before it was compressed, but by PKZip, which created the output .ZIP.
The price went from $17 to $68 and the time from 20 minutes to 2 hours, because the site said that cracking the password of a compressed file that contains only one file is "more time consuming". Paying that much is not worth the content of that particular file, assuming that the WPA Cracker does crack the password.
Currently, I am using PKWare for Windows version 9. It is possible to have (1) a password that must be entered to view the list of files which are in the compressed file (it includes the filenames and other data about them), and (2) another password which must be entered to extract the files which it contains and/or to add files to the compressed file. The respective passwords can be either the same or different. I have no idea whether WPA Cracker can handle that situation, and I don't have the budget to find out from experience.
It seems you may want to post this on Chad's post about WPA Cracker.
I can see why you asked. I probably had your article and Chad's article opened on adjacent tabs, and posted my message in reply to yours although it does seem as though it should be in reply to his.
But I think that I accessed the WPA Cracker web site by using the link in your article, which I read after reading Chad's. I did not know that it also offered cracking .ZIP file passwords until I read the FAQ on WPA Cracker (that capability is not mentioned in either article). But I had to bail during the process of setting the job up when the web site reported the cost and time as so much more than the original expected cost. So I probably returned to your article from whence I came.
FWIW, I will post a copy in the discussion of Chad's article. I doubt that it will draw much response.
I admit, I was quite concerned until I read this. I have not enabled my router wireless until I got one that supported WPA2 recently (the Verizon / Actiontec one, much improved over my old outdated one). Now we have enabled all our iPhone / iTouch / Wii devices along with all the laptops (that support WPA2).
Another warm-and-fuzzy, I was surprised to see the Cisco/Linksys Ex000 series router offers private AND public WPA2 networks (2 separate keys), where the public will not see your local LAN that has file/print sharing enabled. It's a great feature for family / friends who visit and want to get online, I always recommend it now. The one pitfall is the short key it provides, I assume for convenience - that had to be replaced with the brute-force "cloud" crackers out there that exist nowadays.
cheers
Make sure to keep the router up-to-date. There is a vulnerability in those that is being readily exploited.
WPA2 is not, in and of itself, secure.
You need to opt to CCMP rather than TKIP. If you go for TKIP, it's as secure as WPA. CCMP may be called AES.
On top of this, you need a good password. Even WPA2-CCMP is subject to a brute force dictionary attack.
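A defensive check for the two points in the comment above (CCMP rather than TKIP, and a strong passphrase), as an added example that is not part of the original discussion: it audits a hostapd-style access point configuration. The sample config, the helper names and the 80-bit threshold are assumptions made for illustration.

```python
import math

# Constructed sample config for illustration; not taken from any real device.
SAMPLE_CONF = """\
ssid=guest-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=summer2010
"""

def parse_conf(text):
    """Return key/value pairs from hostapd.conf-style text (key=value, # comments)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def charset_bits(passphrase):
    """Upper bound on entropy in bits, valid only if every character is random.
    Dictionary words and dates score far lower in practice."""
    pools = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in pools if any(test(c) for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        size += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(size) if size else 0.0

def audit(text, min_bits=80):
    """Return sorted findings; min_bits is an assumed policy threshold."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa & 1:  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
        findings.append("WPA1 enabled (wpa bit 0); set wpa=2")
    # hostapd falls back to wpa_pairwise (default TKIP) when rsn_pairwise is unset
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split()
    if wpa and "TKIP" in ciphers:
        findings.append("TKIP offered as pairwise cipher; use CCMP only")
    psk = conf.get("wpa_passphrase")
    if psk is not None and charset_bits(psk) < min_bits:
        findings.append("passphrase below %d bits (upper bound %.0f)"
                        % (min_bits, charset_bits(psk)))
    return sorted(findings)
```
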