
Wi-Fi Gets More Secure: What You Need to Know About WPA3 - NicoJuicy
https://spectrum.ieee.org/tech-talk/telecom/security/everything-you-need-to-know-about-wpa3
======
reaperducer
_Everything You Need to Know About WPA3_

Things I know about WPA3:

- None of my routers support it, and I'm not gonna buy all new routers.

- My printer doesn't support it. Heck, it doesn't support WPA2.

- None of my IoT doohickies support it. Not gonna buy all new devices.

In this instance, I feel I'm more aligned with Joe Lunchbucket than Zap
McTechburg. I still use my PSP. It's 14 years old and not going to work with
WPA3. My wireless printer is 15 years old and doesn't even do 5GHz.

By the time the average person upgrades all their gear to WPA3 stuff, it'll be
cracked and we'll be on WPA5.

~~~
dikkechill
If you're using something like OpenWRT, you most likely don't need to buy new
hardware.

The WPA3 functionality is already added to hostapd and wpa_supplicant [1].
Look for the terms SAE (Simultaneous Authentication of Equals), DPP (Device
Provisioning Protocol) and OWE (Opportunistic Wireless Encryption).

The current experimental wpa_supplicant Debian package has this enabled [2]. I
think the main challenge is upgrading clients, especially when vendors no
longer provide updates.

[1]
[https://w1.fi/cgit/hostap/log/?qt=grep&q=SAE](https://w1.fi/cgit/hostap/log/?qt=grep&q=SAE)

[2]
[https://packages.qa.debian.org/w/wpa/news/20180722T152029Z.h...](https://packages.qa.debian.org/w/wpa/news/20180722T152029Z.html)

~~~
reaperducer
_If you're using something like OpenWRT, you most likely don't need to buy
new hardware._

Awesome! Point me in the direction of the firmware upgrade portal for my
15-year-old wifi printers, computers, and game machines from companies that no
longer exist.

~~~
dikkechill
I agree, you have a good point with respect to a large amount of older
hardware and I do not have a solution for that problem. What I can say is that
I try to buy hardware which has support for open source software and has a
community around it. So far this helped me to extend the life of these
devices, as it does not depend on the vendor alone.

I'm not really sure how to interpret your 'Awesome!'. If it was meant snarky
and if you're willing to, please have a look at the HN guidelines for comments
[1]. We can then improve the quality of the discussion.

[1]
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
reaperducer
_I'm not really sure how to interpret your 'Awesome!'. If it was meant snarky
and if you're willing to, please have a look at the HN guidelines for comments
[1]. We can then improve the quality of the discussion._

You're right. I'm sorry about that. Sometimes I forget which web site I'm
posting on.

~~~
dikkechill
Thank you, I appreciate that!

Actually, thinking a bit longer about the problem, the issue in my mind is
that vendors/producers do not have an incentive to update software if you only
pay for the hardware once. For them it's just a cost. It's more interesting to
sell more hardware. My strategy as consumer is to go to open source for such
devices. But perhaps there are better strategies.

I'm aware of Cisco having a model to pay for software updates, but this is
mainly for business clients. Does anyone know other vendors that have business
models, that create incentives for updating devices? Perhaps even for
consumers?

I remember that in the past MacOS updates had to be purchased, but this no
longer seems to be the case. Is there actually a consumer market for such
business models, where hardware and (paid) software are tied together for a
longer life cycle?

------
Someone1234
I'm most excited about "Enhanced Open."

The reason Open WiFi never had encryption is essentially because people argued
that if a connection cannot be perfectly secure then it shouldn't try to be
secure at all. Or the exact opposite of defense in depth.

Enhanced Open does what we should have been doing since WPA1: Opportunistic
Wireless Encryption. It is imperfect, but a substantial improvement over
current Open WiFi.

To quote Voltaire "Perfect is the enemy of good."

~~~
lucb1e
This so much. Same with HTTPS errors (so people keep using HTTP) and client
side hashing in password forms ("but an active attacker could replace the
JavaScript and make you submit the unhashed version of your password", so we
should just let passive listeners listen?)

~~~
nothrabannosir
_> Same with https errors…_

That's a branding issue: we've been selling "https://" as secure,
so we can't go back now and reeducate users. We should have decoupled the idea
of security from the protocol used (https can be insecure) and used a separate
channel entirely to communicate security, e.g. what browsers are doing now
with padlocks or colour schemes. But it's too late to change the SSL UX.

~~~
jazoom
Seems what Chrome is doing is a good idea. "Secure" is being phased out, then
there will only be "insecure" for http, which it most certainly will be since
there's no encryption.

------
baby
Didn't they use the backdoored PAKE algorithm from the NSA?

[https://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html](https://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html)

Looks like no one was supporting this algorithm and it still got adopted for
WPA3. What can we do about this? Are vendors this corrupt?

~~~
yuhong
I think this is probably a misinterpretation.

~~~
yjftsjthsd-h
Why? Is there good support for it that we're missing?

~~~
yuhong
WPA3 Personal seems to be another name for SAE that was defined in 802.11s.

------
mavhc
Can we see the details of this protocol? Not without paying. Good job they
have a track record of not being the people who gave us WEP, we should totally
trust that this time their open processes allowed for a secure system to be
developed.

------
smiley1437
I looked desperately in the press release for some version of Aerohive's
Private PSK (PPSK) where you can have multiple PSKs for the same SSID (Ruckus
and Cisco have their own versions too) but couldn't find anything.

The ability to have multiple PSKs and revoking/changing one of them but not
the others would be really convenient for small and even medium-sized wifi
deployments...

~~~
yjftsjthsd-h
I'm confused. I run my home wireless off a Debian box using hostapd, and
there's specifically an option where you can have multiple passwords on the
same SSID, either per-client (by MAC) or for anyone. Is that what you mean? Is
this a rare feature?

~~~
zamadatix
Hostapd is probably how Cisco, Aerohive, and Ruckus are doing it. It's not
that it's exceedingly rare it's just not everywhere as it's not part of
wireless standards.

~~~
EvangelicalPig
I thought there were patents in this area, preventing implementation without
licensing/getting sued?

~~~
zamadatix
I'm only aware of patents related to certain systems which implement more than
just the base idea of using more than one security key for a given SSID e.g.
the Ruckus patent on how Dynamic PSK automatically creates and assigns
multiple PSKs from a controller portal.

------
IshKebab
I'll be happy if it just has a proper "incorrect password" message rather than
"couldn't connect for some reason, could be any reason really but maybe your
password is wrong?" that we have to deal with now.

------
tyc85
Has anyone ever considered bringing up a private LTE network (over unlicensed or
shared spectrum), either at home, enterprise, or even MDU?

Density and security are less of a concern on LTE, and the peak throughput is
catching up.

The question I have has always been: are we seeing a world moving towards a
more controlled wireless network architecture or an evolved version of the Wi-Fi
type of ad-hoc architecture?

~~~
lucb1e
Are there LTE routers you can buy at reasonable prices? Would I then need a
custom SIM card in my phone that only works at home? Does my device even look
for mobile carriers on unlicensed spectrum? Basically, is this a real,
consumer-grade thing or something you can only do with sdr and osmocom?

~~~
tyc85
I think the short answer is no, currently there aren't reasonably priced LTE
routers that you can deploy by yourself. There are products available
though. That's why the question can be interesting to figure out to a
certain extent.

Whether devices look for carriers in unlicensed spectrum: the answer is yes,
Licensed Assisted Access is happening, though slowly, as with anything
related to carriers. See this link:
[https://support.t-mobile.com/thread/144981](https://support.t-mobile.com/thread/144981)

Finally, it's certainly not something you can only do with SDR, but then doing
it with SDR could be what makes it appealing, if the price can be
somewhat brought down. Good Wi-Fi routers nowadays cost a lot anyways, and
some even want you to pay a monthly fee, no?

------
caust1c
I look forward to using this in 20 years.

~~~
mcny
I see current generation wi-fi routers being discounted already. It could be a
coincidence but I am sure vendors would LOVE to sell you newer routers and
will implement it within years, not decades.

As for devices on the other end, apparently it is possible to skimp out and
have 1x1 instead of 2x2
[https://superuser.com/a/323778](https://superuser.com/a/323778) I don't even
know why 1x1 is an option at this point. Don't make me think! In any case,
mobile SoC manufacturers should incorporate this new technology much faster so
I would assume the new WiFi will be readily available in mobile hardware not
more than three years after the standard is final.

~~~
philjohn
Or, get a router that supports OpenWRT (which a lot do, Netgear are pretty
good about third party firmware) and you can have WPA3 now, for free.

------
lsh123
The security of WiFi is much less of a concern for my home network today than
it was during WEP time. Today everything I care to protect already runs over
SSL and all the sensitive resources (document file server, for example) are
protected with authentication. Thus the only actual attack vector for me is
WiFi or the internet connection, which I already share through public WiFi.

Same applies to WiFi in the coffee shops (do you remember the time when FB
didn't use HTTPS?) and other places. Thus the WPA3 upgrade brings much smaller
benefits compared to the WPA2 upgrade.

~~~
e12e
> Today everything I care to protect already runs over SSL

DNS? WINS? Bonjour?

> and all the sensitive resources (documents file server, for example) are
> protected with authentication.

But are the files streamed in plaintext? (samba, nfs3, nfs4 without
encryption)?

------
tgsovlerkhgsel
The previous encryption methods didn't rely on asymmetric encryption, and VPN
software nowadays often provides an option to use an additional symmetric-only
key to protect the handshake. (This makes it quantum-resistant against
attackers that don't have the symmetric key, while allowing the use of DH to get
forward secrecy against non-quantum attackers that later gain access to the
key).

Does WPA3 maintain this protection, or is it now open to quantum attacks?

Also, is there a mode to allow connecting to open networks with authentication
based on TLS certificates and domain names? For example, the SSID of the
network could be a domain name, and the network would present a certificate
for that domain (or some well-defined subdomain) to prove that it's indeed
that network. This way, if you know the domain of the entity you're connecting
to (e.g. a hotel), and see a WiFi with that name (and have a client that
doesn't allow unicode for this mode), you could connect securely.

------
badrabbit
Wifi is a layer 2 standard. Always felt like security should be handled by
upper layers. Layer 2 secures one data-link segment at a time, layer 3 secures a
network connection at a time. There is a missing .5 protocol (.5 == inter-layer,
e.g.: ARP, NDP, MPLS and DHCP) that could use layer 2 parameters to
establish layer 3 security.

Or maybe all that is needed is a feature-stuffed version of DHCP that would
configure a default gateway and a secure L3 tunnel to that default gateway as
well as on-demand tunnel establishment parameters for intra-VLAN endpoints.
This would secure wired and non-wifi wireless IP networks as well.

------
combatentropy
Society has hit a new low when the Institute of Electrical and Electronics
Engineers succumbs to clickbait headlines.

Compare:

    Everything You Need to Know About WPA3

and:

    WPA3

What is the difference, besides a creepy parental claim of knowing what I need
to know? It's empty filler and often a lie. It should be struck from every
title.

- "_Everything You Need to Know About_ the Electrodynamics of Moving
Bodies", by Albert Einstein

- "_Everything You Need to Know About_ My Early Life", by Winston Churchill

- "_Everything You Need to Know About_ Harry Potter and the Deathly
Hallows", by J. K. Rowling

~~~
Jonnax
It's pointing out that the article is a summary.

It's a common phrase in ending.

------
Avamander
The only thing I like about the new standard is mandatory protected management
frames, no longer can some s __ __y enterprise access point determine mine
should be killed with deauth.

------
nsgi
Seems like this has some good security features, but with the move towards
universal HTTPS, connecting to an unsecured WiFi network no longer carries the
same level of risk it once did (other than exposing LAN shared resources). As
good as perfect forward secrecy is, anything sensitive should already be being
encrypted by the client (router passwords notwithstanding until that problem
is solved).

I'd rather move towards a world where you don't need a password to access a
WiFi network and people share their internet access freely. This would improve
not only access to the internet, but also increase privacy because you
wouldn't be able to rely on an IP address indicating someone's identity.

------
mangix
Everything you wish or need to know?

~~~
reaperducer
Agreed.

Every time some headline tells me I "need" something, I keep going. Obvious
clickbait.

And insulting. You don't know what I "need."

------
jiveturkey
shit. all i need to know about it is that my airport is soon to be obsolete.

------
rauar
curious if existing hardware can be upgraded later. i guess technically it
might be feasible but vendors will try to make money and sell new hardware
anyway. hoping for open router firmwares...

~~~
yjftsjthsd-h
That would probably be radio firmwares; open router firmware isn't rare
(openwrt, dd-wrt, tomato, etc.). And yes, it would be nice to get open radio
firmware, though I'm not sure how that would play with FCC certification? I
suppose if enough stuff is regulated in hardware it could work.

~~~
djrogers
You don’t need new radio firmware - this isn’t that low in the stack.

------
AnaniasAnanas
No ChaCha20 support... Only 128-bit encryption in personal mode...

~~~
bjoli
The 128 bit encryption is probably going to be the last thing to break if
there is an active attack against your network.

------
homero
This will take a decade to even begin deploying. There are billions of chipsets
right now that will never support it. Does WPA3 support leaving WPA2 on?
Otherwise I can't turn it on for a decade.
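As an added illustration (not from the article or any commenter) of dikkechill's point that hostapd already carries the WPA3 pieces and of the question above about keeping WPA2 clients working: a hostapd.conf fragment that offers WPA2-PSK and WPA3-SAE on the same SSID. Interface name, SSID and passphrases are placeholders.

```ini
# Added example: hostapd.conf for a WPA2/WPA3 "transition mode" SSID.
# Interface, SSID and passphrases below are placeholders, not real values.
interface=wlan0
driver=nl80211
ssid=HomeNet-example
hw_mode=g
channel=6

# RSN (WPA2-style) framing; offer both WPA2-PSK and WPA3-SAE key management
# so old printers and consoles keep joining while newer clients pick SAE.
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# WPA2 clients authenticate with the passphrase below ...
wpa_passphrase=replace-with-a-long-random-passphrase
# ... while WPA3-capable clients use the same secret through SAE, whose
# handshake does not hand a passive listener material for offline guessing.
sae_password=replace-with-a-long-random-passphrase

# Protected Management Frames: "optional" (1) keeps legacy WPA2 clients
# connectable, but every SAE association must use PMF. Raise ieee80211w to 2
# once no WPA2-only client remains, which makes PMF mandatory for all.
ieee80211w=1
sae_require_mfp=1

# Optional: per-device WPA2 passphrases keyed by client MAC, the "multiple
# PSKs on one SSID" feature discussed elsewhere in this thread. The file
# holds one "<mac> <passphrase>" pair per line.
# wpa_psk_file=/etc/hostapd/hostapd.wpa_psk
```

Clients that cannot do SAE will associate with WPA2-PSK on this SSID exactly as before, so the mixed configuration is what lets an AP turn WPA3 on without cutting off the legacy devices the thread complains about.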

~~~
TulliusCicero
> My old stuff doesn't support this new standard, and it will take a long time
> to proliferate!

I mean, yeah? How's that different from every other time there's a new
standard?

~~~
danmg
We're about a decade further into the adoption of Wifi from when WPA2 was
released. It's a completely different ballpark now that wifi is considered
part of the basic infrastructure everywhere and baked into exponentially more
devices.

It took several years for people to pitch their old Dell laptops and Nintendo
consoles that couldn't support the then-new standards. People aren't going to
replace their thermostats, baby monitors, security systems, home entertainment
systems, and juicers overnight.

