

Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption - daten
http://nakedsecurity.sophos.com/2010/11/09/dear-starbucks-the-skinny-on-how-you-can-be-a-security-hero/

======
daten
Yes, it is still possible to decrypt WPA if you know the password and capture
the beginning of the users' session. You can also spoof a de-auth to cause a
user to reconnect if you weren't present for the start of their session.

This doesn't address problems with arp-spoofing, fraudulent DHCP servers or
fraudulent access points, but it does raise the bar in the complexity of the
attack.

HTTPS with a valid signed certificate would still be necessary to deal with
the other attacks. Or maybe a VPN connection to a network you trust.

