Things I know about WPA3:
- None of my routers support it, and I'm not gonna buy all new routers.
- My printer doesn't support it. Heck, it doesn't support WPA2.
- None of my IOT doohickies support it. Not gonna buy all new devices.
In this instance, I feel I'm more aligned with Joe Lunchbucket than Zap McTechburg. I still use my PSP. It's 14-years-old and not going to work with WPA3. My wireless printer is 15-years-old, and doesn't even do 5GHz.
By the time the average person upgrades all their gear to WPA3 stuff, it'll be cracked and we'll be on WPA5.
If you're using something like OpenWRT, you most likely don't need to buy new hardware.
The WPA3 functionality is already added to hostapd and wpa_supplicant [1]. Look for the terms SAE (Simultaneous Authentication of Equals), DPP (Device Provisioning Protocol) and OWE (Opportunistic Wireless Encryption).
The current experimental wpa_supplicant Debian package has this enabled [2]. I think the main challenge is upgrading clients, especially when vendors no longer provide updates.
Did you say the same thing when WPA2 came out? And WPA? Or, are you still on WEP?
Nobody is claiming you'll be on WPA3 tomorrow, just that it's here, and that you'll eventually migrate to it unless you never buy anything new again...
When wpa2 came out, most cellphones didn't even support wifi, and smartphones were still years off. I had exactly one device at the time that needed wifi and I'm a "nerd".
In 2018, off the top of my head I can get to 30 devices connected on WiFi at my house. VERY much a different discussion than 2004.
Cellphones have a typical 2-4 year life, so these will disappear pretty quickly. I expect many of those 30 items to have a relatively short lifespan - maybe 5-10 years at best.
We're adding more and more connected devices:
Phones, tablets, desktops, laptops all typically have a short life.
Smart home devices with WiFi, well, those claim an incredible life - but I really pity anyone putting today's consumer "IoT" devices in. Those things are often out of support before you even buy them. I doubt they are lasting 10 years, and even when I do, I doubt they'll still be safe to leave in place.
TVs and TV set top boxes - this one really bugs me. I want a good quality dumb panel, because the smarts are out of date well within two years, and the TV itself should be good for way longer. TV Boxes, they go out of date too - but they're cheap, so get replaced way more often.
Long story short - I think the devices we're buying today are not designed to stand the test of time. They will IMO die out or be removed from your home much faster than we all hope.
Edit addition: also, forgot to mention - I had lots of stuff that was WEP only. Much of it well after WPA2 came out. They're all long gone, I expect the same will happen to the vast majority of people.
> relatively short lifespan - maybe 5-10 years at best
If you had to keep the door to your house unlocked for 5-10 years would you still consider it relatively short? How about if you couldn't patch your OS for the same length of time?
Being stuck with such vulnerabilities for years is only short if nothing that tech touches is of much value to you.
Same song and dance as USB 1.1, USB 3, USB C, Lightning Cables (relative to iPod dock connectors), and all of our evolving standards. It sucks for a year or two and we move on.
For the purposes of WPA transitions, I'm willing to bet slick dual band routers will support WPA2/3 split between each channel.
Very true. I don't think we have a better option though. Like a lot of standards updates you have to cycle from old to new. Cutting support for old SSL cyphers/versions/certificate key requirements without a notice and replacement implementation period would be painful and disastrous.
I turn off whatever insecure protocols exist on my router and will do the same once everything I care about can do WPA3. Getting the population at large to do the same is difficult. I'll evangelize the benefits of switching, but the best way to lose support is to break use cases by pushing people onto something that prevents their positive device experiences.
> If you're using something like OpenWRT, you most likely don't need to buy new hardware.
Awesome! Point me in the direction of the firmware upgrade portal for my 15-year-old wifi printers, computers, and game machines from companies that no longer exist.
I agree, you have a good point with respect to a large amount of older hardware and I do not have a solution for that problem. What I can say is that I try to buy hardware which has support for open source software and has a community around it. So far this helped me to extend the life of these devices, as it does not depend on the vendor alone.
I'm not really sure how to interpret your 'Awesome!'. If it was meant snarky and if you're willing to, please have a look at the HN guidelines for comments [1]. We can then improve the quality of the discussion.
You're right. I'm sorry about that. Sometimes I forget which web site I'm posting on.
Actually, thinking a bit longer about the problem, the issue in my mind is that vendors/producers do not have an incentive to update software if you only pay for the hardware once. For them it's just a cost. It's more interesting to sell more hardware. My strategy as consumer is to go to open source for such devices. But perhaps there are better strategies.
I'm aware of Cisco having a model to pay for software updates, but this is mainly for business clients. Does anyone know other vendors that have business models, that create incentives for updating devices? Perhaps even for consumers?
I remember that in the past MacOS updates had to be purchased, but this no longer seems to be the case.
Is there actually a consumer market for such business models, where hardware and (paid) software are tied together for a longer life cycle?
Is that snark or is it just somewhat obvious sarcasm? Occasional usage of sarcasm, hyperbole, facetiousness, does not diminish the quality of a discussion.
Fine, then don’t upgrade. I don’t know why you’re making a big deal out of something you’re not going to do anyway. As long as you are aware of the risks of using old and less-secure hardware and protocols, and you’re fine with that, you shouldn’t care what new thingy comes out. Just be careful you don’t turn into “I don’t even OWN a TV!” guy.
You can't stop caring about security just because you can't upgrade everything. You could instead just keep a secure and insecure network if you're concerned about backwards compatibility and still want security.
>Awesome! Point me in the direction of the firmware upgrade portal for my 15-year-old wifi printers, computers, and game machines from companies that no longer exist.
Well, some people with OS/2, Atari STs, and VAX mainframes are not gonna get extended WiFi security either.
Those that have newer stuff and can afford to switch to new printers and everything after 10 or 15 years, can use it tho, and those would still be tons of users (and more going forward). We moved from old wifi standards anyway (or you don't use WPA2 either?).
For most people it's just their laptops and phones (which they change every few years), printer (which is easily replaceable since the ink replacements they have to do regularly cost more than the main unit (or close) anyway), and maybe some TV or media player unit.
The idea of keeping an increasingly insecure radio open for legacy hardware makes me itch. I'd sooner cat5 or usb these devices into the network than risk the rest of it.
If it doesn't make you worry, there's nothing to do here. WPA3 gives you nothing.
I guess if WPA2 gets blown apart (to the degree WEP was) there might be a market for super-low-power APs that you put on or right next to the device. Not sure that'd be enough without additional shielding.
Most WPA2 devices do support 802.1x which —depending on the crack— may help extend the lifetime.
Most modem/routers these days seem to support a 'guest' network. I'm sure you could set it up so the guest network runs WEP or whatever and your main network runs WPA3, and that way at least it's more secure for some of your devices.
So, we aren't going to be hindered by chipset (not firmware, but hardware) dependencies?
Then, for certain networked things, such as printers, maybe we can hang a Pi-like device off of one of their physical interfaces and have a WPA3 connection, if we so desire and are willing to go through the contortions?
I have a modern router for WPA3 and an older router that does WPA1 but is firewalled from the rest of the network and only allows access to a small range of IPs.
If you're on a network that has both WPA2 and WPA3 enabled, are you really even benefiting from all of the WPA3 security improvements? Any attacker can just fall back to your WPA2 SSID and crack your network that way. And once they have access to your network, unless you're doing some advanced network segmentation, does it matter which version of WPA you're using?
Many wireless networks have multiple segments to them, for example a company has a "guest" network and a company network. Make the WPA2 network like a guest network, i.e. it's basically like being outside the company at a coffee shop.
I think you overestimate what is "common". It might be "common" for the network admins or highly technical people browsing this website. It is not common whatsoever for the vast majority of the public that uses WPA for home networking or small businesses. Security is significantly decreased for everyone if it's only practical for those that are highly technical.
It would be great if it actually was common, and such features came pre-configured out of the box for users. Unfortunately, most of the routers I'm aware of that are given to users from ISPs don't even support guest modes.
Uh, sure, if you're only talking about home users then of course current and future products are a disaster. That's more a function of the markets than the standard.
You're right, and that's a problem even for companies. Security is a game of weakest links. Your company can spend billions of dollars accomplishing 99.99% vulnerability coverage on their networks, but it will be meaningless if your employees go home and connect their work laptops to a compromised home network.
I don't think there's an easy fix for this and I'm not criticizing WPA3 or anything. Ideally we could just update/throw out old, incompatible devices, but realistically I know that's not going to happen. I'm just pointing out that the suggestion to "keep WPA2 enabled for your old, WPA3-incompatible devices" kinda misses the point about WPA3 in the first place.
I don't see how "keep WPA2 enabled for your old, WPA3-incompatible devices" is any more of a problem than "keeping WPA2 enabled" was a problem yesterday.
If you're vulnerable to compromised coffee shop or home networks already, you're likely to also be vulnerable tomorrow. The only change is a slight increment in the standard. And the worst companies are not going to be saved by any change in the standard.
I guess I don't really see the point of this entire subthread.
>I don't see how "keep WPA2 enabled for your old, WPA3-incompatible devices" is any more of a problem than "keeping WPA2 enabled" was a problem yesterday.
There's a false implication here that "keeping WPA2 enabled yesterday" isn't a problem. But it is. There are flaws in WPA2, and fixing those flaws is the entire point of developing WPA3. Security is supposed to get better as time goes on (hackers are certainly getting better whether your security is or not). But security isn't getting better if you just keep using the old standards.
Would you feel comfortable enabling WEP on all your company's routers with the justification "well we're not any more vulnerable today with WEP than we were in 1998 with WEP"?
>I guess I don't really see the point of this entire subthread.
Obviously not all, but at least it would benefit from the forward secrecy of the new handshake, even if the user does nothing else.
For ordinary users, setting a strong passphrase is all they need to do to have network with improved security, even in the mixed mode.
In addition, you can isolate the WPA2 SSID away (for all those printers, Internet of Trash, some old smartphones that are never going to receive security updates, etc) from the rest of the network, and use strong, and independent passphrases for each network, the compromise of WPA2 would not affect WPA3 to a large extent.
Sometimes you have to spend money on security. You can decide whether you use daily your 50-year-old oldtimer BMW or you buy the latest Volvo (or whatever) with the best security package available. At least you have the option to choose.
Also: the "latest Volvo" may have lots of UX regressions compared to your "old Volvo". Like, all that cloud SaaS bullshit and bloated vendor apps home printers now ship with. So, beyond having to upgrade everything else around you, you may be simply facing the problem of degrading your experience to keep yourself secure.
This! For printers in particular, I'm struggling to find entry-level things with only physical buttons. Why the heck are (cheap) touchscreens everywhere?
This is a good point but how certain are you that WPA3 can’t be shipped as a software upgrade? At least Eero appears to be claiming that will happen and I’d be surprised if they were the only ones because the vendors also know that upgrade curves are glacial if it requires new hardware.
I do think we’re going to see more mixed networking with modern access points supporting multiple networks so you can have your primary devices stay secure while the botnets controlling your IoT fridge and TV duke it out on a different SSID.
> how certain are you that WPA3 can't be shipped as a software upgrade?
I'm pretty sure that the wifi devices I own that were EOL'ed a decade ago aren't going to get a software upgrade. Nor are the ones from companies that are no longer in business.
Is everything you own EOLed? If your router is that old you’re probably open to security issues and definitely leaving performance on the floor.
For most people, I’m expecting primary devices (phones, laptops) to get updates along with newer routers (at least the higher end ones).
The big question is how common the practice of segregating old devices will be since it’s still easy to find things which don’t even do 5GHz and that includes a majority of TVs, Android devices, etc.
Of all my printers in the past 20 years none has lived for more than three years. I had the cheap ones as well as the more expensive ones with 3 years warranty.
My HP laserjet 1010 still works like a charm with cups (windows drivers that work are hard to find). I have had zero issues with it since the first purchase in 2003 (?), despite printing hundreds of pages per month.
>None of my routers support it, and I'm not gonna buy all new routers.
I think we are moving into the future where ISP provides the router to you, or basically a Unit that combines Modem / ONT / Wireless Router into one. So you will (hopefully) get upgraded every 5 - 8 years.
They’ve been doing that forever and it’s a $15/mo charge for a device that costs maybe $100. You think educated consumers want to pay $15/mo for 60 months = $900? Fewer and fewer fall for that trick.
At least I expect the way forward will be ISP giving them for free. The price difference for an ONT / Modem or ONT/Modem + Wireless Router are minimal.
None of this applies to most people though... and the thing you need to know is that the vast majority of humanity is better served with updated standards than people with “IoT” devices and know what routers are.
I don't get the downvotes; that is essentially what the parent post said. Counterpoint would be that "WPA2 is fine" - but still, for HN I don't understand how a reactionist non-technical comment is at the top of an article about new crypto specs.
The reason Open WiFi never had encryption is essentially because people argued that if a connection cannot be perfectly secure then it shouldn't try to be secure at all. Or the exact opposite of defense in depth.
Enhanced Open does what we should have been doing since WPA1, Opportunistic Wireless Encryption. It is imperfect, but a substantial improvement over current Open WiFI.
This so much. Same with https errors (so people keep using http) and client side hashing in password forms ("but an active attacker could replace the Javascript and make you submit the unhashed version of your password" so we should just let passive listeners listen?)
That's a branding issue: we've been selling "https://" as secure, so we can't go back now and reeducate users. We should have decoupled the idea of security from the protocol used (https can be insecure) and used a separate channel entirely to communicate security, e.g. what browsers are doing now with padlocks or colour schemes. But it's too late to change the SSL UX.
Seems what Chrome is doing is a good idea. "Secure" is being phased out, then there will only be "insecure" for http, which it most certainly will be since there's no encryption.
The problem with client-side hashing in password forms is that the hash is now the password; as such, it provides no defense at all against even a passive attacker impersonating you. The only attack it provides any defense against is password reuse.
This is digest encryption. While it's a great alternative to sending passwords in cleartext, it does have some major disadvantages.
> It prevents the use of a strong password hash (such as bcrypt) when storing passwords (since either the password, or the digested username, realm and password must be recoverable) [1]
Much better to have bcrypt'ed passwords stored on the server and your private SSL keys. If you're compromised, revoke the SSL keys, and force users to change their passwords. With strong bcrypt'ed passwords, you can be reasonably sure passwords can't be recovered, but best to enforce resets anyways. With digested passwords, those will be recovered and end up in Troy Hunt's Pwned Passwords database.
I can't help but wonder if we couldn't have used the CA system as a way to provide security for open wifi hotspots.
I know the CA system isn't perfect, but with the certificate transparency efforts it's pretty good. It would give me a trust point for the network I'm connecting to.
That won't work, setting aside how to get the coffee shops to do CA management, how can a client know that momnpopshop.localcoffee.com is a valid cert for that access point, but momnpopshop.mallory.com isn't?
Opportunistic encryption without authentication is a major step up, and probably good enough for this scenario.
You could at least have Trust On First Use and rely on clients to save the domain name<->SSID association. It stops someone from implementing a MITM on the network later on and is a significant improvement in security.
Having said that, there's no need for a CA as such to make that work.
Couldn't home routers come with a certificate from the manufacturer?
I guess manufacturers could even issue certificates for globally unique SSIDs by allowing customers to register a sub-domain with them.
my-net.my-router.com
Yeah, dealing with CAs is probably overkill for local coffee shops and home networks.
Cisco Wireless Lan Controller came with a certificate so the access points knew they were connecting to a real Cisco device. It had an expiry date of 10 years. Which occurred for us a few months ago, and then after a power failure nothing would connect, fun times. Turned out you had to upgrade to the latest firmware, then disable the security check.
It's more than imperfect it's practically useless in its current state. It provides exactly 0 proof of identity or trust. It's basically "oh, you're advertising an SSID with <name>? I'll connect to you and we can make up a trust after that".
It means that someone else in the area can't listen to your traffic and decrypt it, among other things. That might not be perfect, but it's far better than nothing.
It does that like putting a wad of money behind a window protects your cash. If I'm going to walk into Starbucks to sniff the guest wireless all WPA3 changes is I have to make my laptop advertise itself as "Google Starbucks" and you send me all of your traffic with an encryption key we both know.
People act like there is 0 harm in prematurely releasing a security feature in a network standard, not remembering the various network hardware that will be made based on this don't follow a software development lifecycle where you just publish sprint 2 a few weeks from now with improvements and the world moves on. Even when things get updated, wireless clients that are easily updatable (e.g. iOS/Windows devices) are only just recently using TLS 1.2 in their PEAP sessions. We shouldn't be playing fast and loose with security implementation in a future standard just because it sounds nice at first glance and assume sounds nice is better than nothing. What if we decide the next iteration of this design is to rely on PKI to create a chain of trust and now we've created 5 years of shit not working because wireless implementations are so shoddy? Similar things have happened with other wireless standard revisions already... hell 802.11ac spent a lot of time and planning on MIMO (which is well established in other radio specifications already) and we still got an entire generation of wireless hardware that worked better without it enabled due to lack of real world vetting.
The best hope in this case is everyone realizes this doesn't provide any meaningful security in the current revision even though it's already available and being pranced around as a great security benefit.
But—correct me if I'm wrong—it does help in the case where you have a home wifi network, that your devices all connect to, and remember the network. It will encrypt all the traffic of your devices. An attacker can't create a different network with the same SSID and trick existing devices to connect to it, right?
If I'm right, then this is quite valuable. It means that most home users can have an encrypted LAN without having to remember the password and tell all their guests what it is whenever they have a visitor.
That wouldn't help - Its trivial to configure an access point to advertise a user-selected MAC address, and the MAC address of an AP is broadcast in the clear even on WPA2 encrypted networks.
I think it also protects against people injecting content into the stream such as with the (possibly apocryphal, but IMO hilarious) goatse attack at Defcon 12[0]. Yes, people can still impersonate the AP, but that attack takes a little more effort and hardware.
David, don't troll. I get the joke, but most HN readers (justifiably) are not up-to-date with IETF CFRG drama.
For everyone else's benefit:
* The "new" PAKE in WPA3 is Dragonfly.
* Dragonfly was designed by Dan Harkins, not Kevin Igoe.
* Dan Harkins does not work for NSA.
* Dragonfly isn't backdoored; it just sucks.
* The "NSA" drama around Dragonfly is that Igoe co-chaired CFRG, the IETF crypto review board, when Dragonfly was introduced, and encouraged its advancement.
Vendors aren't corrupt. Standards bodies are, intrinsically. Harkins lobbied hard to get Dragonfly added to IETF protocols and didn't get anywhere, because Trevor Perrin freaked out about it (good for him!). IEEE standards bodies don't have a Trevor Perrin right now, so all sorts of wacky shit will be standardized. But don't let IETF people be smug about that: the IETF's process admits a whole different class of wacky shit, and has its own terrible track record.
I think in the end either I disagree radically or I can't parse this the way you intended. Can you maybe clarify? One thing in particular, "standards bodies" is a very broad term, which encompasses everything from industry consortia like W3C through government agencies like NIST and whatever the IETF is. Are these all "intrinsically corrupt"? How so?
And the IEEE actually have done better in some cases, including when they decided to adopt AEAD for WPA2/802.11i which led to WPA2-CCMP still being used today. This Dragonfly SAE algorithm came from 802.11s from 2011, BTW.
Can we see the details of this protocol? Not without paying. Good job they have a track record of not being the people who gave us WEP, we should totally trust that this time their open processes allowed for a secure system to be developed.
I looked desperately in the press release for some version of Aerohive's Private PSK (PPSK) where you can have multiple PSKs for the same SSID (Ruckus and Cisco have their own versions too) but couldn't find anything.
The ability to have multiple PSKs and revoking/changing one of them but not the others would be really convenient for small and even medium-sized wifi deployments...
I'm confused. I run my home wireless off a Debian box using hostapd, and there's specifically an option where you can have multiple passwords on the same SSID, either per-client (by MAC) or for anyone. Is that what you mean? Is this a rare feature?
Hostapd is probably how Cisco, Aerohive, and Ruckus are doing it. It's not that it's exceedingly rare it's just not everywhere as it's not part of wireless standards.
I'm only aware of patents related to certain systems which implement more than just the base idea of using more than one security key for a given SSID e.g. the Ruckus patent on how Dynamic PSK automatically creates and assigns multiple PSKs from a controller portal.
Our second home WiFi setup has that - it’s by Plume. I can set up a time-based PSK for our SSID, and the APs can even firewall off specific devices or the whole home network (leaving each device in an Internet-only island) for certain PSKs.
I wish they would provide a way to assign PSKs to VLANs. The SuperPods and self-optimization are appealing but their system just doesn't fit into how I want to manage my network.
It has use in large environments as well, there are plenty of old/shit vendor devices in many businesses that aren't getting replaced any time soon just so they support 802.1x in a working manner.
I'll be happy if it just has a proper "incorrect password" message rather than "couldn't connect for some reason, could be any reason really but maybe your password is wrong?" that we have to deal with now.
Has anyone ever considered bringing up a private LTE network (over unlicensed or shared spectrum), either at home, enterprise, or even MDU?
Density and security are less of a concern on LTE, and the peak throughput is catching up.
The question I have has always been: are we seeing a world moving towards a more controlled wireless network architecture or an evolved version of Wi-Fi type of ad-hoc architecture.
Are there LTE routers you can buy at reasonable prices? Would I then need a custom SIM card in my phone that only works at home? Does my device even look for mobile carriers on unlicensed spectrum? Basically, is this a real, consumer-grade thing or something you can only do with sdr and osmocom?
I think the short answer is no, currently there aren't reasonably priced LTE routers that you can deploy by yourself. There are products available though. That's why the question can be interesting to be figured out to a certain extent.
Whether devices look for carriers in unlicensed spectrum: the answer is yes, Licensed Assisted Access is happening, though slowly, as with anything related to carriers. See this link: https://support.t-mobile.com/thread/144981
Finally, it's certainly not something you can only do with SDR, but then doing it with SDR could be what makes it appealing though, if the price can be somewhat brought down. Good Wi-Fi routers nowadays cost a lot anyways, and some even want you to pay a monthly fee, no?
I see current generation wi-fi routers being discounted already. It could be a co-incidence but I am sure vendors would LOVE to sell you newer routers and will implement it within years, not decades.
As for devices on the other end, apparently it is possible to skimp out and have 1x1 instead of 2x2 https://superuser.com/a/323778 I don't even know why 1x1 is an option at this point. Don't make me think! In any case, mobile SoC manufacturers should incorporate this new technology much faster so I would assume the new WiFi will be readily available in mobile hardware not more than three years after the standard is final.
1x1 is still an option for the same reason your laptop will be 2x2 even though 802.11ax supports up to 8x8 - it's cheaper to put fewer radios in and someone always wants to buy the cheapest PoS.
Technically less power as well but I doubt anyone who cares that much about power is using 802.11.
The security of WiFi is much less of a concern for my home network today than it was during WEP time. Today everything I care to protect already runs over SSL and all the sensitive resources (documents file server, for example) are protected with authentication. Thus the only actual attack vector for me is WiFi or internet connection which I already share through public WiFi.
Same applies to WiFi in the coffee shops (do you remember the time when FB didn’t use HTTPS?) and other places. Thus the WPA3 upgrade brings much smaller benefits compared to WPA2 upgrade.
The previous encryption methods didn't rely on asymmetric encryption, and VPN software nowadays often provides an option to use an additional symmetric-only key to protect the handshake. (This makes it quantum-resistant against attackers that don't have the symmetric key, while allowing the use of DH to get forward secrecy against non-quantum attackers that later gain access to the key).
Does WPA3 maintain this protection, or is it now open to quantum attacks?
Also, is there a mode to allow connecting to open networks with authentication based on TLS certificates and domain names? For example, the SSID of the network could be a domain name, and the network would present a certificate for that domain (or some well-defined subdomain) to prove that it's indeed that network. This way, if you know the domain of the entity you're connecting to (e.g. a hotel), and see a WiFi with that name (and have a client that doesn't allow unicode for this mode), you could connect securely.
Wifi is a layer2 standard. Always felt like security should be handled by upper layers. Layer2 secures one data-link segment at a time, layer3 secures a network connection at a time. There is a missing .5 protocol (.5 == inter-layer, e.g.: arp, ndp, mpls and dhcp) that could use layer2 parameters to establish layer3 security.
Or maybe all that is needed is a feature-stuffed version of dhcp that would configure a default gateway and a secure l3 tunnel to that default gateway as well as on-demand tunnel establishment parameters for intra-vlan endpoints. This would secure wired and non-wifi wireless IP networks as well.
Society has hit a new low when the Institute of Electrical and Electronics Engineers succumbs to clickbait headlines.
Compare:
Everything You Need to Know About WPA3
and:
WPA3
What is the difference, besides a creepy parental claim of knowing what I need to know? It's empty filler and often a lie. It should be struck from every title.
- "Everything You Need to Know About the Electrodynamics of Moving Bodies", by Albert Einstein
- "Everything You Need to Know About My Early Life", by Winston Churchill
- "Everything You Need to Know About Harry Potter and the Deathly Hallows", by J. K. Rowling
The only thing I like about the new standard is mandatory protected management frames, no longer can some sy enterprise access point determine mine should be killed with deauth.
Seems like this has some good security features, but with the move towards universal Https connecting to an unsecured WiFi network no longer carries the same level of risk it once did (other than exposing LAN shared resources). As good as perfect forward secrecy is, anything sensitive should already be being encrypted by the client (router passwords notwithstanding until that problem is solved).
I'd rather move towards a world where you don't need a password to access a WiFi network and people share their internet access freely. This would improve not only access to the internet, but also increase privacy because you wouldn't be able to rely on an IP address indicating someone's identity.
curious if existing hardware can be upgraded later. i guess technically it might be feasible but vendors will try to make money and sell new hardware anyway. hoping for open router firmwares...
That would probably be radio firmwares; open router firmware isn't rare (openwrt, dd-wrt, tomato, etc.). And yes, it would be nice to get open radio firmware, though I'm not sure how that would play with FCC certification? I suppose if enough stuff is regulated in hardware it could work.
It requires stronger encryption but assuming your hardware is up to the task it'll work. If you're using OpenWRT recent builds with an up to date hostapd support it.
This will take a decade to even begin deploying. There's billions of chipsets right now that will never support it. Does wpa3 support leaving wpa2 on? Otherwise I can't turn it on for a decade.
Yes, there are additional modes "WPA3 Personal Transitional" and "WPA3 Enterprise Transitional" which allow WPA2 on the same SSID and relax some of the WPA3 requirements like PMF.
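The transition-mode SSID described above, plus the separate WPA2-only SSID with per-device passphrases that the earlier hostapd and multi-PSK comments talk about, written out as an added hostapd.conf example; it is not any commenter's configuration, and the interface names, SSIDs, passphrases and PSK file path are placeholders (the driver must support multiple BSSes for the `bss=` section).

```ini
# hostapd.conf (added example): WPA3-Personal transition mode on the primary BSS,
# and an isolated WPA2-only BSS for devices that will never get an update.
# Interface names, SSIDs, passphrases and the PSK file path are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1

# --- Primary SSID: WPA3-Personal transition mode ---
ssid=HomeNet
wpa=2
# SAE (WPA3) and WPA-PSK (WPA2) are offered on the same SSID: clients that speak
# SAE get the new handshake, older clients still join with the shared PSK.
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=ChangeMe-Primary-Passphrase
# PMF is optional for the SSID as a whole (transition mode relaxes it), but any
# station that negotiates SAE is required to use it.
ieee80211w=1
sae_require_mfp=1

# --- Secondary SSID: WPA2 only, for legacy printers / IoT that cannot do WPA3 ---
bss=wlan0_legacy
ssid=HomeNet-Legacy
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# No single shared passphrase here: each device gets its own line in the PSK
# file, so one leaked credential can be rotated without touching the others.
# Format of /etc/hostapd/legacy.psk (constructed sample, one entry per line):
#   00:00:00:00:00:00 printer-passphrase-placeholder      <- all-zero MAC: any client may use it
#   aa:bb:cc:dd:ee:ff thermostat-passphrase-placeholder   <- only this client MAC
wpa_psk_file=/etc/hostapd/legacy.psk
# Keep legacy clients from reaching each other over the air.
ap_isolate=1
```

hostapd only separates the two networks at the radio; keeping the legacy BSS off the main LAN still needs its own bridge or VLAN and firewall rules on the host.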
We're about a decade further in the adoption of Wifi from when WPA2 was released. It's a completely different ballpark now that wifi is considered part of the basic infrastructure everywhere and baked in to exponentially more devices.
It took several years for people to pitch their old dell laptops and nintendo consoles that couldn't support the then-new standards. People aren't going to replace their thermostats, baby-monitors, security systems, home entertainment systems, and juicers over night.