There has been a lot of confusion for a long time on the relative effectiveness of wireless security, even among the otherwise tech-savvy crowd. Last week, the other developers at work got on a conversation relating to wireless, and the typical dismissal of WPA and WPA2 was thrown into the mix as well. Simply put, this is wrong.
This attitude likely stems from the genuinely broken Wireless Equivalent Privacy (WEP) standard. WEP uses the RC4 cipher, which over time has had an increasing number of weaknesses found, but that's not really the primary problem with WEP. RC4 is a stream cipher, so it requires an initialization vector in order to produce proper pseudo-random results. WEP's initialization vector is too short, and not sufficiently random, and this is the source of the most successful attacks. WEP can be cracked in a matter of a couple minutes on an active wireless connection.
Wi-Fi Protected Access (WPA) is a protocol created to address the critical weakness in WEP. WPA required the use of the TKIP protocol for encryption, while WPA2 refers to WPA with the use of CCMP with AES for encryption. There have been proof-of-concept attacks against certain configurations with WPA with TKIP due to somewhat similar issues as WEP, but to a much lesser extent. The short conclusion is that with insufficiently short key renewal times, a connection with TKIP could potentially be broken in about 12 minutes. Set a key renewal time of less than 12 minutes, and there is no issue.
Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and remains, with a sufficient password, is perfectly safe.
There is also some confusion as to the nature of personal versus enterprise, as if having the distinction means one of them is insufficient. Enterprise is there for the use of an authentication server (RADIUS) such that user account-specific certificates are distributed. It's irrelevant to the home or small business user, and it's not a concern for safety.
Perhaps it's a bit naive, but I do believe we can, with dedication and sacrifice, keep our mouths shut unless we know what we're talking about. Someday, someday...
This attitude likely stems from the genuinely broken Wireless Equivalent Privacy (WEP) standard. WEP uses the RC4 cipher, which over time has had an increasing number of weaknesses found, but that's not really the primary problem with WEP. RC4 is a stream cipher, so it requires an initialization vector in order to produce proper pseudo-random results. WEP's initialization vector is too short, and not sufficiently random, and this is the source of the most successful attacks. WEP can be cracked in a matter of a couple minutes on an active wireless connection.
Wi-Fi Protected Access (WPA) is a protocol created to address the critical weakness in WEP. WPA required the use of the TKIP protocol for encryption, while WPA2 refers to WPA with the use of CCMP with AES for encryption. There have been proof-of-concept attacks against certain configurations with WPA with TKIP due to somewhat similar issues as WEP, but to a much lesser extent. The short conclusion is that with insufficiently short key renewal times, a connection with TKIP could potentially be broken in about 12 minutes. Set a key renewal time of less than 12 minutes, and there is no issue.
Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and remains, with a sufficient password, is perfectly safe.
There is also some confusion as to the nature of personal versus enterprise, as if having the distinction means one of them is insufficient. Enterprise is there for the use of an authentication server (RADIUS) such that user account-specific certificates are distributed. It's irrelevant to the home or small business user, and it's not a concern for safety.
Perhaps it's a bit naive, but I do believe we can, with dedication and sacrifice, keep our mouths shut unless we know what we're talking about. Someday, someday...
Recently Spotted:
robio (1m)
That's good to know. I've been using WPA2 for years now.
WPA2 = Good
WEP/WPA = Bad
I'll have to take the non-joke route and point out that WPA is effectively just fine. The tools are not so easily available, even in the cases where your configuration is vulnerable. Also, not all routers make the distinction between WPA and WPA2. And lastly, some routers allow WPA2 with TKIP/AES, meaning if the client doesn't support AES, the router will allow TKIP, meaning the theoretical threat persists.
So in short, your options in order from best to worst
WPA with AES only
WPA with AES/TKIP
WPA with TKIP with < 12 minute key renewal
WPA with TKIP
WEP
Open network
I've had no problems since you told me to turn off my wifi security (since I'm in the middle of no-where).
Web related security note, if you want your google searches to be encrypted you can add an "s" to the http in http://www.google.com and your searches will be between your hardrive, google and you and no-one inbetween. More for when you are using an open wi-fi, or if you just want to be paranoid.