A critical problem I see that needs solving is the Starbucks style open wifi login pages that fail to redirect when trying to visit HTTPS sites.
A new secure authentication system is needed for these set ups.
I’m blanking on the name of them but clearly they are widely deployed and likely causing lots of regular people to have trouble connecting to pages because they tried to connect to Facebook instead of an HTTP site.
I would keep a wary eye open until actual specifications are announced and publicly available.
If history is any guide, some parts of it might become security mis-features, like Wi-Fi Protected Setup (WPS) which became a security issue because it allows WPS PIN recovery.
Also note that the IEEE controls the actual wireless specification as IEEE 802.11 and also specifies the actual encryption standards used during wireless transmission and reception (this used to be called IEEE 802.11i-2004 ).
My educated guess is that WPA3 won't change the block cyphers used to encrypt data (AES-CCMP) and the initial handshaking protocol as that is part of the IEEE Spec and cannot be changed by the Wi-Fi Alliance. Instead, it may specify additional requirements that clients have to fulfill before connecting (like public key certificates and proof of identities).
Where can I actually read the spec? I'm not even much of a cryptographer, but I'm curious --- and the closed attitude is a contributing factor to things like this:
Is WPA3 going to require new hardware (wifi client cards/chips, wifi routers) or will it be possible to add WPA3 support via a software update in common operating systems?
> Another feature will strengthen user privacy in open networks through individualized data encryption.
WPA1 can arguably be forgiven a lot of shortcomings given its circumstances, but I never understood why this wasn't in WPA2. I understand that the station can't authenticate the AP in this case, but it still seems like it's strictly better for the traffic to be encrypted. What am I missing?
One feature I wish to see is some form of AP authentication, maybe with TOFU and some PK pinning. That is currently, name an AP the same as another and a machine that had the AP name saved will try to connect to it. If you name an AP "Apple Store" or "Starbucks" you can watch devices connect (with their real MAC even, defeating MAC randomization used when scanning for APs), and if it's an open AP or you got hold of the passphrase, monitor and possibly MITM connections.
Now if only I could run `apt-get update && apt-get upgrade` on my router's firmware to support this.
Fine, but in addition everything you do should be encrypted end to end as well as you can. Use httpseverywhere. Use privacy badger.
Can anyone comment on the efficacy of the CNSA algorithm they are planning to use?
Just in time for CES!