On Mon, 2017-10-16 at 08:54 -0700, Jonathan Ryshpan wrote: > I am about 97% ignorant about encryption. However... > > It seems that these attacks are directed at clients rather than > servers. Is this correct? No. > If so, it's a good thing for me, since I use an old Belkin wireless > router whose firmware will surely never be upgraded. The attack is against *anything* using WPA2 encryption. The severity of the vulnerability depends on implementation details. wpa_supplicant (used in Linux and Android) is particularly bad. Ironically, recent versions of Windows and IOS are less vulnerable because they implement WPA2 incorrectly. Note that in all cases the problem is limited to nodes sharing the same wireless access point, i.e. it's not going to bite you over the Internet. That said, a cursory reading of the actual paper (rather than the rather sensational press release) shows that although there is a problem with the protocol handshake allowing certain kinds of relay attack, the potential issues depend on what actual (local) encryption protocol is used after establishing the connection. And of course using a higher-level secure protocol such as HTTPS or OpenVPN makes all this irrelevant. poc _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
