
Bug#760712: WEP vs WPA2



On Monday 15 September 2014, Ben Hutchings wrote:
> On Mon, 2014-09-15 at 23:08 +0200, Stefan Lippers-Hollmann wrote:
> > On Monday 15 September 2014, Cyril Brulebois wrote:
> > > Stefan Lippers-Hollmann <s.L-H@gmx.de> (2014-09-15):
[...]
> > [...] but the udeb
> > should support:
> > 
> > - no encryption
> > - WEP64
> > - WEP128
> > - WPAPSK v1 TKIP/ CCMP
> > - WPAPSK2 TKIP/ CCMP
> > 
> > More advanced setups, like IEEE8021X (using certificates and per-user 
> > encryption, e.g. eduroam and other commercial setups), smartcards and
> > are not supported by the udeb (nor would netcfg know how to configure
> > these).
> 
> WPS would also be nice to have.

Actually plain WPS support[1] (not allowing for external registrar 
functionality or NFC config methods) should already be supported by
wheezy's wpasupplicant packages (1.0-3). However I have not tested WPS
support (it was only enabled due to dependency issues of the udeb build
config) and I'm pretty sure that netcfg doesn't know how to configure 
this. WPS using pin numbers or push-button (QSS) support is horribly
insecure and should be strongly discouraged, even though it is 
convenient for the user (unfortunately many commercial access point 
firmwares don't allow disabling this option completely).
 
[...]
> The built-in world regulatory domain allows *passive* use of channels
> 12-13 and other channels that are not permitted in all countries.  That
> is, the kernel will allow passively scanning on those channels and
> connecting to an AP, on the assumption that the AP is following the
> local rules.
[...]

Of course you're right, passive scanning mitigates this problem to 
quite some extent. Active scanning (which is faster and would be 
required for connecting to hidden SSIDs (which are a bad idea, but 
still common; of course netcfg would have to learn to support this 
as well)) and 802.11d aren't available this way.

Regards
	Stefan Lippers-Hollmann

[1]	This should cover most consumer routers/ access points
