Re: [OT] Breaking WPA2 by forcing nonce reuse
On Tue, 17 Oct 2017 19:20:08 +0100
Brian <ad44@cityscape.co.uk> wrote:
> On Tue 17 Oct 2017 at 10:57:15 -0400, Celejar wrote:
>
> > On Tue, 17 Oct 2017 08:43:00 +0530
> > "tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:
> >
> > > So using https or better for communications on the local network is a
> > > good idea, but is it the norm? Many router firmwares or built-in
> > > webservers from cameras to printers default to http, sometime don't even
> > > offer https as an option.
> >
> > Yes, after I sent my mail I realized that my wirelessly networked
> > printer is going to be a problem. Some printers apparently support
> > access via SSL/TLS (IPPS), but it looks like mine (Brother
> > HL-2280DW) does not. And what are the odds that Brother will do a
> > firmware update to patch WPA for this some 6 years old model ;)
>
> I, and you, probably, are not dealing with printing confidential
> documents. Those entities which are should be more concerned.
I'm not? What happens when I need to print out some sort of financial
statement?
...
> > > It's patched in most distributions, and in router firmwares like LEDE
> > > already, was patched in some BSD even before publication, but how long
> > > before we see a patches for all affected devices?
> >
> > Never - for many / most Android devices, my printer (probably), etc.
>
> A timely fix arrives in Debian. Users who update are once again safe.
> What more could you ask for? What can you say apart from "thanks"?
? Yes, my Debian installations are now safe, and I'm duly thankful to
the Debian maintainers, the wpa_supplicant developers, the LEDE
developers, etc., but why should I not be worried and upset about the
situation with my phone, printer, etc.?
Celejar
Reply to: