WPA no longer considered reliable?

November 6th, 2008 by Scott Ullrich

There are a number of stories making the rounds today about how WPA has been cracked, though “it’s not as bad as you think…yet”.

WPA2 when using TKIP is also affected.

Running a VPN on top of your wireless encryption can offer additional protection, and you may want to consider such a deployment regardless of which wireless encryption your network uses. Whether pfSense is your AP or your APs connect to it, it can provide VPN services to internal users on your wireless network, and you can restrict all traffic coming in from the wireless network so that it can reach only the VPN endpoint. Only after successfully authenticating to the VPN can users access your internal network and/or the Internet.
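As an added example (not part of the original post and not pfSense's own configuration), here is the wireless-segment policy described above written as pf rules, the packet filter pfSense is built on. It assumes an IPsec VPN terminated on the firewall itself (IKE on UDP 500, NAT-T on UDP 4500, ESP), with decrypted traffic arriving on FreeBSD's enc0 pseudo-interface; the interface names, gateway address and client pool are assumed values.

```pf
# Assumed interface names and addresses (adjust to the deployment)
wlan_if = "wlan0"             # untrusted wireless segment
wlan_gw = "192.168.50.1"      # firewall's own address on that segment
vpn_pool = "10.10.10.0/24"    # addresses handed to VPN clients

set skip on lo0

# Wireless segment: deny by default and log what is dropped.
# The usual "pass in on $wlan_if all" would let a client that has
# cracked the WPA key roam the LAN; here only VPN setup is allowed.
block in log on $wlan_if all

# Clients still need an address before they can bring up the tunnel.
pass in on $wlan_if inet proto udp from any port 68 to any port 67

# IPsec negotiation (IKE, NAT-T) and the ESP tunnel, only to the firewall.
pass in on $wlan_if inet proto udp from any to $wlan_gw port { 500, 4500 } keep state
pass in on $wlan_if inet proto esp from any to $wlan_gw

# Traffic that arrives decrypted from an authenticated tunnel may go
# to the internal network and the Internet (enc0 = FreeBSD IPsec interface).
pass in on enc0 inet from $vpn_pool to any keep state
```

Check the policy with `pfctl -nf` before loading it, and watch `pflog0` for the logged drops to confirm that unauthenticated wireless clients cannot reach anything but the VPN endpoint.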

Edit: SANS has a good webcast on this topic for those interested in details.

8 Responses to “WPA no longer considered reliable?”

  1. blak111 Says:

    I believe this weakness is just with TKIP, which was just basically WEP on steroids. It’s very similar to WEP to avoid conflicts with needing better drivers or better hardware to support anything better like AES.

  2. Chris Buechler Says:

    I updated Scott’s post with some additional information.

  3. resmo Says:

    I wonder why people are so surprised about this “WPA cracked” story. Everybody knows WPA is an improved WEP, and so this can’t be secure.

    I think the reason is that WPA and WPA2 look almost the same to common people. They only see WPA, remember they also use something called WPA (obviously WPA2) and start screaming.

  4. p1nged Says:

    yea, what blak111 said is true… they broke TKIP

    in any case, the most secure for now is WPA2-Enterprise with AES & RADIUS authentication + using an L2TP/IPSec VPN on top of that… can all be done using pfsense

    that’s just being paranoid, but maybe required for certain applications

  5. RasKal Says:

    Fully agree with p1nged and I’d also use x509 user certificate if L2TP/IPSec is not an option.
    Bgrds.

  6. Scott Ullrich Says:

    Just because you’re paranoid does not mean they are not out to get you ;)

  7. hawk Says:

    It’s not really true that “WPA2 is not affected”; TKIP (the thing that has started showing cracks) is part of the WPA2 spec as well as the WPA spec.

    However CCMP (AES), only mandatory in WPA2, is unaffected, so it is not as bad as it sounds.

  8. Chris Buechler Says:

    Thanks hawk, I updated the post. That was from the first day when the details weren’t so clear and I never went back and reviewed the content of the post.
