On 9/22/14, coderman <coderman@gmail.com> wrote:
...
Please elaborate. TKIP has not been identified as a ‘active attack’ vector.
hi nymble, it appears no one cares about downgrade attacks, like no one cares about MitM (see mobile apps and software update mechanisms). [0]
to be specific about the problems, in case not concise enough above: 0. lack of a way to enforce TKIP disable. 1. lack of visual signal of TKIP downgraded security in WPA2 to users. 2. insult to injury with "unspecified" bozofail TKIP transition to ON flaws in some hw.
i would like to clarify that #0 is a driver domain behavior, your "suggestions" from userspace via wpa-supplicant are meaningless against the motivated. also, the definitive paper at http://www.isg.rhul.ac.uk/tls/ still insists, "For WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2." which is either incompetently incorrect, or intentional indirection. best regards, 0. "no one cares" - this is not strictly true; people care a bit more if you have done significant and detailed analysis of the sort that eats lives by the quarter-year. i have long since quit giving freebies freely, and instead pick my disclosures carefully with significant limitations. perhaps i should re-state: "no one working in the public interest cares". there is a roaring business for silence and proprietary development, and these people care quite a bit.