Encryption 16 October 2017

KRACK proves we need more encryption on the Internet

By Mat Ford Technology Programme Manager

A serious weakness in Wi-Fi security was made public earlier today. The Key Reinstallation Attack (KRACK) can break Wi-Fi encryption, opening your data up to eavesdropping. This, combined with issues in Linux and Android, makes it possible for attackers to change websites you view. This is a serious problem for Wi-Fi Protected Access 2 (WPA2), a protocol used in millions of networks worldwide.

Luckily, the use of Transport Layer Security (TLS) is on the rise. Mozilla’s data shows that over 60% of pages loaded in Firefox use TLS. More and more companies are using encryption for all traffic and removing the ability to connect to unencrypted versions of their sites. When connecting to these sites, KRACK isn’t as big of a deal, because the data is encrypted before it’s sent across Wi-Fi. Even if WPA2 is broken, the data is still secure.

Unfortunately there are still millions of sites that don’t provide this security. Their users are vulnerable to eavesdropping, fake content, malware injection, and more. We need more companies and operators to use TLS and HTTP Strict Transport Security (HSTS) to mitigate the potential impact of KRACK.

Internet traffic exists in layers, which makes it possible to use more than one kind of encryption to build defense-in-depth. When a problem is found in one layer, we can lean on the other layers to provide security. So, while encryption is fundamentally important, multiple layers of encryption are necessary to provide robust online security over time.

We expect to see software updates in the coming days to address the issues with WPA2. Sadly, given the widespread use of Wi-Fi, and how rarely many hardware devices are updated, KRACK is going to be a problem for a long time to come.

The need for an easy way to update Internet of Things devices is on the agenda at the next Internet Engineering Task Force (IETF) meeting. We need to develop new and more widely-supported solutions to the need for Internet-connected devices of all kinds to be easily updated. KRACK will certainly not be the last widespread vulnerability of this kind.

What You Can Do

1. Update Your Wi-Fi Devices. Check to see if your connected devices have updates. In some cases, this may require figuring out how you log in to or administer those devices. If no updates are available, look at the vendor’s website (or contact the vendor) to find out when an update will be available. Note that you may need to keep checking over the days and weeks ahead.

2. Check How Well Your Website Supports TLS. If you operate a website, test it (also here) to see if it has the best possible level of TLS support. Make whatever updates you can to support TLS and HSTS.

3. Use a VPN On Wi-Fi Networks. Whenever you connect to a Wi-Fi network, use a virtual private network (VPN). This will add another layer of encryption to ensure an attacker cannot see your traffic.

4. Encourage vendors to support the Online Trust Alliance (OTA) IoT Trust Framework. In embracing this framework, vendors agree to provide patching and support capability in their devices.
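
For step 2, the sketch below audits a site's response headers for the HTTPS redirect and the HSTS policy that keep traffic encrypted above the Wi-Fi layer. It is an added example, not part of the original article; the function names, the 180-day `MIN_MAX_AGE` floor, the requirement for `includeSubDomains`, and the sample responses are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # assumed policy floor for this example (180 days, in seconds)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument} (RFC 6797)."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # each directive may appear only once
            raise ValueError("duplicate directive " + name)
        directives[name] = arg.strip().strip('"')
    return directives

def audit_response(scheme, status, headers):
    """Return findings for one response; an empty list means nothing to fix."""
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    findings = []
    if scheme != "https":
        location = next((v for k, v in headers if k.lower() == "location"), "").lower()
        if status not in (301, 302, 307, 308) or not location.startswith("https://"):
            findings.append("plain-HTTP response does not redirect to HTTPS")
        if hsts:  # browsers ignore HSTS received over insecure transport
            findings.append("HSTS header on plain HTTP is ignored by browsers")
        return findings
    if not hsts:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(hsts[0])              # only the first header is processed
    except ValueError as exc:
        return ["invalid HSTS header: " + str(exc)]
    max_age = d.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the HSTS policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("max-age below the assumed policy floor")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (assumed policy: required)")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = [
    ("https", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", 200, [("Strict-Transport-Security", "max-age=0")]),
    ("http", 200, [("Content-Type", "text/html")]),
]
print([audit_response(*s) or "ok" for s in SAMPLES])
```

Feed it the scheme, status code and headers your own site returns for both its `http://` and `https://` URLs; a clean result for both is an empty list.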


Image credit: Matt Artz on Unsplash
