Encryption 16 October 2017

KRACK proves we need more encryption on the Internet

By Mat Ford, Technology Program Manager

A serious weakness in Wi-Fi security was made public earlier today. The Key Reinstallation Attack (KRACK) can break Wi-Fi encryption, opening your data up to eavesdropping. This, combined with issues in Linux and Android, makes it possible for attackers to change websites you view. This is a serious problem for Wi-Fi Protected Access 2 (WPA2), a protocol used in millions of networks worldwide.

Luckily, the use of Transport Layer Security (TLS) is on the rise. Mozilla’s data shows that over 60% of pages loaded in Firefox use TLS. More and more companies are using encryption for all traffic and removing the ability to connect to unencrypted versions of their sites. When connecting to these sites, KRACK isn’t as big of a deal, because the data is encrypted before it’s sent across Wi-Fi. Even if WPA2 is broken, the data is still secure.

Unfortunately there are still millions of sites that don’t provide this security. Their users are vulnerable to eavesdropping, fake content, malware injection, and more. We need more companies and operators to use TLS and HTTP Strict Transport Security (HSTS) to mitigate the potential impact of KRACK.

Internet traffic exists in layers, which makes it possible to use more than one kind of encryption to build defense-in-depth. When a problem is found in one layer, we can lean on the other layers to provide security. So, while encryption is fundamentally important, multiple layers of encryption are necessary to provide robust online security over time.

We expect to see software updates in the coming days to address the issues with WPA2. Sadly, given the widespread use of Wi-Fi, and how rarely many hardware devices are updated, KRACK is going to be a problem for a long time to come.

The need for an easy way to update Internet of Things devices is on the agenda at the next Internet Engineering Task Force (IETF) meeting. We need to develop new and more widely-supported solutions to the need for Internet-connected devices of all kinds to be easily updated. KRACK will certainly not be the last widespread vulnerability of this kind.

What You Can Do

1. Update Your Wi-Fi Devices. Check to see if your connected devices have updates. In some cases, this may require figuring out how you log in to or administer those devices. If no updates are available, look at the vendor’s website (or contact the vendor) to find out when an update will be available. Note that you may need to keep checking over the days and weeks ahead.

2. Check How Well Your Website Supports TLS. If you operate a website, test it (also here) to see if it has the best possible level of TLS support. Make whatever updates you can to support TLS and HSTS.

3. Use a VPN on Wi-Fi Networks. Whenever you connect to a Wi-Fi network, use a virtual private network (VPN). This will add another layer of encryption to ensure an attacker cannot see your traffic.

4. Encourage vendors to support the Online Trust Alliance (OTA) IoT Trust Framework. In embracing this framework, vendors agree to provide patching and support capability in their devices.
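
For site operators working through step 2, the HSTS part of the check can be scripted. The following is an added example, not part of the original post: it parses a Strict-Transport-Security header following the RFC 6797 rules and classifies the policy. The function names, the six-month threshold and the sample responses are assumptions made for illustration.

```python
import re

# RFC 6797 grammar, simplified: ';'-separated directives, case-insensitive names,
# optional token or quoted-string value (values containing ';' are not handled).
_DIRECTIVE = re.compile(
    r'''\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*''')
MIN_MAX_AGE = 15768000  # about six months; threshold assumed for this audit


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives are allowed
        m = _DIRECTIVE.fullmatch(part)
        if m is None or m.group(1).lower() in seen:
            return None  # malformed or repeated directive: browsers ignore the header
        seen[m.group(1).lower()] = (m.group(3) or "").strip()
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is mandatory and must be a non-negative integer
    return int(seen["max-age"]), "includesubdomains" in seen, "preload" in seen


def audit(scheme, headers):
    """Classify one response; headers is a list of (name, value) pairs."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return "no-hsts"
    if scheme != "https":
        return "ignored-over-http"  # HSTS sent over plain HTTP is never honoured
    policy = parse_hsts(values[0])  # only the first header field is processed
    if policy is None:
        return "invalid"
    if policy[0] == 0:
        return "disabled"  # max-age=0 makes the browser forget the policy
    if policy[0] < MIN_MAX_AGE:
        return "short-max-age"
    return "ok" if policy[1] else "ok-no-subdomains"


# Constructed sample responses (scheme, headers); not captured from any real site.
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("strict-transport-security", 'MAX-AGE="31536000"')]),
    ("https", [("Strict-Transport-Security", "max-age=300")]),
    ("https", [("Strict-Transport-Security", "max-age=31536000; max-age=0")]),
    ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    ("https", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, headers, "->", audit(scheme, headers))
```

Anything other than "ok" means a browser on a compromised Wi-Fi link may still be steered to the unencrypted version of the site on some visits.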


Image credit: Matt Artz on Unsplash

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
