And what should I do now?
A new attack on the WPA2 protocol, used to encrypt wifi connections, has recently been published. Unfortunately, the attack is something that has been around for over a decade!
Security researcher Bruce Schneier states:
This meets my definition of brilliant. The attack is blindingly obvious once it’s pointed out, but for over a decade no one noticed it.
So that sounds really serious. What can I do about that now?
First of all: Don’t panic. Even though this is a serious vulnerability and you cannot do something about the actual vulnerability yourself, this probably won’t affect you too much. An attacker can decrypt your Wi-Fi traffic when he is so close to you that he can physically listen to your Wi-Fi signal. However, it can only decrypt the wifi signal. He cannot join the wifi network or decrypt any further encryption that is in use.
Therefore: Use TLS encrypted connections (if your browser says https:// that’s it) whenever possible, especially when you enter login information in your browser or do anything else that might be sensitive. The Electronic Frontier Foundation, for example, offers the browser plugin HTTPS Everywhere, which will redirect all your traffic to the encrypted version of a website whenever possible.
The researcher Mathy Vanhoef released a youtube video that illustrates the attack. It shows how the attack works to eavesdrop on a login form if you do not use the https version of a web application:
For solving the actual vulnerability, make sure that you update your wifi drivers when a patch becomes available. You can check the status of the different vendors here: https://github.com/kristate/krackinfo.
As a company, it is important to provide a good encrypted version of your application. Check out our free security scanner to test the provided TLS encryption of your website.