And what should I do now?
A new attack on the WPA2 protocol, used to encrypt wifi connections, has recently been published. Unfortunately, the attack is something that has been around for over a decade!
This meets my definition of brilliant. The attack is blindingly obvious once it’s pointed out, but for over a decade no one noticed it.
What can I do about that now?
First of all: Don’t panic. Even though this is a serious vulnerability and you cannot do something about the actual vulnerability yourself, this probably won’t affect you too much. An attacker can decrypt your Wi-Fi traffic so close to you that he can physically listen to your Wi-Fi signal. However, it can only decrypt the wifi signal. He cannot join the wifi network or decrypt any further encryption that is in use.
Therefore: Use TLS encrypted connections (if your browser says https://, that’s it) whenever possible, especially when you enter login information in your browser or do anything else that might be sensitive. The Electronic Frontier Foundation, for example, offers the browser plugin HTTPS Everywhere, which will redirect all your traffic to the encrypted version of a website whenever possible.
The researcher Mathy Vanhoef released a youtube video that illustrates the attack. It shows how the attack works to eavesdrop on a login form if you do not use the https version of a web application:
To solve the actual vulnerability, make sure that you update your wifi drivers when a patch becomes available. You can check the status of the different vendors here: https://github.com/kristate/krackinfo.
As a company, providing a good encrypted version of your application is important. Check out our free security scanner to test the provided TLS encryption of your website.