On 9/22/14, coderman <coder...@gmail.com> wrote:
> ...
>> Please elaborate. TKIP has not been identified as an ‘active attack’
>> vector.

hi nymble, it appears no one cares about downgrade attacks, like no one cares about MitM (see mobile apps and software update mechanisms). [0]

> to be specific about the problems, in case not concise enough above:
> 0. lack of a way to enforce TKIP disable.
> 1. lack of visual signal of TKIP downgraded security in WPA2 to users.
> 2. insult to injury with "unspecified" bozofail TKIP transition to ON
> flaws in some hw.

i would like to clarify that #0 is a driver domain behavior, your "suggestions" from userspace via wpa-supplicant are meaningless against the motivated.

also, the definitive paper at http://www.isg.rhul.ac.uk/tls/ still insists, "For WPA/TKIP, the only reasonable countermeasure is to upgrade to WPA2." which is either incompetently incorrect, or intentional indirection.

best regards,

0. "no one cares" - this is not strictly true; people care a bit more if you have done significant and detailed analysis of the sort that eats lives by the quarter-year. i have long since quit giving freebies freely, and instead pick my disclosures carefully with significant limitations. perhaps i should re-state: "no one working in the public interest cares". there is a roaring business for silence and proprietary development, and these people care quite a bit.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography