"Sweetser, Frank E" <fs@WPI.EDU> writes:

Nothing so simple, unfortunately. This class of vulnerability is actually a collection of 10 CVEs, which encompass both the AP side and client side. If you've patched the AP side, for example, the attacker may still be able to compromise the set of session keys on the client side, and decrypt all of the client sent traffic.

You've got to patch both sides to be fully secure.

You've got to avoid computers to be fully secure. But let's not get that paranoid. I pulled Cat 5 cable through the house years ago and never use wireless, but WPI has its hair on fire, and sent Professor Diane email (through Microsoft cloud service) to install "upgrades" immediately. I told her to at least wait until she has her computer back in the office and plugged into WPI cable. I have a friend who has been without a computer for a month or two because he tried to upgrade firmware and could not re-boot. This is very embarrassing for the authors of the standard, but is it really a big problem? Several meetings ago, somebody brought a device to the WLUG meeting that, as I understood it, pretends to be a wireless router and interposes itself into any nearby connection. If things like that exist, why care about encryption vulnerability? If you need to patch both sides to be secure, then you are not secure in the coffee shop no matter what you do. In any case, if you are using the wireless to connect to a web site or "cloud" server, then the wireless connection is the least of your insecurities. -- Keith