WPA2 was never intended to be anything more than a "nuisance preventer." It is relatively easy to eavesdrop on another conversation in a coffee house – but if, for example, the connection is to an https web-site, or uses ssh or a VPN, the packets that you could intercept by WPA2 eavesdropping would be otherwise-encrypted anyway.

WPA2 was built to work within the very limited capabilities of wireless interfaces – what began with a simple, unchanging "WEP Key" slightly-matured into a protocol which would periodically re-negotiate the session key. But the hardware isn't really capable of much more.

Packets ought not be sent across the ether "in the clear," because "it's nobody's business but yours," so you should use WPA2, warts and all. But you should never rely on any (civilian ...) wireless-device security feature for primary security.

Agreed. But is it a drawback?

Same question for identifiability.

A security hole which is presented later than possible because they need to make a website first is a bad sign. And that happened in the past.

Ah, I see, thanks for explaining. I was under the impression that it was presented later due to the idea of Responsible disclosure, nothing to do with the website per se.

Is this actually what happened? Do you have a source?

You all might be interested in what the EFF has to say about this. https://www.eff.org/deeplinks/2017/1...-you-need-know

They are not in a panic.

EFF's web site should be regular reading for everyone.

The most important thing ... and by-the-way this is generically true ... is that your computer should never "simply trust" any computer "because it is on the 'local' network." This is a throwback to the "wired" days, when it was hard to connect a computer to the physical network. Today, every other computer in the coffee shop is "on your local network," and you should port-scan your own machine ... from another machine ... to see exactly what services it might be exposing to everyone.

I vividly remember hitting the Windows "network list" screen while setting up a new network at a client's place of business – this was very early in the days of always-on ISPs – and being astonished to find many unprotected Windows shares listed. (Some apparently were related to a lawyer's office. I presume that neither the lawyer nor the lawyer's clients had any idea.)

There were also plenty of printers. I admit that I was sorely tempted to send a "Kilroy Was Here" to one of them at random.

It's actually a very good idea to use VPN within(!) your company, such that everything that passes through your local airwaves and wires is both encrypted and station-identified. You really shouldn't assume that the file-server you're talking to really is the one you think. But, if you are talking to it through VPN, and only through VPN, you can be, because a VPN server positively identifies both itself and every client that it allows to connect, provided that(!) you use unique digital certificates, as you always should.

Yes. The site is worth checking on a regular basis. Though with Brand Named Bugs, it can be hard to track down the CVE number(s) even at the EFF site.

The EFF post above links to an explanation of the process that created the bugs in the first place. Rick Falkvinge puts it in plain language in that it was caused by closed standards. He inadvertantly also makes a case for open access publishing at the same time, but the gist is that because the standard was behind what amounts to a paywall, few could examine or evaluate it.

A silent confirmation of the frequently-made statement that "open peer-review" of any and every cryptographic technology is essential. Had the WPA2 folks not subscribed to the false-doctrine of "security through obscurity," they would not face this exposure today. The problem would have been identified and fixed, and along the way the protocol would probably have been "gratuitously greatly strengthened."

WPA2 was hacked in one or two days. There was not much security anyhow.

WPA3?

It appears there is more where that came from:

https://asecuritysite.com/encryption/ssid_hm

That's the same attack as what you mentioned in post #5, right?

I don't think WEP2 is dead, as such, any more than having a lock on your front door is pointless or using a hotel safe means your valuables will be stolen.
There never will be complete security but the key is to use as much security as you can use practically -- so make sure HTTPS sites are used, use VPNs on public WiFi spots if you use them at all and that kind of thing. The main thing is to look out for signs that your security has been compromised, such as messages showing that a secure site has been accessed at a time you know you didn't access it (many now show the last access date, time and IP address) then act accordingly. And, of course, use passwords as strong as you feasibly can.
Don't get me wrong, this is worrying and I hope it gets patched inn Android ASAP, but it doesn't really change anything.

Has "Chicken Little" been re-released ... ?

It's very closely related.

https://marc.info/?l=openbsd-misc&m=153372522315681&w=2

https://hashcat.net/forum/thread-7717.html