So Long Insecurity
By CWNP On 06/18/2010 - 6 Comments
My wife has a book on her bedside stand called So Long Insecurity, by Beth Moore. I [figuratively] have a press release on my bedside stand called “So Long Insecurity,” by the Wi-Fi Alliance. You may have already read or heard that the compass of the Wi-Fi Alliance is pointed due north on a path to prevent support of insecure security solutions on Wi-Fi certified (read: any Wi-Fi device in the competitive marketplace) devices.
It should come as no surprise that these changes are coming, and it’s good that they are. However, in my typical, critical [of the Wi-Fi Alliance] fashion, I contend that the schedule is on the weak side. :) Here is said schedule.
- Jan 1, 2011 — WPA-TKIP is no longer permitted on certified APs. WPA2-AES and WPA2-Mixed Mode (AES-CCMP & TKIP) are required.
- Jan 1, 2012 — WPA-TKIP is no longer permitted on any certified devices. WPA2-Mixed Mode is no longer required.
- Jan 1, 2013 — WEP is no longer permitted on certified APs.
- Jan 1, 2014 — WEP is no longer permitted on any certified devices. WPA2-Mixed Mode is no longer permitted.
Along with these changes come much stronger messages from the Wi-Fi Alliance about recommended practices. Specifically, as of Jan 1, 2011, the Wi-Fi Alliance recommends using WPA2-AES and, provided that you are seeking backwards compatibility with legacy devices, WPA2-Mixed Mode. They no longer recommend using WPA or WEP. As of Jan 1, 2013, the stamp of approval for WPA2-Mixed Mode for legacy devices is removed.
These changes by the Wi-Fi Alliance have no bearing on WEP or WPA devices that are already certified and deployed. This impacts new devices only, though it will force some early upgrade cycles and/or redesign steps for enterprises that still rely on legacy security. I’m a little torn on these dates, especially as I ask why WPA-TKIP is out the door so far ahead of WEP—that is, as a “permitted” security solution. Maybe someone who is smarter than me can defend these dates in the comments section and educate me. :) I know there are a lot of WEP devices out there still, and I suppose it will take some time to replace them, but WEP is the old clunky car that hasn’t started for years, and TKIP is the temperamental but still operable family sedan. Why are they abandoning the one that works and preserving the rust bucket for so long? 2013 is two and a half years from now, and it’s after the end of the world in 2012. The economy is still pretty sad, but I think they could’ve been a bit more aggressive in their phase-out dates. If companies don’t want to upgrade from WEP, they won’t have to. But, as I opine, the Wi-Fi Alliance should be phasing out WEP in newly certified devices sooner.
Anyway, that’s the news of the week. The course is set. The anchors are up. The Wi-Fi Alliance is saying so long to WEP and TKIP...eventually.
Tagged with: wi-fi alliance, WPA, WEP, legacy security, WPA2