During Security Field Day, Aruba gave a great presentation about the new Wi-Fi Protected Access version 3 protocol, henceforth referred to as WPA3. There are a ton of enhancements built into the protocol to address concerns in WPA2, a 14-year-old protocol that was developed around the same time as 802.11g.
One of the biggest protections announced alongside WPA3 is Opportunistic Wireless Encryption (OWE), specified in RFC 8110 and certified by the Wi-Fi Alliance under the separate name Wi-Fi Enhanced Open. OWE is a huge advance in the way we handle communications between clients and access points in public spaces: the client and the access point agree on a key with a Diffie-Hellman exchange during association, so the traffic over the air is encrypted without anyone ever typing a password.
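To make that exchange concrete, here is a worked run of the RFC 8110 key agreement in Python. This is an added example, not code from the post or from Aruba; the P-256 arithmetic (IANA group 19, OWE's mandatory group) and HKDF are written out on the standard library so it runs offline. Two encoding details are assumptions taken from hostapd's OWE implementation rather than quoted from the RFC: the public key is carried as its x-coordinate only, and the group number in the HKDF salt is two octets little-endian.

```python
"""Opportunistic Wireless Encryption (RFC 8110) key agreement, worked through.

Added example, not code from the original post. Standard library only: the
P-256 (IANA group 19) arithmetic and HKDF are written out so the whole
exchange runs offline. Assumptions taken from hostapd's OWE code rather than
quoted from the RFC: public keys are carried as the x-coordinate only, and the
group number in the HKDF salt is two octets little-endian.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA group 19, OWE's mandatory-to-implement group)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
CURVE_A = P - 3
CURVE_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
GROUP = 19
HASH = hashlib.sha256  # the hash paired with group 19 in RFC 8110


def on_curve(pt):
    """True if pt (or the point at infinity, None) satisfies y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + CURVE_A * x + CURVE_B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustration; not constant time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def encode_pub(pt):
    """The Diffie-Hellman Parameter element carries the x-coordinate (assumption, see above)."""
    return pt[0].to_bytes(32, "big")


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_pmk(priv, peer_pub, client_pub, ap_pub):
    """RFC 8110 4.4: prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk, "OWE Key Generation", n)."""
    z = ec_mul(priv, peer_pub)[0].to_bytes(32, "big")       # shared secret: x of the ECDH result
    salt = encode_pub(client_pub) + encode_pub(ap_pub) + GROUP.to_bytes(2, "little")
    return hkdf_expand(hkdf_extract(salt, z), b"OWE Key Generation", HASH().digest_size)


def owe_pmkid(client_pub, ap_pub):
    """RFC 8110 4.4: PMKID = Truncate-128(Hash(C | A))."""
    return HASH(encode_pub(client_pub) + encode_pub(ap_pub)).digest()[:16]


def owe_exchange(client_priv=None, ap_priv=None):
    """One association: each side sends only its public key, both derive the same PMK."""
    c = client_priv or secrets.randbelow(N - 1) + 1
    a = ap_priv or secrets.randbelow(N - 1) + 1
    client_pub, ap_pub = ec_mul(c, G), ec_mul(a, G)       # the only values that cross the air
    client_pmk = derive_pmk(c, ap_pub, client_pub, ap_pub)
    ap_pmk = derive_pmk(a, client_pub, client_pub, ap_pub)
    return client_pmk, ap_pmk, owe_pmkid(client_pub, ap_pub)


if __name__ == "__main__":
    client_pmk, ap_pmk, pmkid = owe_exchange()
    print("PMKs match:", client_pmk == ap_pmk, "PMKID:", pmkid.hex())
```

Each side contributes a fresh key pair per association, both arrive at the same PMK, and someone who captures only the two public values in the association frames cannot compute z. What the exchange does not do is authenticate the access point, so it defeats passive capture rather than an impersonating AP.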
Public Wi-Fi is a huge boon to businesses. It’s offered in coffee shops to encourage people to stay a while and enjoy another cup. It’s offered in stores to let people do research before buying a new device or service. It’s offered in hospitals and sports stadiums to give people connectivity when they need it. It’s important for public Wi-Fi to be open and easy to access. As any wireless administrator will tell you, having to debug the connection process to an SSID is fraught with painful explanations and irritation when things don’t work correctly.
However, open networks have their own issues, chief among them security. With no password there is no link-layer encryption: the payload of every frame you send goes over the air in the clear. Public, unencrypted Wi-Fi is a huge minefield that can lead to personal information being leaked. There are tons of websites that tell you never to connect to public Wi-Fi networks without a VPN connection to ensure encryption. If you remember how crazy Firesheep was, you can see why having all that information available is so bad.
TLS Should Mean “Try Layered Security”
However, we don’t need to worry about that now because of SSL/TLS everywhere, right? Ever since we started encrypting all our traffic on the web, we surely don’t need to worry about using something like OWE in our new protocols. In fact, this very argument has been made for the better part of 2018 in an effort to make OWE an optional companion to WPA3 instead of the requirement it was originally expected to be.
While SSL/TLS are great ways to protect application traffic, you still have to worry about the information that’s passed in the clear outside of the application payload. Sure, your Facebook traffic is encrypted, but what happens if something in that process falls back to plain HTTP? Can you be entirely sure that every part of the transaction is protected from beginning to end for every page that you pull up? Sure, the login box may be protected by the little lock, but what else on that page isn’t safe?
TLS and SSL are great when they are configured correctly, by you or by someone else. But you can’t encrypt everything with them. There are still things that need to be transmitted in clear text, and there is too much information out there that will never be protected. That’s why OWE alongside WPA3 is so critical to securing all that traffic, because the odds are good we don’t even know about it.
Case in point: here’s a great article from Scott Lester (@TheITRebel) that explains OWE in more detail. Of special mention is the section where he talks about things like 802.1X authentication. By design, the EAP exchange that 802.1X carries runs before any link keys exist, so those frames go over the air unencrypted. If the link layer itself encrypted the traffic between client and access point, that exchange would be protected in transit while still arriving at the authentication server exactly as it does today. 802.1X is just a small example of the kinds of protocols that leak our information in public without us knowing it.
A Little Extra Protection
For those out there that may still say that OWE is unnecessary and that people should just VPN or use password-protected networks, think about it like this. There are people that still lock their doors with more than one lock and set an alarm system at their house every night. Why go through all the trouble? Wouldn’t one lock be just as effective and so much faster and cheaper?
The truth is that defense in depth isn’t just a good idea. It’s the best way for us to ensure that the failure of one section of our security apparatus isn’t going to be the end of all that we’ve built. By layering everything on top of something else we ensure that exceptions fall through to the lower layers and get caught. In the case of OWE, the air link itself is encrypted, so a passive listener gets nothing even when an application sends something before, or outside of, its TLS session. One caveat is what keeps the other layers necessary: OWE does not authenticate the access point, so it stops sniffing but not an attacker who stands up a look-alike AP, and RFC 8110 says as much.
Bringing It All Together
The benefits of OWE won’t be showing up for a while. Some access points are software-upgradable to WPA3 and Enhanced Open right now, but it’s going to take a concerted effort to roll out that code, perform the upgrades, and then stand up OWE-enabled SSIDs, and client devices need support for it as well. That takes time away from flying airplanes and making coffee for paying customers. So you won’t see OWE protecting you until later this year. The good news is that once it does finally kick in, you’ll get to enjoy the protection it offers whether or not your application is using SSL/TLS.