[ale] Strong home wireless router?
Solomon Peachy
pizza at shaftnet.org
Sat Jun 3 23:32:04 EDT 2023
On Sat, Jun 03, 2023 at 10:01:00PM -0400, DJPfulio--- via Ale wrote:
> There is no such thing as strong security when RF is involved. If you
> want strong security AND wifi, then you'll need to use a full IPSec
> VPN.
You really need to qualify "strong" in terms of threat vectors.
One can't hide the fact that _something_ is communicating when RF is
involved, but one can absolutely hide the contents until long after
learning them matters.
If some TLA wants in your systems, you're already screwed, because
they'll just slap you over the head with a warrant or NSL. Or just
physically break in.
But if you want to deter someone hanging around sniffing your traffic so
they can log into your network without your permission, then modern WPA3
(or even WPA2) is more than enough, assuming you actually rotate your
network keys once in a while.
Or you could switch to WPA-Enterprise, with per-user
credentials/certificates. Then there's truly nothing shared/reused,
making the "sniff a sufficiently long amount of time to derive the
shared key" attack against WPA-PSK impossible.
Oh, WPA-PSK and WPA-Enterprise rotate the on-air packet crypto keys
pretty often, so it's not remotely practical to break a given session's
keys in realtime, and the OTA crypto session has designed-in mitigation
against replay or injection attacks.
(FWIW, I've written three complete wifi stacks over the course of my
career, including their OTA crypto implementations and a complete
WPA-PSK+Enterprise authenticator.)
Meanwhile. Going back to the threat vector thing; while modern wifi is
in and of itself decently secure, a random access point/router is another
matter entirely, and that's entirely in the hands of the vendor,
especially in today's surveillance/data-mining climate. I wouldn't
trust anything that isn't supported by OpenWRT.
(I'm typing this via an older Engenius EAP1750H, running an OpenWRT
snapshot from a few days ago. They go for about $40 these days on
eBay, and their slower predecessors are even cheaper. And thanks to
their high output power radios (28dBm/630mW) they're particularly nice
for meshing or bridging longer distances. I used a pair of EAP1200s
and another pair of EAP600s to connect the various outbuildings here
until I pulled two pairs of armored singlemode everywhere...)
- Solomon
--
Solomon Peachy pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
Dowling Park, FL speachy (libra.chat)