A Brief History of Wi-Fi Security Protocols from “Oh My, That’s Bad” to WPA3

630

Thanks to upcoming developments in Wi-Fi, all of us connectivity-heads out there can look forward to getting familiar with new 802.11 protocols in the near future. Ars took a deep look at what’s on the horizon last fall, but readers seemed to have a clear request in response—the time had come to specifically discuss the new Wi-Fi security protocol, WPA3.

Before anyone can understand WPA3, it’s helpful to take a look at what came before it during The Dark Ages (of Internet)—a time with no Wi-Fi and unswitched networks. Swaths of the Internet today may be built upon “back in my day” ranting, but those of you in your 20s or early 30s may genuinely not remember or realize how bad things used to be. In the mid-to-late 1990s, any given machine could “sniff” (read “traffic not destined for it”) any other given machine’s traffic at will even on wired networks. Ethernet back then was largely connected with a hub rather than a switch, and anybody with a technical bent could (and frequently did) watch everything from passwords to Web traffic to emails wing across the network without a care.

Closer to the turn of the century, wired Ethernet had largely moved on from hubs (and worse, the old coax thinnet) to switches. A network hub forwards every packet it receives to every machine connected to it, which is what made widespread sniffing so easy and dangerous. A switch, by contrast, only forwards packets to the MAC address for which they’re destined—so when computer B wants to send a packet to router A, the switch doesn’t give a copy to that sketchy user at computer C. This subtle change made wired networks far more trustworthy than they had been before. And when the original 802.11 Wi-Fi standard released in 1997, it included WEP—Wired Equivalent Privacy—which supposedly offered the same expectations of confidentiality that users today now expect from wired networks.

In retrospect, WPA3’s early predecessor missed the mark. Badly.

Read more at Ars Technica