There needs to be a mechanism where a site can provide its verified identity to allow the user to know exactly who they are.
Not every site will need or want this but the ability should exist.
At the moment EV provides this ability. If EV is not seen as the answer then we need to have something else instead. We could decouple this from HTTPS but identity is also a valid purpose of signed certificates.
Not quite: The attacker watches for the initial client->AP encryption negotiation (or forces it by forcing a disassociate), records one step of that negotiation and replays it to the client. That has the side-effect of causing the client->AP traffic to re-use encryption keys. Since WPA2 encryption is a stream cipher, re-using keys opens it up to a known-traffic analysis attack, which allows a listener to decrypt the traffic. So, the user is still connected to their existing AP, but since they're re-using keys, attackers can decrypt the client->AP communication.
There's no need for a second AP in all this, just someone in range of the client who can replay packets to the clients.
Are you sure about that? From the paper (section 3.3):
> Note that the adversary cannot replay
an old message 3, because its EAPOL replay counter is no longer
fresh.
And a related update from the TLDR post you originally referenced (which I believe is causing confusion):
> Update: An early version of this post suggested that the attacker would replay the message. Actually, the paper describes forcing the AP to resend it by blocking it from being received at the client. Thanks to Nikita Borisov for the fix.
> The client is forcibly disconnected from the WiFi network and reconnects to the attackers network instead.
The client is tricked into moving to what it thinks is the same WiFI network running on a different channel, but is actually the attackers network instead.
> The attacker doesn't need to know the WPA2 password but it accepts the connection setting the encryption to zeros.
The attacked doesn't need to know the WPA2 password and (for Android and Linux clients) the client then defaults to an encryption key of all zero bytes.
> The client thinks it is connected to the original wifi network and continues as normal.
Yes.
> Wifi traffic is intercepted and unencrypted.
Wifi traffic is intercepted and can be decrypted (since the encryption key - all zero bytes - is now known).
Just the traffic between the impacted client and the network, right? Because each client is using a different key (has to be, if we're able to reset just one client's key to all zeros)
Wetransfer is a cancer. In my organisation I keep being called because the links are expired and people haven't downloaded the files. They also use it for sensitive information (links are sent through clear text mail).
We have NAS for local file transfer but the convenience of Wetransfer trumps that.
