by firewall-bad 3172 days ago
I do think it's an end-of-the-world type vulnerability, at least as far as Wi-Fi goes.

1) The paper claims confidentiality compromise allows the attacker to hijack a TCP connection: "allow an adversary to decrypt a TCP packet, learn the sequence number, and hijack the TCP stream to inject arbitrary data", this in all cases, even in the cases where it doesn't allow forgery (CCMP)

2) There's no such claim in the paper, and according to the researcher, exploiting this on Android and Linux is trivial. Apparently also macOS. Did you see the video on their website?

3) There's no way for you to control this (apps, HTTPS stripping, for instance). Most importantly, there's no way for the average user to control this, short of using a VPN.

Again, as far as Wi-Fi security goes, it seems pretty end-of-the-world to me. I don't think the huge attention this is getting is unwarranted.


Sky-is-falling is FUD:

The attack is a standard one: break an existing secure TCP connection and trick the target into re-creating it to a host controlled by the attacker via ARP poisoning or route hijacking. After that, either convince the target to accept a bogus cert or redirect to an insecure connection. In the former case the issue is that browsers have way too many root CAs included in them and those CAs can issue certs for any domain; the issue in the second case is that users are not being paranoid enough.

That's not the attack at all. And there's nothing standard about it.

The attack is the fact that someone couldn't do what you're describing on any WPA2-protected Wi-Fi network before, and now they can.

You have two schools of thought here... optimist vs pessimist.

Remember that the attack affects mostly client implementations and therefore still needs proximity to the victim(s); this makes most of the end-of-the-world type scenarios impractical (they even state this in their Q&A) and leaves exploitation to direct/APT groups alone.

Well I did mention it's "an end-of-the-world type vulnerability, at least as far as Wi-Fi goes".

I don't think it's a lot of consolation saying something along the lines of "Wi-Fi security is broken, but it's not so bad because it's Wi-Fi".

You should read "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks" by Michal Zalewski to expand your universe on things you should be afraid of, pal.

Interesting book that can really burst your bubble on how bad things are, and yet we are still here.

Yeah, I've had 'Silence on the Wire' for a while - brilliant book, although I confess I haven't ever been able to sit down and really read it end to end. But I'd say I'm familiar with the topics he talks about.

I'm not sure how that compares to the fact that WPA2 is completely insecure and trivial to decrypt on Android as "no, that is bad". Except maybe in a "well who trusts Wi-Fi security anyway?" to which I'd reply: "Actually, a lot of people. Including people on this thread".

I actually buy the argument that the RSA issue that affects YubiKey, that was announced today, is perhaps more important since it's harder to mitigate than using a VPN, but I don't know how bringing up "Silence on the Wire" makes this any less important.

Again, I haven't fully read the book or read it in detail, so I could be wrong about that, I guess.