[callalex]

What is your threat model to warrant this effort at home? Are your work-related machines not networking through an encrypted tunnel in some other way (that would be a serious oversight!)? What government are you living under that is routinely compromising WPA3 from mobile vans? Are friends/guests so untrustworthy that you can allow them into your home but can’t trust the VLAN implementation of your network equipment to protect you from them accessing your network admin plane?

I’m asking incredulous and probing questions because I used to live life the way you are currently, and it’s frankly unhealthy for the human brain. If “home” feels like such an unsafe place to warrant your current measures, you need to either make serious changes to where home is, or your mental state. Neither is easy but at least one is necessary.

[staplers]

  What government are you living under that is routinely compromising WPA3 from mobile vans?

I imagine living in any decent sized downtown area would have your network being scanned by thousands of machines daily. Especially if near important infrastructure, law enforcement, etc.

[callalex]

That is not enough for a threat actor to modify the network control plane with WPA3. There are tight timings involved. It is only enough to be able to passively capture packets that can be retroactively decrypted and even then if there isn’t TLS working on those packets you already screwed up worse anyways.

[soraminazuki]

That's the wrong question to ask. Instead, we should be asking ourselves, why is it after all these years that we still don't have secure and easy to use multi-account WiFi networks with per-account configurable security policies in our homes? It's the current state of things that's unhealthy, not the people demanding better.

Security measures should be evaluated based on their own merits, not by appealing to friendship or any other relationships. We can lock our front doors and have a healthy relationship with our neighbors! These two things aren't mutually exclusive. Though I will add that trusting government authorities not to routinely abuse their powers is a hard ask given their track record all across the globe, even in democratic countries.

WiFi is ubiquitous and is used to exchange sensitive information 24/7. Its compromise can result in financial, reputational, or even physical risk. Considering that raw signals can be intercepted outside of our homes, devices on the network should at the very least be mutually authenticated and their connections encrypted.

Also, let's not forget about the devices too. Say you trust the people you let into your home. Can you also trust their devices and the software that runs on it? Do you trust your work laptop and its "security" software to respect your privacy? Do you even fully trust your own devices? Do you have faith in current commercial hardware and software to respect boundaries, or even comprehend the concept of user ownership? Because the answer to all these questions increasingly sounds like a "no."

[callalex]

> we should be asking ourselves, why is it after all these years that we still don't have secure and easy to use multi-account WiFi network

But that’s exactly what we do have! Any old router/AP combo you buy at the store or get from your ISP will let you set up a normal network and an isolated Guest network. All with a nice UI/UX that involves checking one box and choosing a password. Considering WPA3 to be insecure is just not rational or based in reality. Exploits against it are really complicated and just don’t happen all that much.

I don’t have to trust all the junk IOT devices that end up in my house because I just throw them on the guest network and call it a day. Nothing bad is going to happen to me as a result of this practice.

[soraminazuki]

When I wrote "multi-account WiFi networks with per-account configurable security policies," I meant WPA Enterprise style networks. Having 2 SSIDs and 2 passwords is a horribly insufficient setup which doesn't fit my description. That feels just as secure as running a Tor exit node right in my home, since there's no separation in the primary network and the password is bound to leak the more you share it to people.

[transpute]

> unhealthy for the human brain

Fortunately, wired networking continues to work reliably, unlike frequently "New and Improved" wireless increments.

[solatic]

Honestly, wired networking can be less secure, depending on your threat model. Not everyone lives in some kind of a physical fortress; breaking into someone's house is usually a simple matter of some lock picks that you can buy off the Internet, then compromising the wired network just requires installing an interceptor, not to mention stuff like hardware keyloggers. The truly paranoid user needs to check all their wired connections before each and every use, which few people do. They will need to seal the cases of each of their machines with some kind of tamper-evident seal, with transparent cases to ensure that nothing has been added internally with countermeasures taken against the tamper-evident seal, including the cases on the video cameras that they have set up to try and catch would-be intruders.

The point remains, people either generally feel safe in their homes, or they don't. If you do, then honestly a lot of these security measures are just overkill. If you don't, then you should deal with the root cause instead of its symptoms.

[transpute]

> generally feel safe in their homes

The human occupants of homes and businesses may be surprised by IEEE 802.11bf through-wall imaging of human activity by WiFi 7 Sensing, including keystrokes, breathing, motion and location in rooms.

Should the sale of new wireless imaging powers come with vendor responsibility and liability to secure those powers, or should that be delegated to the feelings of customers?

Will an enterprise VPN be sufficient to protect corporate assets which rely on the integrity of devices located in WFH employee homes, with walls transparent to WiFi 7 Sensing?

[unethical_ban]

You might be right, but this person might just be really intuitively good at network config and this is their hobby.

[cm2187]

Thanks god for shitty wifi ranges!

[xoa]

>What is your threat model to warrant this effort at home?

Same normal one as everyone else in a connected world? I find this interesting and do the same stuff for both home and work. You make a lot of mistakes and wrong assumptions, but a big one is failing at all to consider cost amortization. You're assuming this is a burden, but that's backwards. I need/want a decent network anyway. I want to use open source for core areas to avoid actual problems I've had (not theoretical) with lock-in going wrong anyway. There is absolutely real work and cost in setting that up, same as a good NAS, virtualization (or home k8s clusters some people do or whatever else), etc. But once you do, the marginal cost of doing more stuff with it is tiny, which of course is some part of the whole value in doing it in the first place. It's absolutely wise to pick where one spends their time and resources with care, and I have zero issues with leaning on COTS and other professional in plenty of areas. Self-hosting is both something I enjoy, something I think is important/valuable, and of professional interest.

>I’m asking incredulous and probing questions because I used to live life the way you are currently, and it’s frankly unhealthy for the human brain. If “home” feels like such an unsafe place to warrant your current measures, you need to either make serious changes to where home is, or your mental state. Neither is easy but at least one is necessary.

This is a lot of projection and confusion on your part I'm afraid. None of this has anything to do with "feeling unsafe" beyond the basic ways perhaps we should given the state of smart home devices, cloud service dependencies etc, and how valuable our digital lives and monitoring of them now are. As far as security you've literally got it backwards though: moving to an open less complex higher layer is simpler, more practical, more reliable, and thus it reduces vs adds mental burden. I don't need to think as much about whether some new aggressive smart home thing is trying to scan my network and what issues it might have (they are, they do, and no I do not get total veto on what comes in vs family desires/needs), about making use of still good but now old and never updated kit, about issues in the network hardware itself (like when some UniFi gear was leaking traffic between VLANs [0]), about new surprises in WPA, ever more automated attacks, and on and on. A minute to setup a tunnel once and a lot of that evaporates for years at a time. It significantly reduces the surface area of stuff that is critical to stay on top of vs "eh, check on updates once in awhile".

None of this comes from the strange state you describe yourself as in, but from curiosity, interest, and reasonable respect for the amount of risk against both my own limitations and positive features that I want to take advantage of in my life. Indeed if I didn't consider my home, office, and other work spaces fundamentally physically safe that would undermine the foundation of self-hosting! But physically safe with great neighbors and so on is separate from the connection to the entire rest of the planet, and the various black box objects we bring into said safe home made by profit seeking multinationals capable of communicating without our approval over said connection to the entire rest of the planet right? I hope you're making progress though!

----

0: https://community.ui.com/questions/BUG-NanoHDor-broadcast-an...