It was asked to AT LEAST write an email to the mailing list.
And still we are here flaming about this....
I will make a PR on Luci to change that to not secure. Again here it's user fault for using unsecure stuff... It's really like saying don't write your admin pass in the router what should we do? Enforce private key login?
Well, I have no idea how this mailing list stuff works nor how to register for it or something. It might be easier if this is addressed by someone who is already active (maybe even a dev?) and knows how that stuff works, can be something like:
"A forum user posted this threa [link] and pointed out if the vulnerable TKIP stuff can be removed. It is deprecated since 2012. What do other people on the mailing list think?"
For now I only saw one user flaming around (but not yet in this thread actually)
With that "idea" why does openwrt now ships with https by default? Why did openwrt got rid of wep? Why does openwrt has a strength check for the router password?
Because it is always desired to have it secure as possible (while at the same time easy as possible) by default (imho that includes to do don't even ship broken ciphers and also have a strength check for the wifi key).
That probably raises complexity for the average user (doesn't keep the principle "easy as possible"). But activating https by default and check the router password for strength at least raised the minimum standard
Also I wonder what "discussions" took place that the collective could agree letting wep rest once and for all. Maybe some one got a link? Did found much discussion in the forum about that...
The way I understand that is, WPA-PSK/WPA2-PSK will be as problematic as WPA-PSK for devices that will only connect via WPA, but more modern WPA2 devices will use CCMP/AES, so this is arguably a safer option, as if all stations support WPA2 TKIP will essentially not be used anymore...
Personally, I am sitting on the fence here, for one having shitty encryption in the field is bad, but on the other hand relaying on WiFi encryption as the only/main source of security for local traffic seems like a fools errand as well (on a suspicius link, like any internet path, we routinely use better encryption if security is of value, the same approach can be used over insecure WiFi links).
I understand the two sides of the "medal" but shouldn't openwrt then be consequently ship all the shitty ciphers and include WEP again? Why was that purged out of the official images at all then?
That's another PITA for sure:
Anyways till today nobody here discovered not one () device which is only able to communicate via WPA (TKIP) but not WPA2 (CCMP-AES) btw..... (I don't count that device I linked from 1998 as it was said a software update made it ready for WPA2 despite that device is EOL anyways...)
You probably need to ask whoever removed that... if you want to know. IMHO security is always a continuum and always at odds with convenience. If a cypher gets removed and no one hollers however it seems clear that jettisoning it was OK, the catch is you only know after the fact...
Why? As they say, unix gives you enough rope to shoot yourself in the foot. As far as I can tell tha is not the default, no?
Well, your problem, as I see it, is that you would need to prove that this apparent failure to present such an example is due there not being any such devices and not just because those folks affected did not participate in the thread, if you want to make a point out of this. But a "negative" is hard to prove.
Maybe re-phrase your whole approach into something ala:
Since TKIP can hardly be considered secure anymore and we can't really check whether it is required on some devices in our user-base a priori, let's try to disable it in an rc or test version to see how many complaints come in, if that number is zero maybe it can be disabled for good...
I don’t know what the past rationale was for dropping WEP (I disagreed) but I do know that it promptly triggered complaints from users who were unable to setup a WEP enabled guest network for their PSP handhelds anymore.
As a consequence, people will stick to old, discontinued versions that still support their use cases which arguably is worse in the grand scheme of things than offering a current version with secure defaults that still offers legacy features for those people who need them.
I don‘t know what there reason was, just that forcibly removing wep broke their use case. It was also so thoroughly removed that it is not even possible to install another package flavor like hostapd-full to gain it back.
+1; it is not that WiFi encryption should be trusted with anything too sensitive anyway (it is not that WPA2 did not have its own set of issues).
The problem with this approach, 'I know what is best for you' is that unless you really do know best and cover all eventualities, you might look somewhat stupid if you end up forcing users into retiring otherwise still operational hardware, even if that would not cause security issues.
E.g. I can for example use a wireguard link over a insecure WiFi channel and might hence not care all that much about the WiFi link's own encryption.
I think it's enough if the ready made images cover like 99% of the use cases and therefor don't include known vulnerable ciphers.
A lot of my network gear (all capable of WPA2 ) is "stuck" on openwrt 19.07 which is EOL since april. At the moment everything is still fine but if a security issue is discovered in the future this devices might end up as landfill
Except you made these 99% completely up. You have no idea about use-cases and their likelihood, and nor do I.
Yes, that is sad. However I assume that the issue is likely either:
a) lack of RAM
b) lack of storage
c) lack of developer time
All IMHO bigger issues than the perception of less secure encryption methods over WiFi...
Yepp, sad as I said. However I do not see that dropping TKIP will recover enough space to keep your hardware supported much longer. And the point here is that the problem is not necessarily to obsolete your router/AP but all the end devices that might require WEP or TKIP.
Or TKIP, which as it seems is going to be available into the future... I guess we will not agree on this, which is fine. I will however try to bow out of this thread to avoid endless repetitions.
It's probably more . I assumed this number based on some facts:
WEP was standardized in 1999
WPA was standardized in 2003
WPA2 was standardized in 2004
My calendar dates to the year 2022 at this very moment
Other than WEP (which was around for about 4 years) and doesn't necessary allowed a software upgrade path it was different for WPA (which was only around for a year) because that typically allowed a software only upgrade path to support WPA2.
Solely because of this timeline one could already assume that there are more (20 year old) "WEP only" devices out there than a "WPA only" device (which actually still lacks proof to really exist in the wild )
In the end it looks to me that there was exactly one (in numbers: ) user in this forum that "missed" WEP:
On the other hand while browsing thru the topics and posts some user probably used some vulnerable cipher without knowing (that can only happen if obsolete ciphers are shipped ) and were happy when other forum member suggested WPA2 or WPA3 to them.
I would call this a good example why not to include vulnerable ciphers by default