On October 16, the KRACK exploit affecting all Wi-Fi connected devices became public knowledge. KRACK allows hackers to gain easier access to your Wi-Fi connection. They do this with a replay attack, in which the attacker replays the 3rd message of the 4-phase Wi-Fi connection handshake. Doing this gets the router to resend the 4th phase of the handshake and allows the hackers to access the same session as the victim.
The consequence for the victim is that unencrypted information sent from the victim’s device over Wi-Fi can easily be accessed and read by attackers. This includes usernames, passwords and anything else you might want to keep safe and private.
How do you protect yourself?
While we wait for companies to patch their devices, you can take steps of your own. [At the time of writing this article, there are patches for Microsoft devices, but we are still waiting on patches from Apple and Google for their devices.]
Using a reputable VPN is one option, as this will encrypt all your traffic, adding an extra layer of security.
Alternatively, simply connecting to a site that is secured with an SSL certificate (HTTPS://) will also help protect you. Connecting over HTTPS:// rather than HTTP:// will encrypt your connection and make it harder for attackers to gain access to sensitive information.
In the past few years, there has been a push for website owners to secure traffic to their websites with SSL certificates. In 2014, Google made a push towards a more secure web when it included HTTPS as one of the many ranking factors in its algorithm. Starting in January 2017, Google took this a step further by lowering relevancy scores for non-HTTPS websites. Sites with SSL will rank higher in Google than those that do not have an SSL.
Chrome on HTTPS
With version 56 in January, Chrome began marking HTTP sites with password or credit card fields as “Not secure” in the address bar. As a result, Google noted a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop.
With the release of Chrome 62 this month, Google is now extending the warning to any HTTP site where user data is entered. Notably, the badge will not appear in the address bar until users begin entering information into a field (see the example above).
The benefit for Chrome users is that you can see very quickly when information you are entering would be visible over an unsecured Wi-Fi connection. While this isn’t a guarantee of complete safety, it helps users know when that extra layer of protection is there.
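As an added example (not from the original article, and not Chrome's own logic), here is a Python audit a site owner could run over their own pages to see which would fall under the Chrome 56 or Chrome 62 warning described above. The field heuristics (`type="password"`, `autocomplete` tokens starting with `cc-`, text-entry input types) and the names `audit_page` and `SAMPLE_PAGES` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these input types approximate "fields where user data is entered".
TEXT_ENTRY_TYPES = {"text", "email", "tel", "search", "url", "number"}

class FieldCollector(HTMLParser):
    """Collects form fields, split into sensitive (Chrome 56) and other (Chrome 62)."""
    def __init__(self):
        super().__init__()
        self.sensitive, self.other = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or tag
        if tag == "textarea":
            self.other.append(label)
        elif tag == "input":
            ftype = a.get("type", "text").lower() or "text"
            cc = any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split())
            if ftype == "password" or cc:
                self.sensitive.append(label)
            elif ftype in TEXT_ENTRY_TYPES:
                self.other.append(label)

def audit_page(url, html):
    """Return which Chrome warning tier (as described in the article) applies to a page."""
    fields = FieldCollector()
    fields.feed(html)
    fields.close()
    if urlparse(url).scheme.lower() == "https":
        tier = "none"        # HTTPS pages are not marked
    elif fields.sensitive:
        tier = "chrome56"    # password or credit card field on an HTTP page
    elif fields.other:
        tier = "chrome62"    # any other data-entry field on an HTTP page
    else:
        tier = "none"        # HTTP page with nothing to type into
    return {"url": url, "tier": tier, "sensitive": fields.sensitive, "other": fields.other}

# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "http://shop.example/login": '<form><input name="user"><input type="password" name="pw"></form>',
    "http://shop.example/pay": '<form><input name="card" autocomplete="cc-number"></form>',
    "http://shop.example/search": '<form><input type="search" name="q"><input type="submit"></form>',
    "https://shop.example/login": '<form><input name="user"><input type="password" name="pw"></form>',
    "http://shop.example/about": "<h1>About us</h1><p>No forms here.</p>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(audit_page(url, html))
```

Pages reported as `chrome56` or `chrome62` are the ones to move to HTTPS first, since those are where visitors type data that would cross the Wi-Fi link unencrypted.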
What does this mean for website owners?
Internet giants (Google, Mozilla etc.) are making a big push to encourage website owners to secure their sites and help protect their users. We also see that websites are being “shamed” for not being secure.
It used to be that SSLs were very expensive and out of reach for the average mom-and-pop website, but over the years prices have dropped significantly, and they have never been cheaper than they are now. Our most basic domain-verified SSL (the RapidSSL) starts at $69/yr.
For more information about SSLs see:
If you have any questions about getting an SSL for your site, contact our sales team, and they’d be happy to help you out.