What are
/r/KRaCK's
favorite Products & Services?
From 3.5 billion Reddit comments
The most popular Services mentioned in /r/KRaCK:
Match.com
Launchpad
NordVPN
Debian
Arch Linux
Magisk
The most popular reviews in /r/KRaCK:
HTTPS is not vulnerable.
The issue is that when you type in "match.com" as the demo video did, the site is configured to redirect you to https://match.com. If an attacker can intercept that redirect (or if the site serves traffic on both HTTP and HTTPS), then you can be sending data unencrypted over HTTP.
When the demo video mentions a "properly configured website", that means setting the HSTS header (and ideally adding the domain to the preload list). That means that your browser knows to go straight to HTTPS for that domain, so no data is sent unencrypted and you start with the TLS handshake. If a site is not encrypted in such a way, you can protect yourself using something like HTTPS Everywhere or manually prefixing https:// when entering a URL.
While I can't find any blog entry or article about this, I can personally confirm that Linux Mint has pushed the wpa update from Ubuntu. At this point, I'm guessing both have issued the update to user machines.
For anyone reading this using Arch Linux, running a simple "sudo pacman -S wpa_supplicant" isn't enough as wpa_supplicant-1:2.6-8 is still being served out. Download the latest wpa_supplicant-1:2.6-11 can be downloaded here. And then patch yourself up: sudo pacman -R wpa_supplicant sudo pacman -U wpa_supplicant-1_2.6-11-x86_64.pkg.tar.xz
I found something related on XDA, but no one replied anymore after someone said wpa_supplicant had to be statically linked: https://forum.xda-developers.com/apps/magisk/magisk-modules-to-resolve-terrible-wpa2-t3690444
Anyways, I just compared wpa_supplicant of unpatched OxygenOS 7.0 and an officially patched 7.1, and wpa_supplicant has the same file checksum on both ROMs. So it seems they fixed the vulnerability elsewhere but not in the file wpa_supplicant.
Or just install an Android VPN app
https://nordvpn.com/download/android/
https://www.privateinternetaccess.com/pages/android-vpn-app
There are also VPN apps that will only turn on when you're on Wi-Fi and not on a selected number of networks. So you can update your home router, and then your phone will only use the VPN when you're on a foreign WiFi network.
You can do it with OpenVPN, but it's a bit harder to use for novices. I assume Private Internet Access or Tunnel Bear or one of the other more user friendly apps has it, but I don't use any of those so I couldn't say.