Every time I connect to my wifi-network with my Windows 10 1909 I get a notification about the network not being secure.

The network does use WPA2 Personal though (which is shown by multiple devices on the network, 2 Android devices show WPA/WPA2 PSK and my Windows 10 laptop shows WPA2 Personal) which I don't think is insecure.

Is there another reason why this notification pops up? And could this be related to internet cable maintenance in my area?

guntbert
DaddyMike
  • Make sure the AP does **not** have original WPA (TKIP) enabled in any way. It should be pure WPA2 (AES-CCMP) **only**. Original WPA had issues where a buggy device sending a malformed packet could be misinterpreted as an attack on the network and cause all devices on the network to be notified that the network was under attack. – Spiff Nov 15 '19 at 19:53

1 Answer

There is a support article for this notification that suggests you may be using TKIP encryption, even on a WPA2 Personal network.

> ...this can occur if you connect to a Wi-Fi network that uses WEP or TKIP for security. These security standards are older and have known flaws.

Make sure that your router is set up to use AES encryption.

Romen
  • I would add CCMP to AES _(i.e. AES-CCMP)_, as many routers' firmware doesn't specify AES but WPA2+CCMP. – JW0914 Nov 15 '19 at 22:59
  • You may also want to add that having TKIP enabled on an SSID can cause 802.11n (and newer) standards compliant APs to disable HT/VHT data rates, capping your maximum data rate to 54Mbps (802.11a/g speeds). You don't want TKIP enabled for both security and performance reasons (unfortunately, for many people the latter is of more importance). – YLearn Nov 16 '19 at 17:00
  • And what are the possible security risks involving WPA2 with TKIP that AES solves? – DaddyMike Nov 17 '19 at 18:20
  • @YLearn You're saying it in a way that can easily be misinterpreted. Just to be clear, if someone has WPA2 "mixed mode" enabled (that is, where AES-CCMP is enabled and preferred, but TKIP merely *available* for ancient clients that don't support AES-CCMP), it does NOT cause 802.11n or newer APs or clients to disable HT/VHT data rates. Those newer APs and clients just use AES-CCMP since it's available, and still get to use HT/VHT data rates. I know this from having done tons of interop testing and Wi-Fi certifications in my career. But TKIP is best left disabled anyway. – Spiff Nov 20 '19 at 19:37
  • @Spiff, I would disagree since I did say "can" and not "will". True, having TKIP available does not in itself disable HT/VHT data rates, but the presence of a single client (older or misbehaving) using TKIP will affect the entire BSS. I could also point out that it doesn't negate all the benefits of newer 802.11 amendments. However I find that with the vast majority of people that I deal with in my professional capacity designing/implementing/maintaining 802.11 networks, the blurry line of what exactly is impacted and when is less important than the possibility of the performance impact. – YLearn Nov 20 '19 at 20:22
  • The edit to the question now excludes AES-GCMP, which is a valid key/encryption combination. If you are going to be more specific than AES, you should include both CCMP and GCMP. – YLearn Nov 20 '19 at 20:25
  • @YLearn, I think most of what you are commenting about, such as performance, is outside of the scope of the question. I am inclined to edit it back to just say "AES" since there is no way to be 100% inclusive unless we try to list the alternative option to TKIP for *every single router interface*. I have worked with many routers that just say "AES", so if there is a ubiquitous alternative name for "AES" that some routers use, I will add it to the answer. – Romen Nov 20 '19 at 20:38
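
An added example, not part of the original thread or of the support article: the laptop in the question reports only the authentication type ("WPA2 Personal"), while the cipher is a separate field in the output of `netsh wlan show interfaces`. The sketch below parses that output and flags a WEP or TKIP connection; the sample text, the SSID and the exact cipher strings matched are assumptions (English-locale output).

```python
import re
import subprocess

# Cipher names as netsh is assumed to print them on English-locale Windows.
WEAK_CIPHERS = {"WEP", "TKIP"}      # the two the support article warns about
STRONG_CIPHERS = {"CCMP", "GCMP"}   # the AES modes named in the comments

# Constructed sample of `netsh wlan show interfaces` output, not a real capture.
SAMPLE = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : ExampleNet
    BSSID                  : 02:00:00:aa:bb:cc
    Radio type             : 802.11g
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
    Signal                 : 87%
"""

def parse_interfaces(text):
    """Return one {field: value} dict per wireless interface block."""
    interfaces = []
    for line in text.splitlines():
        # Split on the first colon only, so MAC addresses stay intact.
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":            # each interface block starts with Name
            interfaces.append({})
        if interfaces and value:
            interfaces[-1][key] = value
    return interfaces

def assess(iface):
    """Classify the negotiated cipher, independent of the WPA2 label."""
    cipher = iface.get("Cipher", "").upper()
    auth = iface.get("Authentication", "unknown")
    if cipher in WEAK_CIPHERS:
        return "weak", f"{auth} negotiated {cipher}; set the router to AES only"
    if cipher in STRONG_CIPHERS:
        return "ok", f"{auth} with AES-{cipher}"
    return "unknown", f"{auth} with cipher {cipher or 'not reported'}"

def live_output():
    """Run netsh on Windows and return its text for parse_interfaces()."""
    return subprocess.run(["netsh", "wlan", "show", "interfaces"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for iface in parse_interfaces(SAMPLE):   # swap SAMPLE for live_output()
        print(iface.get("SSID"), *assess(iface))
```

On the constructed sample this reports a weak connection even though the authentication field reads WPA2-Personal, which is the situation the answer describes.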