Microsoft is planning to remove WEP encryption from Windows 10.
Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3.
WEP is very old – it entered the scene in 1997 – and was cracked in 2001. It’s incredibly easy to crack, so it only makes sense to remove this outdated feature from Windows.
They shouldn’t remove WEP, just flag it as insecure, the same as open wifi…. WEP is still fine as what amounts to luggage locks for wifi….
cb88
That’s kind of what I was thinking, from a security perspective WEP isn’t worse than open wifi, just put a warning that it’s not secure and treat wep as unsecured, problem solved.
I don’t mind for APs to remove support for WEP, but it’s more annoying to have it removed from the client such that it cannot connect.
+1, removing the ability to connect to a WEP AP is only detrimental. I’m connecting to open wifi APs, why couldn’t I connect to WEP APs and use my own VPN or SSH tunnel if I so desire.
Why exactly does Windows 10 get to decide which networks I connect to? What if I tunnel everything through a VPN and have marked the network as “public” and don’t need strong encryption? What about open WiFi or even Ethernet which has no provision for encryption by itself?
This is Microsoft going all “we only support good standards” again in another phase of Apple envy. They did the same with email a while ago.
This.
Another example – MS has announced that they’ll be removing standard username/password authentication from all their O365 services, with the exception of SMTP. Everything must be OAUTH/OpenID as of October next year.
That means no existing apps will work with POP, IMAP, EWS, Remote Powershell, it will break most ActiveSync implementations out there, anything that talks to their web services will need re-engineering etc.
They say “we’ll implement support for our custom brand of OAUTH in those other services!”
But so far, none of the promised extensions to IMAP, POP3, etc exist. Nor are specified. Let alone standardized.
Customers, apparently, should also find 12 months sufficient notice to get whatever software they’re using rewritten to support these unspecified and unimplemented new proprietary protocols. Never mind the various line of business apps out there that simply can’t be just redeveloped.
Microsoft says it’s doing this to help customers. Even the ones that specifically don’t want help.
It’s not Microsoft’s job to dictate usage models. Advise, recommend, warn, sure but it’s their job to deliver a product that works.
Unfortunately, Windows 10 is nowadays just an O365 delivery platform, and the O365 ecosystem is heavily built around vendor lock-in, and MS is making any other licensing model more difficult or impossible…
The future, sadly, is a small set of services vendors controlling most of IT.
I’m up in the air about this. I really don’t care. But I can see that if they leave it in they should definitely bring the user’s attention and urge them to use caution. I rarely use WEP. If I do, it’s with VPN.
If supporting WEP has hit the law of diminishing returns from their point of view, so be it. I don’t particularly have much sympathy for those who insist on using old antiquated, crippled, or compromised systems or methods. And, I don’t see the problem with letting go of an option you’re never going to use. I see no shortage of people not wanting to give up “choice” but how many people does this *actually* affect? I don’t expect stores to carry cassette players in the extremely unlikely circumstance that someone might wander in looking for one.
The problem is that usually when you have many ways of getting a connection this won’t affect you at all. You could always use 4G sharing if you happen to find the odd WEP-only AP.
But then one time when you actually are backpacking through some place in south-eastern Asia or anywhere else, you’ll be in that cheap hostel that has an old AP nobody is taking care of except for the occasional reboot when clients complain that the Internet doesn’t work. And it’ll be set up with WEP and a password printed on the wall. And you’ll be sorry that your Win10 machine cannot connect. You’ll proceed to go have a beer and a nice evening. It may be a good move after all.
The question is… What about your older equipment that still needs WEP? A lot of us older folks have gadgets and even iOTa that run on WEP or No security. That said, if M$ is going to remove WEP support, they should remove Open Access also… But I digress, I believe that WEP removal should be removed from the AP first, and after the majority of OEMs follow suit, then the Desktop OS.
Considering how easily & quickly WEP is cracked, older equipment depending on WEP is no more secure with than without it. It’s not a matter of “WEP or no security”, it’s that WEP *is* no security, only the transparent illusion of it. If you’re depending on WEP to keep you secure then it’s time you upgrade, or switch to an OS that caters to old outdated insecure hardware.
Why should open access be removed? Not everything needs to be locked tightly down, or at all when they’re roads to nowhere. And, why should OS providers wait for hardware makers to remove something before removing it from their own products? Are those hardware makers subsidizing the continued support & maintenance? Nope. If the OSes deprecate WEP, which they should, then the hardware makers will likely follow suit. The end result is the same and it doesn’t matter who flinches first.
It’s such a contradiction to see people constantly promoting “security” as a top priority and then having a problem when Microsoft takes a step towards better security by dumping support for encryption that was broken 15+ years ago.
So how do I upgrade my Nintendo DS Lite to better than WEP? You don’t. It’s WEP or nothing. The Sony PSP only has WPA. Windows is killing WEP today, and tomorrow it’ll be WPA. Upgrading is sometimes neither necessary, nor an option. So someone can snoop on my game of Doom on my PSP… big friggin’ whoop. I don’t use my DS or PSP for banking. I guess your only choice coming for that is unprotected wifi. How soon until that’s no longer a choice either?
JLF65,
I have an internet mp3 player that doesn’t support WPA (and doesn’t really need privacy). I’ve already written it off, and choose to run WPA1/2, but I know it’s frustrating. Maybe you can have a separate network for WEP gadgets? This would be a good use case for VLANs, but that’s usually not supported with cheap consumer gear 🙁
It can connect to Open WiFi. With current techniques WEP can be cracked in a matter of seconds, so the best way to isolate that insecure network is to quarantine it with a properly locked down VLAN or guest network.
I will never ever run something like that using consumer gear even if I don’t do banking, maybe your wired clients do more sensitive work and your old and outdated gear is infected and used as a door to your network, or something like the integrated camera or microphone gets compromised. When you check firewall logs on a regular basis you suddenly understand that the Internet is a battlefield.
friedchicken,
The thing is, technically all of your defenses for open wifi apply to wep as well. As long as users are notified that WEP connections are not secure, then it does not pose any security threat over open wifi access points.
As many people have said already, the security argument falls flat. It’s a flimsy premise that supporting WEP on the client decreases security, which is plainly false considering that the security of typical public access points are equally insecure.
A more logical and less controversial argument that you could make for removing it would be to say that WEP is obsolete and redundant, which is true and requires no further justification with weak arguments about it being detrimental for security, when in many cases it really isn’t.
Another point that hasn’t been brought up yet regarding WPA is that WPA security can be misleading as well because although it encrypts the traffic, it does not necessarily guarantee who you are talking to. It becomes easy for an impostor to set up a rogue access point using properly encrypted WPA credentials and then dupe users into connecting to the wrong AP to establish a man in the middle attack with full access to the raw packets. This could even trick security professionals who don’t have their guard up 24/7 and may not even know which APs are authentic in a public setting.
Even when wifi is secure, traffic usually is not secure in the LAN, cable infrastructure, at the ISP, on the internet backbone, etc. For this reason, it’s actually more important to use a VPN and/or encrypt the application level protocols than to assume wifi is always secure. The good news is that as long as you are using secure protocols/VPN, the insecurity of the medium becomes a moot issue.
The principal benefit of WPA is controlling access to a network from strangers, but IMHO it isn’t a substitute for protocol level crypto where data privacy is important.
“As many people have said already, the security argument falls flat. It’s a flimsy premise that supporting WEP on the client decreases security, which is plainly false considering that the security of typical public access points are equally insecure.
A more logical and less controversial argument that you could make for removing it would be to say that WEP is obsolete and redundant, which is true and requires no further justification with weak arguments about it being detrimental for security, when in many cases it really isn’t.”
Supporting WEP doesn’t decrease security, but it doesn’t provide any either. Using WEP doesn’t provide security, merely the illusion of it for those who never got the memo on how easily & quickly it can be cracked. I see no difference between that argument and saying WEP is obsolete. It makes no sense to say there’s no security argument to be had when the very purpose of WEP is to provide a level of security.
I absolutely agree with your points about WPA and protocol level crypto. There are plenty breach entries as it is so the harder you can make it for bad actors to put hands on useful data, the better, even if that means sacrificing old & outdated stuff. People can’t have it both ways. They can’t demand security and then throw a fit when you start tossing things out that are blatantly unsecure. It’s a bizarre inconsistency to witness. Like I said in my other post, if the lack of WEP is such a huge deal, Windows 10 isn’t the os for them.
“friedchicken
If supporting WEP has hit the law of diminishing returns from their point of view, so be it. I don’t particularly have much sympathy for those who insist on using old antiquated, crippled, or compromised systems or methods. And, I don’t see the problem with letting go of an option you’re never going to use. I see no shortage of people not wanting to give up “choice” but how many people does this *actually* affect? I don’t expect stores to carry cassette players in the extremely unlikely circumstance that someone might wander in looking for one.”
Yo a*hole……Because it’s *NONE* of your fracking business if people choose to use WEP or not on *THEIR* equipment, that’s why.
Just like it’s *NONE* of your business if people choose to buy a cassette player to play their cassette tape collection.
Get a life, loser.
I couldn’t care less what people use, and I doubt Microsoft does either. Where did I state otherwise? *NOWHERE*. But don’t be dumb enough to think that Microsoft has any obligation to support WEP because *YOU* say so or refuse to stop using it. If WEP is so important to you then switch to an os that continues to support it. If you want to buy a cassette player then find somewhere that still sells them, don’t throw a fit because Best Buy doesn’t. Best Buy couldn’t care less about your cassette collection, and neither do I.
“friedchicken
I couldn’t care less what people use, and I doubt Microsoft does either. Where did I state otherwise? *NOWHERE*. But don’t be dumb enough to think that Microsoft has any obligation to support WEP because *YOU* say so or refuse to stop using it. If WEP is so important to you then switch to an os that continues to support it. If you want to buy a cassette player then find somewhere that still sells them, don’t throw a fit because Best Buy doesn’t. Best Buy couldn’t care less about your cassette collection, and neither do I.”
So don’t whine when people stick with Windows XP and Windows 7 like people like you usually do……
PS. Who’s stupid enough to actually *BUY* anything from Best Buy besides you and your friends?
The Employee discount you guys get for that overpriced crap isn’t that great dude…..
If all you’re going to do is make up ridiculous nonsense, why bother replying in the first place? You’re not even funny or witty at all, just …. dumb.
“friedchicken
If all you’re going to do is make up ridiculous nonsense, why bother replying in the first place? You’re not even funny or witty at all, just …. dumb.”
I never said you worked at Best Buy, you did. Explains a lot though, like why you sound a lot like the idiots who work there and Radio Shack before it went under.
Umm, no I didn’t. And you sound like someone who hasn’t been taking whatever meds you’ve been prescribed to keep you somewhat connected to reality. Seriously, something is very wrong with you.
It was such an informative post for me. I got a lot of unknown WEP encryption knowledge from your explanation. I am also using Windows 10, but I faced an iTunes installation problem in my Windows 10. I tried many possible processes but iTunes won’t install on my system. If anyone faced this type of problem and got any solution, then suggest it to me.