"Wifi network not secure" notification with WPA2 Personal
There is a support article for this notification that suggests you may be using TKIP encryption, even on a WPA2 Personal network.
...this can occur if you connect to a Wi-Fi network that uses WEP or TKIP for security. These security standards are older and have known flaws.
Make sure that your router is set up to use AES encryption.
DaddyMike
Updated on September 18, 2022
Comments
-
DaddyMike almost 2 years
Every time I connect to my Wi-Fi network with my Windows 10 1909 I get a notification about the network not being secure.
The network does use WPA2 Personal though (which is shown by multiple devices on the network: 2 Android devices show WPA/WPA2 PSK and my Windows 10 laptop shows WPA2 Personal), which I don't think is insecure.
Is there another reason why this notification pops up? And could this be related to internet cable maintenance in my area?
-
Spiff over 4 years
Make sure the AP does not have original WPA (TKIP) enabled in any way. It should be pure WPA2 (AES-CCMP) only. Original WPA had issues where a buggy device sending a malformed packet could be misinterpreted as an attack on the network and cause all devices on the network to be notified that the network was under attack.
-
JW0914 over 4 years
I would add CCMP to AES (i.e. AES-CCMP), as many routers' firmware doesn't specify AES but WPA2+CCMP.
-
YLearn over 4 years
You may also want to add that having TKIP enabled on an SSID can cause 802.11n (and newer) standards compliant APs to disable HT/VHT data rates, capping your maximum data rate to 54 Mbps (802.11a/g speeds). You don't want TKIP enabled for both security and performance reasons (unfortunately, for many people the latter is of more importance).
-
DaddyMike over 4 years
And what are the possible security risks involving WPA2 with TKIP that AES solves?
-
Spiff over 4 years
@YLearn You're saying it in a way that can easily be misinterpreted. Just to be clear, if someone has WPA2 "mixed mode" enabled (that is, where AES-CCMP is enabled and preferred, but TKIP merely available for ancient clients that don't support AES-CCMP), it does NOT cause 802.11n or newer APs or clients to disable HT/VHT data rates. Those newer APs and clients just use AES-CCMP since it's available, and still get to use HT/VHT data rates. I know this from having done tons of interop testing and Wi-Fi certifications in my career. But TKIP is best left disabled anyway.
-
YLearn over 4 years
@Spiff, I would disagree since I did say "can" and not "will". True, having TKIP available does not in itself disable HT/VHT data rates, but the presence of a single client (older or misbehaving) using TKIP will affect the entire BSS. I could also point out that it doesn't negate all the benefits of newer 802.11 amendments. However, I find that with the vast majority of people that I deal with in my professional capacity designing/implementing/maintaining 802.11 networks, the blurry line of what exactly is impacted and when is less important than the possibility of the performance impact.
-
YLearn over 4 years
The edit to the question now excludes AES-GCMP, which is a valid key/encryption combination. If you are going to be more specific than AES, you should include both CCMP and GCMP.
-
Romen over 4 years
@YLearn, I think most of what you are commenting about, such as performance, is outside of the scope of the question. I am inclined to edit it back to just say "AES" since there is no way to be 100% inclusive unless we try to list the alternative option to TKIP for every single router interface. I have worked with many routers that just say "AES", so if there is a ubiquitous alternative name for "AES" that some routers use, I will add it to the answer.
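As an added check that is not part of the question, the answer or any of the comments above: the script below parses the output of `netsh wlan show interfaces` on the Windows client and reports whether the cipher actually negotiated for the current connection is one Windows warns about (WEP/TKIP) or an AES one (CCMP, or GCMP as noted in the comments). It assumes the `Authentication` and `Cipher` field names that netsh prints; the sample output embedded in it is constructed, not captured from a real machine.

```python
"""Report the cipher a Windows Wi-Fi link negotiated, as parsed from
`netsh wlan show interfaces`.  Windows shows the "not secure" notice when
the link uses WEP or TKIP even if the network is WPA2-Personal, so the
negotiated cipher, not the authentication mode, is what to look at."""
import re
import subprocess
import sys

WEAK_CIPHERS = {"TKIP", "WEP"}      # what the support article warns about
STRONG_CIPHERS = {"CCMP", "GCMP"}   # AES-CCMP (WPA2) and AES-GCMP

# Constructed sample (not a real capture): WPA2-Personal that negotiated TKIP,
# which is exactly the situation that triggers the notification.
SAMPLE_TKIP = """
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet
    Radio type             : 802.11n
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
    Receive rate (Mbps)    : 54
"""


def parse_netsh(text):
    """Return the 'Key : Value' fields of the first interface block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?)\s*:\s*(.+?)\s*$", line)
        if m and m.group(1) not in fields:   # keep the first interface only
            fields[m.group(1)] = m.group(2)
    return fields


def assess(text):
    """Classify the negotiated cipher; returns (is_secure, reason).

    is_secure is True for CCMP/GCMP, False for WEP/TKIP, None if unknown
    or not connected."""
    f = parse_netsh(text)
    if f.get("State", "").lower() != "connected":
        return None, "interface not connected"
    cipher = f.get("Cipher", "").upper()
    auth = f.get("Authentication", "unknown")
    if cipher in WEAK_CIPHERS:
        return False, f"{auth} with {cipher}: Windows warns; set the AP to AES-CCMP only"
    if cipher in STRONG_CIPHERS:
        return True, f"{auth} with {cipher}: acceptable"
    return None, f"unrecognised cipher {cipher!r}"


if __name__ == "__main__":
    if sys.platform == "win32":
        out = subprocess.run(["netsh", "wlan", "show", "interfaces"],
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_TKIP   # offline demo on non-Windows hosts
    print(assess(out))
```

A False result means the client itself negotiated TKIP, so the AP's "mixed mode" is not protecting this link; a True result with TKIP still enabled on the AP only means this particular client chose CCMP.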