Comment by evil-olive
16 hours ago
> You already have to assume the most likely adversary is the entity running the free wifi
why do you have to assume that?
you're at Acme Coffeeshop. their wifi password is "greatcoffee" and it's printed next to the cash register where all customers can see it.
with WPA2 you have to consider N possible adversaries - Acme Coffee themselves, as well as every single other person at the coffeeshop.
...and also anyone else within signal range of their AP. maybe I live in an apartment above the coffeeshop, and think "lol it'd be fun to collect all that traffic and see if any of it is unencrypted".
with WPA3 you only have to consider the single possible adversary, the coffeeshop themselves.
Because it's a near certainty (at least in the US) that businesses will spy on you to the extent that they can, but it's actually incredibly rare to be around a nerd with Wireshark? Things like Facebook used to not use HTTPS long after public wifi was ubiquitous and you could easily sniff people, and it basically didn't matter. Now nearly everything uses TLS so it really doesn't matter. Actually most public wifi I encounter has no security.
> Actually most public wifi I encounter has no security.
that was also one of the things fixed [0] in WPA3.
it sounds like you don't consider it relevant to your personal threat model. but the experts in charge of the standard apparently thought it was important to have in general.
0: https://en.wikipedia.org/wiki/Opportunistic_Wireless_Encrypt...