Jesse, All I'm saying is: If security is that important for your customers, that they are calling you even before the scope of this vulnerability is out in the open (it's still a lab case), then they should already be using Apps that use SSL communication directly between the client app and the backend. Oh, and if you've read the krack site, it's mostly a clientside issue
I work at a university. Should I tell all our students to use VPN? While for sensitive information requiring VPN use should be done, it's not practical in all situations.
I think another aspect of this is the PR side. When the CIO says they have people asking "does this affect us" it shouldn't require a long explanation of "yes, but only if you're not using VPN, not using secure apps, etc etc.
You can play Ruckus' cards all you want. "It's still a lab case..." Really? If I could prove there was another WPA2 vulnerability to where you could steal the PSK, but it wasn't in the wild yet, would you expect Ruckus to have a patch before somebody packaged up in a nice little tool for script kiddies? Would you care if you could just update Windows to mitigate the new threat? Apparently you wouldn't, and that makes you incompetent and naive in network security. I won't address your other noise again about apps using SSL.
Nobody is arguing that we shouldn't have to patch our clients, but even they have stated to patch BOTH. Well we can't do that yet. According to the latest word that will be two weeks away at the earliest for 'some' devices. Now we are waiting on a managers response about how everything is just fine, so long as 'xyz' is in place, or not in use. That's not acceptable. If you wanted to reassure everyone of the risks to certain features and the network safety otherwise, that should have been in the day one security brief assuring us of this with an ETA date on the firmware releases and which models.
Playing Ruckus' card - Really? Gezus.. All I'm saying is: keep the perspective! This thread is going nuts over how all wifi is suddenly useless, when facts is, it's not!This thread is going nuts over how all security is suddenly compromised and peoples highly secret communications is at risk, and I'm simply pointing out: It the communications it that secret, you should have other security measures in place! I'm not fond if how Ruckus is handling this either, but stop making the world come to and end over this, when in fact it's not.