It's also probably worth acknowledging that many organizations do use MS-CHAPv2 for their inner authentication credentials, precisely because they want to depend on it for mutual authentication instead of managing/deploying a PKI.

Since the Defcon talk, I've gotten a ton of emails from people thanking me for making this available as a service, so that they can easily demonstrate why relying on MS-CHAPv2 for WPA2 mutual authentication is a bad idea to their organizations.

The article is correct, but the solution they outline is only "simple" in theory. Most organizations do not have a BYOD enforcement or onboarding process for their enterprise wireless networks, and they used to think MS-CHAPv2 made that OK.
MS-CHAPv2 is used by VPNs and can be used by RADIUS authentication services (to authenticate WIFI clients), but typically it won't be.

For almost all private individuals your WPA2 connection is still just as secure as it has ever been. For most businesses it is likely secure unless you're using a Microsoft RADIUS server for authentication (and even then, as the article says, the impact is almost nil).

Which isn't to say that the MS-CHAPv2 thing isn't a big deal: because it really is. It just doesn't have much to do with WIFI.
As part of the new Baseline Requirements for public CAs, certificate authorities are not able to issue certificates for internal purposes after 2015.

This means that your client will have to have the certificate installed on it *prior to authentication*. So a random person connecting to your AP may be subject to an untrusted certificate, or require manual installation before connecting.

So... in 2015, we might be fucked.
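As an added illustration (not from any poster in this thread) of the "certificate installed prior to authentication" point above, here is a wpa_supplicant network block for PEAP with MS-CHAPv2 as the inner method, first as it is commonly deployed with the outer TLS tunnel left unvalidated, then with the RADIUS server's certificate pinned to a provisioned CA and name; the SSID, identity, realm, CA path and server name are assumed placeholders.

```conf
# Weak: the supplicant accepts any server certificate, so the inner
# MS-CHAPv2 exchange (the only thing standing in for mutual auth here)
# runs against whichever RADIUS server answers for this SSID.
network={
    ssid="corp-wifi"                 # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # assumed user
    password="CHANGEME-placeholder"  # placeholder, not a real credential
    phase2="auth=MSCHAPV2"
    # no ca_cert and no name match: outer tunnel is unauthenticated
}

# Hardened: MS-CHAPv2 only runs once the server certificate chains to
# the CA the client was provisioned with and its name matches, which is
# the out-of-band install the post above says clients will need.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"   # outer identity, assumed realm
    identity="alice"
    password="CHANGEME-placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # assumed path to the provisioned CA
    domain_suffix_match="radius.corp.example"     # assumed RADIUS server name
}
```

Validating the tunnel confines the inner MS-CHAPv2 handshake to the legitimate server; it does not change the weakness of MS-CHAPv2 itself wherever that handshake is observable.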