Don’t buy into the Hype.
KRACK is real.
What isn’t real is being able to “realistically” use this attack in the wild without being VERY obvious about it. I mean VERY obvious.
Here’s a technical “KRaCK Crib Sheet” I compiled from various sources while educating on the details when this was announced.
KRaCK for WPA/WPA2 Tl;dr: — To Exploit: — Must be within range of a Client. — Better to be within range of Client and… (ghostbin.com)
It’s worth noting “what it takes” to currently exploit this in a “controlled environment.” That said, it will probably be a matter of time before it can be done more quickly and easily in a lesser-controlled environment. So, time is on your side. Use it to patch where you can.
And if you can’t — make sure you use SSL. Because while you can’t recover a network key, you can eavesdrop on traffic. But if that traffic is encrypted, well, then not such a big deal. (Here’s where your commentary about VPN use is particularly brilliant.)
Although currently the “RISK” is hype, the awareness/exposure of the flaw is valuable in several ways.
Risk will change, though. So it will pay to be diligent.
But is the world coming to an end?