susanemcg / DigitalSecurityForJournalists


Section on "secure connections" to wireless routers is slightly inaccurate #5

Closed AdamZ closed 10 years ago

AdamZ commented 10 years ago

In section 3.1, you write

Thus, while your device is still sending all its messages across the room, those messages are protected in such a way that only your device and the router can “hear” what is being sent.

This isn't strictly true, however. Most wifi routers, even those in many businesses, are set up in pre-shared key mode (usually called WPA2 home or something similar). While technically each client negotiates a separate key with the router, that negotiation can be eavesdropped on by any other device that knows the network password. Additionally, it is possible to force a client to re-negotiate a key, so an attacker that joins a network after their victim can still eavesdrop on traffic.

Long story short, anyone who knows the network password (whether legitimately or not) can see all messages travelling on the local network if they want to. As far as I understand it, the only mitigation is to use WPA2 with 802.1x authentication (usually called WPA2 enterprise), which is complex and involves setting up a server with users/passwords and certificates and such.

Having said all that, since the rest of the book advocates end-to-end encryption whenever possible, it's probably not a huge deal. However, it might be worth mentioning at some point that others connected to the same network can also intercept your traffic, even if it's a secure wireless network.
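The key derivation behind the comment above, as an added example that is not part of the original issue or the book. It follows the standard WPA2 derivation (PBKDF2 for the PMK, the 802.11 PRF for the pairwise key) and models WPA2 enterprise as a random per-session PMK; the SSID, passphrase, MAC addresses, nonces and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: the 256-bit PMK depends only on the passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Per-client pairwise key (48 bytes for CCMP) from the PMK and handshake values."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

# Constructed sample values. The MAC addresses and both nonces travel
# unencrypted in the first two handshake messages.
SSID = "newsroom-example"
PASSPHRASE = "constructed-passphrase"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def psk_keys_match() -> bool:
    """Pre-shared key mode: the passphrase is the only secret input."""
    station = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                         AP_MAC, STA_MAC, ANONCE, SNONCE)
    other_member = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID),
                              AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(station, other_member)

def enterprise_keys_match() -> bool:
    """802.1X mode, modelled: each session gets its own PMK from authentication."""
    station = derive_ptk(os.urandom(32), AP_MAC, STA_MAC, ANONCE, SNONCE)
    other_member = derive_ptk(os.urandom(32), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(station, other_member)
```

`psk_keys_match()` returns `True` because every input other than the shared passphrase is visible on the air, while `enterprise_keys_match()` returns `False` because no other network member holds the session's PMK.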

susanemcg commented 10 years ago

This is a great point. I debated quite a bit in writing this about how much detail to include on the negotiation of wireless connections. The distinction between WPA2 home vs. enterprise is really valuable, though, and I think worth including in the main text. If I can resolve my linking issues(!) I'll add as an aside and link to your more detailed explanation here. Thanks for posting such a thorough (and well-written!) explanation.