The Wi-Fi Protected Access II protocol - the de-facto standard for consumer Wi-Fi security - is vulnerable to an attack that allows malicious hackers to eavesdrop on Wi-Fi traffic.
The exploit is called KRACK, short for Key Reinstallation Attacks, and it works by affecting the four-way handshake used to establish a key for traffic encryption. The attack happens at the third step of the process when a key can be resent multiple times and when resent in a certain way, a cryptographic nonce can be reused so that the whole security operation is compromised.
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.
The whole research around the KRACK has been kept a secret in the past weeks, right before the scheduled public announcement at 8am ET on Monday.
Some companies like Aruba and Ubiquiti that sell wireless access points (WAPs) to the government and other large parties have already updates that patch this exploit, but the overwhelming majority of WAPs will be patched much later, and many will not be patched at all.
With this in mind, HTTP website traffic becomes exposed, but you can still have a secure browsing experience if you visit HTTPS only websites.