Alexander Clouter wrote:
> Arran Cudbard-Bell <[email protected]> wrote:
>> Paul Bartell wrote:
>>> Right. It's better to give crackers less information versus
>>> more, so others do not get login credentials. Though, if
>>> certificates were properly implemented, there would be mutual
>>> authentication.
>> Exactly. The only attacks I know of that can be easily
>> implemented rely on administrator/user ignorance/stupidity.
>>
>> For example, some administrators tell users to explicitly uncheck
>> the 'Validate Server Certificate' check box in their supplicants
>> (I've actually seen this in eduroam documentation *shudder*). The
>> result (depending on the EAP method used) is that when an
>> attacker comes along with an AP broadcasting the same SSID as
>> trusted wireless infrastructure, users (or their supplicant
>> software) hand credentials over, no questions asked.
>>
> Yeah, do a suitable[1] Google hack against 'ac.uk' and I wish we
> drank a lot more beer at Networkshop.
>
> Sigh. :-/

Plymouth, LSE and Exeter are all examples of this. In fact, idiot-proof examples are hard to come by.
This is our offering:

https://wwwnew.sussex.ac.uk/roaming/mod/doc_pages/index.php?doc=setup_guide.winxp#configure_authentication_client

With Windows 2K/XP/Vista, supplicant settings are configured on a per-SSID basis, so should be locked down to organisational CAs and specific certificate CNs. We tell users to check the 'Do not prompt user to authorize new servers or trusted certification authorities' for just that reason.

Never underestimate the desperation or blind stupidity of a student craving a Facebook fix.
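As an added example (not from this thread, FreeRADIUS or the Sussex guide), here is the same lock-down checked for wpa_supplicant rather than the Windows supplicant the post discusses, which is an assumption on my part: a small audit that parses network blocks and flags those missing the CA pin and server-name match that the 'uncheck Validate Server Certificate' advice throws away. The config text is constructed for the example.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the thread): the first block is
# the equivalent of unchecking 'Validate Server Certificate'; the second pins the
# organisational CA and the RADIUS server name, as the post recommends.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.ac.uk"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.ac.uk"
    ca_cert="/etc/ssl/certs/example-org-ca.pem"
    domain_suffix_match="radius.example.ac.uk"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
def parse_networks(conf):
    """Return one dict of key=value fields per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets
def audit_network(net):
    """Findings for one 802.1X block; an empty list means the server is pinned."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK or open network: no server certificate involved
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
        findings.append("no server name match: any cert issued by that CA is accepted")
    return findings
def audit(conf):
    return [audit_network(n) for n in parse_networks(conf)]
```

The first block yields two findings and the second none; the same two checks correspond to the organisational CA and certificate CN settings the post locks down per SSID on Windows.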

