Very true, thank you for pointing that out as well.
Note to anyone following:
If you use a certificate signed by a general authority (VeriSign, for
example), then anyone with a VeriSign cert will be trusted in your place
and able to "authenticate" your users, i.e. as a man in the middle.
They'll have access to the unencrypted password payload (NT,
cleartext), which is a severe security compromise. That's why you
(should) always use an internal Certificate Authority, where you control
which certs are signed and distributed.
On 9/20/2011 00:31, Alan DeKok wrote:
Christ Schlacta wrote:
I thought if you had a certificate signed by a trusted root CA, you were
good and didn't need to install anything on the client.
It's true that you don't need to install anything on the client. It's
*not* true that it's a good idea.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
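The trust problem described in the thread, reproduced as an added example (this is not code from the list, FreeRADIUS, or either poster). It builds two throwaway CAs with openssl(1): one standing in for a public CA that will sell a certificate to anyone, one standing in for the site's internal CA. It then checks which server certificates a supplicant would accept depending on which CA it is pinned to. The names (internal-ca, public-ca, radius.example.org, anything.example.net) are made up for the demo, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example for the "use an internal CA" note above; not from the list thread.
# Assumes openssl(1) is installed. All certificate names are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME -> self-signed root CA in $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# issue_server_cert CA_NAME OUT_NAME CN -> server cert for CN signed by that CA
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# client_accepts TRUSTED_CA_NAME CERT_NAME -> 0 if a supplicant that trusts only
# TRUSTED_CA_NAME would accept the presented server certificate, 1 otherwise.
# Like many EAP supplicants in their default setup, this checks only the chain,
# not the server's name.
client_accepts() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# run_demo -> builds both CAs and three server certs, prints the outcome of
# each scenario, and returns 0 when the results match the thread's warning.
run_demo() {
    make_ca public-ca                      # stands in for VeriSign et al.
    make_ca internal-ca                    # the site's own CA

    # Weak setup from the thread: the RADIUS server bought a public cert...
    issue_server_cert public-ca   radius-public   radius.example.org
    # ...and so can anyone else. This is the attacker's perfectly valid cert.
    issue_server_cert public-ca   impostor        anything.example.net
    # Fix: the RADIUS server cert comes from the internal CA instead.
    issue_server_cert internal-ca radius-internal radius.example.org

    echo "client trusts public CA:"
    client_accepts public-ca radius-public   && echo "  real server cert: accepted"
    client_accepts public-ca impostor        && echo "  impostor's cert:  accepted -> MITM can harvest credentials"

    echo "client trusts only the internal CA:"
    client_accepts internal-ca radius-internal && echo "  real server cert: accepted"
    if client_accepts internal-ca impostor; then
        echo "  impostor's cert:  accepted (should not happen)"; return 1
    fi
    echo "  impostor's cert:  rejected -> attacker cannot pose as the server"

    # the weak configuration must have let the impostor through
    client_accepts public-ca impostor
}

run_demo
```

Pinning the supplicant to a CA that signs nothing but your own RADIUS server certificate is what closes the hole: the only certificate it will ever chain up is yours. Pinning to a public CA is not a real restriction, because the impostor's certificate chains up just as well.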