On Fri, 2010-06-04 at 10:49 -0700, L. David Baron wrote:
> I regularly want to access a particular wireless network using a
> password whose security I care about, but I currently avoid using
> this network because of security concerns I describe here. This
> wireless network has what appears to me to be a reasonable
> authentication mechanism for the desired level of security: it's
> using WPA2 Enterprise with EAP-MSCHAPv2 authentication (I hope I'm
> using the right terminology here), and has a valid cert signed by a
> well-known root CA, for a hostname that makes sense in context
> (i.e., its domain is the domain of the company operating the
> wireless network).
>
> However, the NetworkManager UI doesn't give me confidence in the
> handling of the security of my password, since it prompts me for
> (all at once):
>  * my username
>  * my password
>  * what root CA should be used (if any) to validate the cert
>
> In this particular case, it seems somebody could steal my password
> if they set up a wireless network nearby with the same SSID, a
> stronger signal, and a valid cert purchased from the same CA (but
> for a different domain). Or, if I choose the full root cert list
> for the CA (since I really don't know any other way to figure out
> what the right root CA is other than finding a friend with a Mac to
> connect to that wireless network), the attacker could use a valid
> cert from any CA.
>
> It seems to me that in cases where certificates are involved:
>  * the prompt for my username and password should not happen until
>    the cert has been checked, and it should display information
>    about the cert, i.e.:
>    + if the cert was signed by a CA in the root cert list, the
>      hostname the cert is for (and probably the CA that signed it,
>      and perhaps the fingerprint)
>    + otherwise, the cert's fingerprint
>  * when I enter a username and password for such a prompt, it should
>    only be used for wireless with that SSID+Cert combination, and
>    not for other wireless networks with the same SSID.
>
> It seems like this would prevent the attack described above, and
> also improve security in the self-signed cert case. A UI that
> worked this way would make me comfortable accessing the network in
> question using NetworkManager.
>
> Is this a reasonable request? Are there reasons the current UI is
> preferable to such a UI?
This is a reasonable request, and making the certificate UI better is something that I've wanted to do for a long time. Just a month or two or three ago Jouni added better cert validation results to wpa_supplicant, which means we now actually have a chance of getting better status about 802.1x authentication. Before, we'd have had to run wpa_supplicant in verbose mode and screen-scrape its output (which was really OpenSSL error messages) to find out what was going on.

I'd like to use this eventually (though wpa_supplicant isn't there yet) to prompt the user to accept the RADIUS server's certificate if it's not been seen yet, like Mac OS X and Windows do, and then save the fingerprint like you suggest and warn the user if that fingerprint changes. We're almost there, but we need a bit more intelligence underneath to do so.

Dan

_______________________________________________
networkmanager-list mailing list
http://mail.gnome.org/mailman/listinfo/networkmanager-list
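The policy the two messages above converge on (check the RADIUS server's certificate before asking for the password, bind the stored credentials to the SSID plus that certificate, and warn when a previously pinned fingerprint changes) written out as an added Python example. This is not NetworkManager or wpa_supplicant code. It assumes the supplicant's TLS layer has already validated the chain against the chosen CA list and extracted the certificate's DNS names; here those arrive in a constructed `ServerCert` dataclass with placeholder DER bytes. The hostname rule is the label-boundary suffix match that wpa_supplicant's `domain_suffix_match` option uses, which is what defeats the "valid cert from the same CA, but for a different domain" attack in David's message.

```python
"""Per-SSID server-certificate pinning for WPA2 Enterprise / 802.1X.

Constructed example (not NetworkManager or wpa_supplicant code).
Decision order, matching the thread's proposal:
  1. If a fingerprint is already pinned for this SSID, it must match.
  2. Otherwise require a CA-validated chain AND a server name under the
     expected domain before offering a username/password prompt.
  3. A chain that does not validate is shown to the user by fingerprint
     only (the self-signed case) and pinned if they accept it.
Credentials are stored under (SSID, fingerprint), so a rogue AP with the
same SSID but a different certificate never receives the password.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    # Stand-in for a parsed X.509 certificate. A real implementation would
    # take these fields from the supplicant's TLS layer; the DER bytes used
    # in the demo below are constructed placeholders, not real certificates.
    der: bytes
    dns_names: List[str]   # subjectAltName dNSName entries (CN as fallback)
    chain_valid: bool      # result of the CA-list check the supplicant does


def fingerprint(cert: ServerCert) -> str:
    """SHA-256 over the DER encoding, the value a UI would display and pin."""
    return hashlib.sha256(cert.der).hexdigest()


def domain_suffix_match(name: str, suffix: str) -> bool:
    """Label-boundary suffix match, as wpa_supplicant's domain_suffix_match.

    'radius.example.com' and 'example.com' match suffix 'example.com';
    'evil-example.com' and 'example.com.attacker.net' do not.
    """
    n = name.lower().rstrip(".")
    s = suffix.lower().rstrip(".")
    return n == s or n.endswith("." + s)


class EapCredentialStore:
    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}                      # ssid -> fp
        self._creds: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def check_server(self, ssid: str, cert: ServerCert,
                     expected_domain: str) -> str:
        """Classify the server cert BEFORE any password prompt is shown.

        Returns one of:
          'ok'           pinned fingerprint matches; use stored credentials
          'changed'      pinned fingerprint differs; warn, send nothing
          'untrusted'    no pin and chain not CA-valid; prompt with
                         fingerprint only (self-signed case)
          'wrong-domain' chain is CA-valid but the name is not under the
                         expected domain (rogue AP with a real cert)
          'new'          CA-valid and correct domain; prompt showing name,
                         issuer and fingerprint, pin on acceptance
        """
        fp = fingerprint(cert)
        pinned = self._pins.get(ssid)
        if pinned is not None:
            return "ok" if pinned == fp else "changed"
        if not cert.chain_valid:
            return "untrusted"
        if not any(domain_suffix_match(n, expected_domain)
                   for n in cert.dns_names):
            return "wrong-domain"
        return "new"

    def accept(self, ssid: str, cert: ServerCert,
               username: str, password: str) -> None:
        """User accepted the displayed cert: pin it and bind credentials."""
        fp = fingerprint(cert)
        self._pins[ssid] = fp
        self._creds[(ssid, fp)] = (username, password)

    def credentials_for(self, ssid: str,
                        cert: ServerCert) -> Optional[Tuple[str, str]]:
        """Credentials are released only for the exact SSID+cert pair."""
        return self._creds.get((ssid, fingerprint(cert)))


# Constructed scenario: the legitimate network and two rogue APs that
# advertise the same SSID.
SSID = "CorpWiFi"
LEGIT = ServerCert(b"constructed-der-legit", ["radius.example.com"], True)
ROGUE_SAME_CA = ServerCert(b"constructed-der-rogue", ["wifi.attacker.net"], True)
ROGUE_SELF_SIGNED = ServerCert(b"constructed-der-selfsigned",
                               ["radius.example.com"], False)


def demo() -> Dict[str, object]:
    store = EapCredentialStore()
    out: Dict[str, object] = {}
    out["first_contact"] = store.check_server(SSID, LEGIT, "example.com")
    store.accept(SSID, LEGIT, "dbaron", "hunter2")           # user accepts
    out["legit_again"] = store.check_server(SSID, LEGIT, "example.com")
    out["rogue_after_pin"] = store.check_server(SSID, ROGUE_SAME_CA, "example.com")
    out["rogue_gets_password"] = store.credentials_for(SSID, ROGUE_SAME_CA)
    fresh = EapCredentialStore()                              # no pin yet
    out["rogue_no_pin"] = fresh.check_server(SSID, ROGUE_SAME_CA, "example.com")
    out["selfsigned_no_pin"] = fresh.check_server(SSID, ROGUE_SELF_SIGNED,
                                                  "example.com")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks complement each other: the domain rule protects the very first connection, where there is nothing pinned yet, and the pin protects every later one, including against a certificate that would pass the domain rule (for example one obtained from a different CA in the full root list). Note that `domain_suffix_match` as a wpa_supplicant option postdates this 2010 thread.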
