On Thu, 5 Dec 2002, Mike McCauley wrote:
> It's true that TTLS does not require a cert on the client.
>
> I guess the theory is that the server authenticates itself to the client by
> virtue of the fact that it has a valid server certificate, and then the
> client authenticates itself to the server by virtue of the fact that it has
> the correct user's password. All the authentication traffic between client and
> server (including over-the-air) is encrypted inside TLS (which is basically
> the same as SSH).
>

Unfortunately, it is a bit more complex than that. If you search for "man in
the middle" TTLS on Google, you'll come across a PDF here:

http://www.saunalahti.fi/~asokan/research/tunnel.pdf

Basically, it claims that MITM attacks are possible when an inner protocol is
tunneled through a protected tunnel provided by the outer protocol. Now I do
not know whether something of this nature is feasible, but when designing a
security solution it's something that you should keep in mind.

Kevin "Starfox" Arima
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
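The design issue the linked paper describes is a binding problem: if the session key handed to the client comes from the outer tunnel alone, nothing ties the inner (password) authentication to the particular tunnel it ran through, so whoever terminates the server's tunnel ends up holding the key even though it was the real client who answered the password challenge. The model below, which is an added illustration and not code from this thread or from any TTLS implementation, simulates both ends with toy HMAC-based key derivation (not a standards-compliant PRF) and shows the usual mitigation, which is an assumption on my part as the relevant fix rather than something the post states: derive a compound session key from both the tunnel key and the inner-method key, so a peer whose inner authentication ran in a different outer context fails key confirmation. The `simulate` function, its `relay`/`bind` parameters and the "middleman" role are hypothetical names for the model.

```python
import hashlib
import hmac
import secrets


def kdf(label: bytes, *keys: bytes) -> bytes:
    """Toy key derivation: HMAC-SHA256 keyed by the concatenated inputs (illustrative only)."""
    return hmac.new(b"|".join(keys), label, hashlib.sha256).digest()


def inner_method_key(password: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Models the inner password method: both holders of the password derive the same key.
    A party that merely forwards the inner messages never learns this key."""
    return hmac.new(password, server_nonce + client_nonce, hashlib.sha256).digest()


def key_confirmation(session_key: bytes) -> bytes:
    """MAC sent to the server to prove possession of the derived session key."""
    return hmac.new(session_key, b"key-confirmation", hashlib.sha256).digest()


def simulate(relay: bool, bind: bool) -> dict:
    """relay: the server's tunnel is terminated by a middleman that forwards the inner method
    to the real client in a different outer context. bind: use compound key derivation."""
    password = secrets.token_bytes(16)  # constructed shared secret known to client and server only

    # Outer tunnel: the tunnel key is known to whoever terminates the tunnel on the client side.
    server_tunnel_key = secrets.token_bytes(32)
    if relay:
        middleman_tunnel_key = server_tunnel_key     # middleman is the server's tunnel peer
        client_tunnel_key = secrets.token_bytes(32)  # client's own, different outer context
    else:
        middleman_tunnel_key = None
        client_tunnel_key = server_tunnel_key

    # Inner method: nonces pass through unchanged, so both password holders agree on the key.
    server_nonce, client_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    client_inner_key = inner_method_key(password, server_nonce, client_nonce)
    server_inner_key = inner_method_key(password, server_nonce, client_nonce)

    if bind:
        # Compound binding: the session key depends on the tunnel key AND the inner key.
        client_session_key = kdf(b"compound", client_tunnel_key, client_inner_key)
        server_session_key = kdf(b"compound", server_tunnel_key, server_inner_key)
        middleman_session_key = None  # lacks the inner key, so it cannot derive anything
    else:
        # Unbound: the session key is a function of the outer tunnel alone.
        client_session_key = kdf(b"tunnel-only", client_tunnel_key)
        server_session_key = kdf(b"tunnel-only", server_tunnel_key)
        middleman_session_key = kdf(b"tunnel-only", middleman_tunnel_key) if relay else None

    # Key confirmation: a middleman holding a session key answers itself; otherwise it can only
    # forward the client's confirmation, which was computed in the client's own outer context.
    if middleman_session_key is not None:
        received, sender = key_confirmation(middleman_session_key), "middleman"
    else:
        received, sender = key_confirmation(client_session_key), "client"
    accepted = hmac.compare_digest(received, key_confirmation(server_session_key))
    return {
        "server_accepts": accepted,
        "accepted_peer": sender if accepted else None,
        "middleman_knows_session_key": middleman_session_key == server_session_key,
    }


if __name__ == "__main__":
    for relay in (False, True):
        for bind in (False, True):
            print(f"relay={relay!s:5} bind={bind!s:5} -> {simulate(relay, bind)}")
```

With `relay=True, bind=False` the server accepts the middleman's key confirmation and the middleman holds the session key; with `relay=True, bind=True` the client's compound key was derived under a different tunnel key, the middleman cannot derive one at all, and the server rejects the exchange. The non-relayed cases succeed either way, which is why the unbound design looks correct in normal operation.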
