http://www.informationweek.com/story/IWK20021204S0006
yawn,
MRL

At 10:44 PM 12/4/2002 -0500, Kevin Arima wrote:
On Thu, 5 Dec 2002, Mike McCauley wrote:
> It's true that TTLS does not require a cert on the client.
>
> I guess the theory is that the server authenticates itself to the client by
> virtue of the fact that it has a valid server certificate, and then the
> client authenticates itself to the server by virtue of the fact that it has
> the correct user's password. All the authentication traffic between client and
> server (including over-the-air) is encrypted inside TLS (which is basically
> the same as SSH).
>
Unfortunately, it is a bit more complex than that. If you search for "man in
the middle" TTLS on Google, you'll come across a PDF here:
http://www.saunalahti.fi/~asokan/research/tunnel.pdf
Basically, it claims that MITM attacks are possible when an inner protocol
is tunneled through a protected tunnel provided by the outer protocol.
Now I do not know whether something of this nature is feasible, but when
designing a security solution it's something that you should keep in mind.
Kevin "Starfox" Arima
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
____________________________________________________________
Marcos R. Lara
Founder, Managing Dir.
Tel: 917.541.3812

the cool wind of the last breath of summer is now in the air and on it are the truest words ever told you can hear them if you listen like white whispering noise it's in the rustling trees and on every tumbled leaf
____________________________________________________________
