On 11.09.24 20:22, David Woodhouse wrote:
> We choose EAP methods which involve handing our password in plain text (even if over EAP-(T)TLS) to the server we happen to be talking to. I feel that warrants more attention.
I'm not 100% sure what you mean, but all passwords we intercepted during the test came as MS-CHAPv2 hashes (about 200). After 10 mins, an average PC had cracked the first 2 of these. We stopped there because investigating a hash algorithm that has been dead since 2012 was not our focus.

We encountered a few clients trying EAP/TTLS-PAP, guests from a university I know has been doing TTLS-PAP since the start of eduroam. But these were smart enough to deny our trivial self-signed cert. The colleagues at that place had obviously implemented said countermeasure and nailed the EAP outer/anonymous identity to a special value. This spoils the thing for users who naively type in their username+PW, but do not configure anything else. (Changing the outer identity was part of the root cert migration plan anyway, but how do you force BYOD users to abide by your instructions?)

Martin

-- 
Dr. Martin Pauly          Phone: +49-6421-28-23527
HRZ Univ. Marburg         Fax:   +49-6421-28-26994
Hans-Meerwein-Str.        E-Mail: pa...@hrz.uni-marburg.de
D-35032 Marburg
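The countermeasure Martin describes (a fixed anonymous outer identity, trust restricted to the institution's own CA, and a check on the server name so a rogue AP's self-signed certificate is refused) written out as a wpa_supplicant network block. This is an added example, not configuration from the original message or from any of the institutions mentioned; the SSID, realm, CA path and RADIUS hostname are placeholders. The first block is the "naive" configuration that hands the real username and an MS-CHAPv2 response to whatever server answers; the second is the hardened form.

```ini
# Weak: real username is sent as the outer (cleartext) identity, and with no
# ca_cert/domain_match the supplicant accepts any server certificate, so an
# attacker's AP receives both the username and an MS-CHAPv2 challenge/response.
network={
    ssid="eduroam"                          # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.org"             # placeholder realm
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: outer identity pinned to the institution's fixed value, only the
# institution's CA is trusted, and the certificate must carry the expected
# RADIUS server name; the real identity only travels inside the TLS tunnel.
network={
    ssid="eduroam"                          # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"   # placeholder, the "special value"
    identity="jdoe@example.org"                  # inner identity, placeholder
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"   # placeholder path
    domain_match="radius.example.org"                # placeholder hostname
    phase2="auth=PAP"
}
```

With `ca_cert` and `domain_match` set, wpa_supplicant aborts the TLS handshake before any inner authentication is sent, which is the behaviour the well-configured guests showed against the test AP. The weak block is what a user gets by typing only a username and password into a typical OS dialog, which is why the outer-identity policy alone cannot protect BYOD users who skip the rest of the instructions.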
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel