On 30/09/16 13:57, Alan DeKok wrote:
On Sep 30, 2016, at 6:53 AM, freeradius-users@latter.org wrote:
However I have just looked at the instructions we give to users wishing to connect their Windows 8 machine to the wifi network and have seen this:
- Untick “Verify the server’s identity by validating the certificate”
Which means that you have no security.
...in the event that someone goes to the effort of spoofing the SSID etc.
This is MUCH worse than storing clear-text passwords in the database.
I really wish that amateurs would stop trying to design security systems. They get most things wrong.
I have no idea why they did it that way. I will try and draw their attention to the issue. But if I may be so bold: the problem with security professionals is that they often don't seem to recognise the concept of "Good Enough". They only seem to accept things that are mathematically provably secure. And they can then end up with systems that are so complicated that hardly anybody actually uses them [0]. I live in Cambridge [1]. If you leave a bike unlocked for more than two minutes it *will* get stolen. But if it is locked - even with a lock that could be torn apart with bare hands - it probably will survive until you get back to it. So a really not very good lock is often Good Enough. Is providing Dot11 but not verifying the certificate Good Enough in this instance? I would guess that you do not think so. Other comments would be welcome. I have not yet formed an opinion. I am moving towards Not Good Enough. I do not profess to being a security professional. My main gig is writing code. I am trying to improve things. [0] see: PGP signatures, encrypted mail [1] Cambridge, England. More bicycles than people.