18 Mar
2013
18 Mar
'13
11:31 a.m.
Brian Julin wrote:
Slightly OT, but I'd like to encourage folks here who have a google account to "star" up issue #37178 on code.google.com to see if we cannot get Android developers to make future versions of the OS behave sanely WRT which AAA server certificates they will accept.
Making things work is always on topic. Publicly shaming vendors who get RADIUS wrong is always on topic.
I also left a long screed there about what the optimal behavior might be which some here might like to comment on.
I'd suggest putting up a web page explaining how you can steal android credentials via a malicious AP. If you can get it to do TTLS + PAP for a random certificate, that's good for a CERT issue. And they'll pay attention to that. Alan DeKok.