-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Bartell wrote:
Right. Its better to give crackers less information versus more. so others do not get login credentials. Though, if certificates were properly implemented, there would be mutual authentication
Exactly. The only attacks I know of that can be easily implemented rely on administrator/user ignorance/stupidity. For example some administrators tell users to explicitly uncheck the 'Validate Server Certificate' check box in their supplicants (i've actually seen this in eduroam documentation *shudder*). The result (depending on the EAP method used) is that when an attacker comes along with an AP broadcasting the same SSID as trusted wireless infrastructure, users (or their supplicant software) hand credentials over no questions asked. With PEAPv0, the inner method (MsCHAPv2) is insecure which is why it's wrapped in a TLS tunnel. If you strip off the TLS tunnel MsCHAPv2 becomes trivial to break. EAP itself is not insecure, but is susceptible to exactly the same kind 'phishing' attacks used with other methods that rely a user entering a userid and password (possibly more so as many supplicants will cache credentials). Arran
On Tue, Apr 7, 2009 at 8:12 AM, Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote: Paul Bartell wrote:
I too have had weird behavior on macs. I just ended up using mac-address authentication (due to insecurities in EAP. (or possibly rumored, i havn't seen a paper on it yet)) Wait what... You went to Mac-Based authentication because you thought EAP was insecure ?
Ohh are you referring to the scaremongering 'The Register' was doing last year? Because of course, anyone with a hacked copy of FreeRADIUS can steal all your users credentials !
On Tue, Apr 7, 2009 at 7:08 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Have you actually traced the wireless traffic (passively), are you sure it's the Macs at fault with this one? as everything works fine on the same Mac when it runs Vista (yes, I know...) and works all okay on random PCs and PDAs/smartphones..the big greasy pointy finger is pointing decidedly at the OSX
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkneX+UACgkQcaklux5oVKInpgCeJ1zXDxSXmHhSi/gYyuVI/JkO fkUAn0wrgrRFZH+2i3YJtGUI5dBbyTHx =/r0T -----END PGP SIGNATURE-----