Security issues with public CA and signing certificates?
Hello everyone, I am following up on what Alan wrote two years ago regarding self-signed certificates and public CAs. The concern was regarding the possibility of setting up a rogue access point. For clients who do not have WiFi pre-configured, does not change anything if it is a self-signed certificate or a certificate from a public CA, because most of the users would trust the *fake* RADIUS certificate if it has all the humanly-readable field of the *original* certificate. For clients who do have WiFi pre-configured, Alan stated that people who use self-signed CAs for RADIUS are safe from this attack, while people who use public CAs might not be safe since someone could pay the $3k or so to get a signing certificate issued by that same CA and create the server certificate. According to Alan, this approach should work because most supplicants historically have not cached the *server* certificate. Instead, they only track the CA certificate. By googling I was able to download the exact CA certificate we use and I was also able to download one of the three signing certificates (I suppose the root), so probably the two signing certficates I wasn't able to find are the intermediate ones. However, on iOS, whenever I download the configuration profile I can see all the info of the CA certificate and the three signing certificates. Would be possible for someone with major hacking skills to deploy the server certificate by downloading or creating the signing certificates with all these informations (not sure whether the private keys can be found)? June.
On Mar 9, 2019, at 7:21 AM, June Murderer <june.murderer@yandex.com> wrote:
By googling I was able to download the exact CA certificate we use and I was also able to download one of the three signing certificates (I suppose the root), so probably the two signing certficates I wasn't able to find are the intermediate ones.
However, on iOS, whenever I download the configuration profile I can see all the info of the CA certificate and the three signing certificates.
Would be possible for someone with major hacking skills to deploy the server certificate by downloading or creating the signing certificates with all these informations (not sure whether the private keys can be found)?
If you don't have the private keys, you can't create a server certificate. The CA certs are public for a reason. The information in them can't be used to do anything nefarious. You need the private keys. Alan DeKok.
I see, thanks. So, as you stated two years ago, the only way to work on pre-configured clients would be to pay $3k or so to get the signing certificate signed with the private key of the CA (assuming the supplicant tracks only the CA certificate)? June. 09.03.2019, 14:25, "Alan DeKok" <aland@deployingradius.com>:
On Mar 9, 2019, at 7:21 AM, June Murderer <june.murderer@yandex.com> wrote:
By googling I was able to download the exact CA certificate we use and I was also able to download one of the three signing certificates (I suppose the root), so probably the two signing certficates I wasn't able to find are the intermediate ones.
However, on iOS, whenever I download the configuration profile I can see all the info of the CA certificate and the three signing certificates.
Would be possible for someone with major hacking skills to deploy the server certificate by downloading or creating the signing certificates with all these informations (not sure whether the private keys can be found)?
If you don't have the private keys, you can't create a server certificate.
The CA certs are public for a reason. The information in them can't be used to do anything nefarious. You need the private keys.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 9, 2019, at 10:07 AM, June Murderer <june.murderer@yandex.com> wrote:
I see, thanks.
So, as you stated two years ago, the only way to work on pre-configured clients would be to pay $3k or so to get the signing certificate signed with the private key of the CA (assuming the supplicant tracks only the CA certificate)?
If the client can't load new CA certificates, yes. Alan DeKok.
I'm not sure how that's relevant. Could you elaborate, please? Thanks! June. 09.03.2019, 16:31, "Alan DeKok" <aland@deployingradius.com>:
On Mar 9, 2019, at 10:07 AM, June Murderer <june.murderer@yandex.com> wrote:
I see, thanks.
So, as you stated two years ago, the only way to work on pre-configured clients would be to pay $3k or so to get the signing certificate signed with the private key of the CA (assuming the supplicant tracks only the CA certificate)?
If the client can't load new CA certificates, yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
June Murderer