Slightly OT, but I'd like to encourage folks here who have a google account to "star" up issue #37178 on code.google.com to see if we cannot get Android developers to make future versions of the OS behave sanely WRT which AAA server certificates they will accept. I also left a long screed there about what the optimal behavior might be which some here might like to comment on. The URL is http://code.google.com/p/android/issues/detail?id=37178
Brian Julin wrote:
Slightly OT, but I'd like to encourage folks here who have a google account to "star" up issue #37178 on code.google.com to see if we cannot get Android developers to make future versions of the OS behave sanely WRT which AAA server certificates they will accept.
Making things work is always on topic. Publicly shaming vendors who get RADIUS wrong is always on topic.
I also left a long screed there about what the optimal behavior might be which some here might like to comment on.
I'd suggest putting up a web page explaining how you can steal android credentials via a malicious AP. If you can get it to do TTLS + PAP for a random certificate, that's good for a CERT issue. And they'll pay attention to that. Alan DeKok.
Hi,
I'd suggest putting up a web page explaining how you can steal android credentials via a malicious AP. If you can get it to do TTLS + PAP for a random certificate, that's good for a CERT issue. And they'll pay attention to that.
dont even need that. if it doesnt check/trust the certificate then PEAP/MSCHAPv2 is also open and ready to be unpeeled. alan
Alan DeKok wrote:
I'd suggest putting up a web page explaining how you can steal android credentials via a malicious AP. If you can get it to do TTLS + PAP for a random certificate, that's good for a CERT issue. And they'll pay attention to that.
The FreeRADIUS-WPE patches have been out since at least 2008, but I guess having something that specifically shows an Android yielding up credentials might be more provocative, yes.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian Julin