of Mac and Men

[Arran Cudbard-Bell]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander Clouter wrote:
> Arran Cudbard-Bell <a.cudbard-bell at sussex.ac.uk> wrote:
>> Paul Bartell wrote:
>>> Right. Its better to give crackers less information versus
>>> more. so others do not get login credentials. Though, if
>>> certificates were properly implemented, there would be mutual
>>> authentication
>> Exactly. The only attacks I know of that can be easily
>> implemented rely on administrator/user ignorance/stupidity.
>>
>> For example some administrators tell users to explicitly uncheck
>> the 'Validate Server Certificate' check box in their supplicants
>> (i've actually seen this in eduroam documentation *shudder*). The
>> result (depending on the EAP method used) is that when an
>> attacker comes along with an AP  broadcasting the same SSID as
>> trusted wireless infrastructure, users (or their supplicant
>> software) hand credentials over no questions asked.
>>
> Yeah, do a suitable[1] Google hack against 'ac.uk' and I wish we
> drank a lot more beer at Networkshop.
>
> Sigh. :-/
Plymouth, LSE and Exeter are all examples of this. In fact idiot proof
examples are hard to come by.

This is our offering:
https://wwwnew.sussex.ac.uk/roaming/mod/doc_pages/index.php?doc=setup_guide.winxp#configure_authentication_client

With Windows 2K/XP/Vista, supplicant settings are configured on a per
SSID basis, so should be locked down to a organisational CAs and
specific certificate CNs.  We tell users to check the 'Do not prompt
user to authorize new servers or trusted certification authorities'
for just that reason.  Never underestimate the desperation or blind
stupidity of a student craving a facebook fix.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkneguQACgkQcaklux5oVKJR3gCeK8fakVEfR6+QsjCGjnscrkFx
5YoAniSNy5g8F3Q0S5SXyd5FGWB0TZYS
=WiPo
-----END PGP SIGNATURE-----