Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Thu Jan 20 20:56:36 CET 2011


> To clarify, they can pretend to be a valid server, because *anyone* signed by Verisign is a valid server.

> To go one step further, they can have verisign sign a CA, and then use that CA to create *any* certificate they want,
> including one which pretends to be your server.  Most users won't bother reading the entire certificate chain.
> They'll just see "mit.edu" (or whatever) and click "OK".

Ahh, I see what you mean.  Thank you for the clarification.  The masses of undereducated and/or apathetic users out there are the biggest challenges facing IT pros.

Thanks again.


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:48 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle attack, but isn't that what the private key is for, to prevent just that?

  To clarify, they can pretend to be a valid server, because *anyone* signed by Verisign is a valid server.

  To go one step further, they can have verisign sign a CA, and then use that CA to create *any* certificate they want, including one which pretends to be your server.  Most users won't bother reading the entire certificate chain.  They'll just see "mit.edu" (or whatever) and click "OK".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
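The trust decision Alan describes, modelled as an added example (it is not code from this thread or from FreeRADIUS) using only the openssl command line. It builds two constructed CAs, a "campus" CA that the institution runs itself and a stand-in for a broad public CA, issues a genuine server certificate from the campus CA and a certificate with the same server name from the public CA, and then shows that a supplicant which trusts the whole public CA bundle accepts the look-alike, while one that pins the institution's own CA and checks the server name does not. All names (radius.example.edu, the CA subjects, the file layout) are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): models the trust decision a supplicant
# makes about a RADIUS server certificate, using only the openssl CLI.
# Every CA, hostname and certificate here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME "SUBJECT": self-signed CA certificate and key (demo CA, not a real one)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CA NAME HOSTNAME: server certificate for HOSTNAME signed by CA
issue_server_cert() {
    ca=$1; name=$2; host=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" 2>/dev/null
}

# check_server_cert TRUSTED_CA_FILE CERT_FILE EXPECTED_HOST
# Succeeds (exit 0) only if CERT chains to a CA in TRUSTED_CA_FILE *and*
# names EXPECTED_HOST; this is the check a well-configured supplicant makes.
check_server_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# trust_decision LABEL TRUSTED_CA_FILE CERT_FILE EXPECTED_HOST: human-readable verdict
trust_decision() {
    if check_server_cert "$2" "$3" "$4"; then
        echo "$1: accept"
    else
        echo "$1: reject"
    fi
}

# The institution's own CA, and a stand-in for a widely trusted public CA.
make_ca campus   "/O=Example University/CN=Example University RADIUS CA"
make_ca publicca "/O=Some Public CA/CN=Some Public Root"

# Genuine server certificate, and one with the same name from the other CA.
issue_server_cert campus   radius    radius.example.edu
issue_server_cert publicca lookalike radius.example.edu

# A trust store that contains both CAs stands in for "trust every public CA".
cat "$WORK/campus.pem" "$WORK/publicca.pem" > "$WORK/trust-everything.pem"

PRIVATE_CA="$WORK/campus.pem"
BROAD_TRUST="$WORK/trust-everything.pem"
GENUINE="$WORK/radius.pem"
LOOKALIKE="$WORK/lookalike.pem"

trust_decision "pinned campus CA, genuine cert"      "$PRIVATE_CA"  "$GENUINE"   radius.example.edu
trust_decision "pinned campus CA, look-alike cert"   "$PRIVATE_CA"  "$LOOKALIKE" radius.example.edu
trust_decision "broad trust store, look-alike cert"  "$BROAD_TRUST" "$LOOKALIKE" radius.example.edu
trust_decision "pinned campus CA, wrong server name" "$PRIVATE_CA"  "$GENUINE"   radius.example.com
```

The second and third lines of output are the point of the thread: the same look-alike certificate is rejected when the supplicant only trusts the CA the institution controls, and accepted when it trusts a broad public CA bundle, because a name match alone says nothing about who issued the certificate. The last line shows that pinning the CA is not sufficient either; the expected server name must be checked as well, which is what the "connect to these servers" style setting on a Windows supplicant, or domain matching on wpa_supplicant, provides.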
