Android certificate validation behavior

Alan DeKok aland at deployingradius.com
Mon Mar 18 16:31:56 CET 2013


Brian Julin wrote:
> Slightly OT, but I'd like to encourage folks here who have a google
> account to "star" up issue #37178 on code.google.com to see if we cannot
> get Android developers to make future versions of the OS behave sanely
> WRT which AAA server certificates they will accept.

  Making things work is always on topic.

  Publicly shaming vendors who get RADIUS wrong is always on topic.

> I also left a long screed there about what the optimal behavior might be
> which some here might like to comment on.

  I'd suggest putting up a web page explaining how you can steal Android
credentials via a malicious AP.  If you can get it to do TTLS + PAP for
a random certificate, that's good for a CERT issue.  And they'll pay
attention to that.

  Alan DeKok.


