Andriod certificate validation behavior
aland at deployingradius.com
Mon Mar 18 16:31:56 CET 2013
Brian Julin wrote:
> Slightly OT, but I'd like to encourage folks here who have a google
> account to "star"
> up issue #37178 on code.google.com to see if we cannot get Android
> developers to make
> future versions of the OS behave sanely WRT which AAA server
> certificates they will accept.
Making things work is always on topic.
Publicly shaming vendors who get RADIUS wrong is always on topic.
> I also left a long screed there about what the optimal behavior might be
> which some
> here might like to comment on.
I'd suggest putting up a web page explaining how you can steal android
credentials via a malicious AP. If you can get it to do TTLS + PAP for
a random certificate, that's good for a CERT issue. And they'll pay
attention to that.
More information about the Freeradius-Users