--cafile enabling system-trust nevertheless?
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Wed Sep 11 01:27:14 PDT 2024
Hi,
The problem is not as much a counterfeit access point, as a counterfeit
RADIUS server.
A counterfeit access point might launch attacks such as distributing
rogue routing parameters through DHCP. However, that would be true of any
Wi-Fi network you connect to.
A counterfeit RADIUS server might steal your identifiers, which in some
organisations are not specific to the Eduroam service.
Dimitri
On 11/09/2024 at 05:29, Daniel Lenski wrote:
> Interesting. eduroam is the only 802.1x-using wifi network that I've
> ever configured *for myself*.
>
> But as an end user of eduroam, why should I actually be concerned if
> I've connected to a "counterfeit" eduroam access point, as long as it
> gives me real internet connectivity? The eduroam network doesn't
> really give me access to any particular internal network. There isn't
> really a trust boundary with eduroam. And if my device is sending any
> non-e2ee'd-and-cert-validated traffic, it's already susceptible to
> eavesdropping and MITM attacks by middleboxes on *any* network.
>
> Am I missing something in this case?
>
> I'd contrast this with a corporate or institutional wifi network
> ("BigCorp-Internal") where connecting to the internal network might
> imply some actual trust boundary between inside and outside, and so a
> forged AP would be of concern both to admins and to end users.
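As an added illustration of the credential-theft risk discussed above (this is not configuration from the thread or from the openconnect project), the following wpa_supplicant network block shows the weak pattern, where the supplicant trusts the whole system CA bundle for the RADIUS server's TLS certificate, beside a hardened form that pins the institution's CA and checks the server name. The SSID "eduroam" is real; the identities, passwords, file paths and the RADIUS host name are constructed placeholders.

```conf
# Weak: any publicly trusted CA can issue a certificate the supplicant
# will accept, so a counterfeit RADIUS server with a valid public cert
# can harvest the inner (MSCHAPv2) credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"            # placeholder
    password="REPLACE_ME"                  # placeholder
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # system trust store
    # no domain_suffix_match: server name is never checked
}

# Hardened: trust only the institution's own CA, require the server
# certificate to match the institution's RADIUS host, and send an
# anonymous outer identity so the real username is only visible inside
# the TLS tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"            # placeholder
    anonymous_identity="anonymous@example.edu"   # placeholder outer identity
    password="REPLACE_ME"                  # placeholder
    ca_cert="/etc/wpa_supplicant/example-edu-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.edu"   # placeholder RADIUS host
}
```

The important difference is the `ca_cert` line: a file containing only the home institution's CA means a rogue RADIUS server cannot pass TLS validation with a certificate from an unrelated public CA, and `domain_suffix_match` additionally rejects a certificate from the right CA issued for the wrong host.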
More information about the openconnect-devel mailing list