--cafile enabling system-trust nevertheless?

Martin Pauly pauly at hrz.uni-marburg.de
Thu Sep 12 08:01:28 PDT 2024


On 11.09.24 20:22, David Woodhouse wrote:
> We choose EAP methods which involve handing our password in plain text
> (even if over EAP-(T)TLS) to the server we happen to be talking to.
> 
> I feel that warrants more attention.

I'm not 100% sure what you mean, but all passwords we intercepted during the test
came as MS-CHAPv2 hashes (about 200). After 10 mins, an average PC had cracked the first 2 of these.
We stopped there because investigating a hash algorithm that has been dead since 2012 was not our focus.
We encountered a few clients trying EAP/TTLS-PAP, guests from a university I know has been doing
TTLS-PAP since the start of eduroam. But these were smart enough to deny our trivial self-signed cert.
The colleagues at that place had obviously implemented said countermeasure and nailed the EAP outer/anonymous
identity to a special value. This spoils the thing for users who naively type in their username+PW, but do not
configure anything else. (Changing outer identity was part of the root cert migration plan anyway, but how do you
force BYOD users to abide by your instructions?)

Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg