
cat-users - Re: [cat-users] Hardening of web server - <frame> difficulties?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] Hardening of web server - <frame> difficulties?
  • Date: Mon, 19 Oct 2015 12:32:53 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

For Windows, OS X and iOS installers, the real security should be
carried by the installer/profile signature, not by the web page signature.
CAT provides a user API which makes it very simple to fabricate another
front-end GUI, and of course to substitute the installer at the final moment.

We are yet to finalise signing of EAP-config profiles and implement this
in the Android eduroamCAT application.

This does not change the fact that I do not think that CAT should be
embedded in other pages, and I would vote for preventing this.
Tomasz


On 2015-10-19 at 12:14, Alan Buxey wrote:
> Surely you can look at your eduroam CAT web logs for the referrer? Collect
> them, then curl them to see how they are called?
>
> Either way... if eduroam CAT was in a frame then it might be worth
> thinking about what security concerns that actually gives, given that
> user/pass is via IdPs... a fake downloader provided? I'm often discussing
> with people after their tool gives out some warning ;)
>
> alan

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne (Information & Communication Technology Centre)
Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University)
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750, fax: +48-56-622-1850, mobile: +48-693-032-576
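An added example (not from this thread or the CAT project) of the two checks the discussion touches on: mining the web server's Referer field, as Alan suggests, for external sites that link to or frame CAT, and verifying that a response header set actually forbids framing. The log lines and the hostname `cat.example.org` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx "combined" log format; the quoted field after the size is Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real CAT traffic); cat.example.org is the
# assumed hostname of the CAT instance itself.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2015:12:10:01 +0200] "GET / HTTP/1.1" 200 5123 "https://cat.example.org/" "Mozilla/5.0"
203.0.113.6 - - [19/Oct/2015:12:10:07 +0200] "GET /?idp=42 HTTP/1.1" 200 7311 "https://it.university-a.example/wifi/" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2015:12:11:30 +0200] "GET /?idp=42 HTTP/1.1" 200 7311 "https://it.university-a.example/wifi/" "Mozilla/5.0"
203.0.113.8 - - [19/Oct/2015:12:12:02 +0200] "GET /?idp=7 HTTP/1.1" 200 7290 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Oct/2015:12:12:45 +0200] "GET /?idp=7 HTTP/1.1" 200 7290 "http://portal.university-b.example/help" "Mozilla/5.0"
"""

def external_referers(log_text: str, own_host: str) -> Counter:
    """Count page loads whose Referer host is not the CAT server itself.
    Those hosts are the candidates for pages that link to, or frame, CAT."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ref = m.group("referer")
        if ref == "-":
            continue  # no Referer sent (direct visit, or stripped by the browser)
        host = urlparse(ref).hostname
        if host and host.lower() != own_host.lower():
            counts[host.lower()] += 1
    return counts

def framing_blocked(headers: dict) -> bool:
    """True if the response headers forbid embedding in a <frame>/<iframe>:
    X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive whose
    source list is present and does not contain the wildcard."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return bool(parts[1:]) and "*" not in parts[1:]
    return False

if __name__ == "__main__":
    for host, n in external_referers(SAMPLE_LOG, "cat.example.org").most_common():
        print(f"{n:4d}  {host}")
```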