cat-users - Re: [[cat-users]] eduroamCAT App sources available

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Ralf Jung <jung AT mpi-sws.org>
  • To: A.L.M.Buxey AT lboro.ac.uk
  • Cc: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroamCAT App sources available
  • Date: Mon, 8 Feb 2016 12:39:04 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT mpi-sws.org

Hi,

>> notification after every reboot, and I read somewhere that the warning
>> would not show up with eduroamCAT.
>
> no...it's still a 3rd party CA - which Google doesn't like

In one of the Android issues, an eduroamCAT developer claimed that since
eduroamCAT is using the WiFi Enterprise API (whatever that is), there
would be no warning. That's all I know^^
I can dig out the reference, if anyone is interested.

> is this just removing the warning? I get one warning at reboot (which is
> a rare event) but I wouldn't want some other random 3rd party certs being
> put onto my phone without being aware.... the *problem* here is Google's
> view of 3rd party certs.... but it's really the purpose of the cert. I ONLY
> want our CA root to be valid for network authentication.... (802.1X and
> VPN) and that's it. not for web sites or anything else.... thus the network
> traffic/web site data CANNOT be monitored and their fears/FUD is wrong.
> but they won't let us do this.....)

I run a nightly build of a custom ROM, so reboot is not so rare ;-) .
It removes that warning unconditionally. *If* someone is able to sneak a
cert on my phone without me noticing, that means they had control over
my device without me noticing. There is no way for me to defend against
that; they could do anything from swapping out Apps with bad versions to
installing backdoors fairly deep into the system. Attackers with
physical access to the unlocked device is not a threat model I am
defending against (and I don't think we have any technology available to
realistically defend against this, either).

I do approve that Google forces the use of a PIN or some other locking
mechanism before accepting custom certs. For devices without a lock, it
is just too easy to do something without the owner noticing. But showing
a warning on every reboot whenever a custom cert is installed? Clearly,
many people will rather just leave their eduroam *not* checked by a
cert, than having this warning. Worse, those institutes that do the
*right* thing and tell users to install a cert, also have to teach users
to ignore the security warning. So they will of course take security
warnings they see elsewhere similarly seriously. Overall, the effect of
this warning will, I think, be *less* security, not more.

Kind regards,
Ralf


