cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Ralf Jung <jung AT mpi-sws.org>, A.L.M.Buxey AT lboro.ac.uk
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] eduroamCAT App sources available
- Date: Mon, 8 Feb 2016 12:55:09 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
> I did not know that there are even more parameters that the app sets.
> I'll give it a try then, once my institute supports it :)
>
> Out of interest... with the certificate being pinned already, are there
> any attacks fixing this server name (what server?) is defending against?
Only the *CA* certificate is pinned. If that is a commercial CA with
millions of valid certificates out there, it is (potentially) not very
difficult to get a valid cert from that CA.
That other cert will have a name showing that it's unrelated; but since
the name is not displayed nor checked, users will fall for it without
having a chance of noticing.
Only specifying the expected name *together with* the CA which issues a
cert on that name has the full security effect.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
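The difference described in the message above, shown as an added example that is not part of the original post or of the eduroamCAT app's sources. It uses wpa_supplicant network-block syntax for illustration; the identity, password, CA file path and server name `radius.example.org` are constructed placeholders.

```conf
# Constructed example. The two blocks are alternatives, not meant to be
# loaded together; all values except the SSID are placeholders.

# Weak: only the CA is pinned. Any server certificate that chains to this
# CA passes validation, whatever name it carries, and the user is never
# shown that name.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/placeholder-ca.pem"
}

# Corrected: the same CA plus the expected server name. The certificate
# must chain to ca_cert AND carry a dNSName (or CN) that equals, or is a
# subdomain of, the configured name. A certificate issued by the same CA
# to an unrelated name is rejected.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/placeholder-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

With a commercial CA in `ca_cert`, the second block is the one that ties the connection to the institution's own RADIUS server rather than to any customer of that CA.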