
cat-users - Re: [[cat-users]] ProxyType: Auto on iOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Greg Haverkamp <gahaverkamp AT lbl.gov>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] ProxyType: Auto on iOS
  • Date: Mon, 23 Oct 2017 14:43:45 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> Is there a reason that this is set?
>
> We recently had a user who found himself receiving a TLS certificate
> error by, it appears, connecting to an inadvertently discovered proxy. 
> This occurred while connecting on our site, and while it hasn't been a
> problem that I've heard reported previously and I assume is an isolated
> event (our security group is investigating), is this a necessary
> setting at some sites?

The eduroam policy discourages, but allows for transparent proxies.

So, when your users roam to a random campus, there is a chance that they
will be DoSed if they would need to discover and use a proxy, but the
config didn't tell them to look.

So, yes, it is necessary at some sites.

As an eduroam Service Provider, you should always be in control of your
own network. That typically means: if your network does not foresee the
use of a proxy, you should actively advertise via the usual channels
(WPAD...) that there is no proxy on your network.

If you do not actively announce the non-existence of a proxy, then
someone else on your network might use the opportunity to make other
users discover his own, unauthorised proxy. That is true for any IP
network, and not specific to eduroam.

I can only guess that this one-off situation was caused by someone with
an attitude nearby, who advertised a proxy. A good way to counter such
is by adding DNS and DHCP entries which immediately tell users at
connection start time that there is no proxy.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
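
The reply above distinguishes a network that actively announces "no proxy" from one that stays silent and leaves room for someone else's advertisement. The following is an added example, not part of the original mail or of CAT, sketching how an operator could classify what a joining client would learn from WPAD. It assumes DHCP option 252 and the DNS name `wpad.<domain>` as the discovery channels; the function names, sample hosts and PAC bodies are constructed, and the PAC inspection is a regex heuristic rather than a JavaScript parser.

```python
import re
from urllib.parse import urlsplit

# String literal of each `return "..."` in a PAC script (heuristic, not a JS parser).
RETURN_RE = re.compile(r'return\s+(["\'])(.*?)\1', re.S)

def pac_directives(pac_text):
    """List every proxy directive the PAC script can return as a literal."""
    found = []
    for _quote, literal in RETURN_RE.findall(pac_text):
        found += [d.strip() for d in literal.split(";") if d.strip()]
    return found

def classify_wpad(dhcp_252, wpad_addrs, pac_text, own_hosts):
    """Classify what a client joining the network learns about proxies.

    dhcp_252   -- PAC URL seen in DHCP option 252, or None
    wpad_addrs -- addresses the name wpad.<domain> resolved to (may be empty)
    pac_text   -- body fetched from the advertised PAC URL, or None
    own_hosts  -- names/addresses of the operator's own PAC server(s)
    """
    if not dhcp_252 and not wpad_addrs:
        return "unannounced"          # nobody says "no proxy": room for a rogue answer
    sources = list(wpad_addrs)
    if dhcp_252:
        sources.append(urlsplit(dhcp_252.strip()).hostname)
    if any(s not in own_hosts for s in sources):
        return "foreign-source"       # advertisement points outside operator control
    if pac_text is None:
        return "pac-unreachable"
    directives = pac_directives(pac_text)
    if not directives:
        return "needs-review"         # returns are computed, not literals
    if all(d.upper() == "DIRECT" for d in directives):
        return "explicit-no-proxy"
    return "proxy-advertised"

# Constructed sample observations (documentation names and addresses).
OWN = {"wpad.example.org", "192.0.2.10"}
NO_PROXY_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }'
PROXY_PAC = 'function FindProxyForURL(url, host) { return "PROXY 198.51.100.7:3128; DIRECT"; }'

if __name__ == "__main__":
    print(classify_wpad(None, [], None, OWN))
    print(classify_wpad("http://wpad.example.org/wpad.dat", ["192.0.2.10"], NO_PROXY_PAC, OWN))
    print(classify_wpad("http://198.51.100.7/wpad.dat", [], PROXY_PAC, OWN))
```
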



