
cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Certificate validation


  • From: Jørn Åne <jorn.dejong AT uninett.no>
  • To: cat-users AT lists.geant.org
  • Cc: rubenv AT drcmr.dk
  • Subject: Re: [[cat-users]] Certificate validation
  • Date: Mon, 22 Jan 2018 11:06:46 +0100

On 19/01/2018 14:04, Ruben Vestergaard wrote:
> Greetings! New here, been trawling the archive, but please forgive
> if I miss something obvious :)
>
> From the FAQ:
>
> (?) I can connect to eduroam simply by providing username and
> password, what is the point of using an installer?
>
> (!) When you are connecting from an unconfigured device your
> security is at risk. The very point of preconfiguration is to set
> up security, when this is done, your device will first confirm that
> it talks to the correct authentication server and will never send
> your password to an untrusted one.
>
> The very point of TLS is to verify that you're talking to the
> correct server in the first place (okay, encryption, however) - why
> doesn't my O/S flat out reject the connection if the certificate is
> unverifiable?
>
> Why does PEAP even bother with TLS if it isn't going to use it?

When you connect to eduroam, there is no host name you can verify the
TLS certificate against. When you connect to an HTTPS website, you
enter a domain name and connect to a server that must present a
certificate with the same name. If the name doesn't match, the
certificate isn't valid.

It's not that easy with wifi networks, such as eduroam. There is no
DNS equivalent for SSIDs; anybody can set up an access point and call
it «eduroam». Since there is no way to verify the trustworthiness of
the certificate, a lot of OSes simply assume everything is in order,
or ask the user to confirm. A lot of users will confirm without
reading, thinking «Yes, I *do* want to connect to the internet!»

The point of using an installer is to tell your OS which certificate
is okay for eduroam to use and which isn't. Which certificate is
necessary depends on your Identity Provider (IdP; the organisation
that gave you your eduroam account). The installer is necessary
because your OS has no idea itself which certificate is used by your IdP.

I hope this answers your question. :)


--
Jørn Åne
System developer
UNINETT AS

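To make the point of the reply above concrete, here is what a preconfigured supplicant profile looks like next to an unconfigured one. This is an added illustration, not part of the original message and not output of the CAT installer itself; it is written for wpa_supplicant, and the realm example.edu, the CA file path and the RADIUS server name radius.example.edu are assumed placeholders that would come from the user's own IdP. The important thing to notice is where the expected name comes from: not from the SSID (anyone can broadcast "eduroam") but from the IdP's profile, which is exactly what the installer provides.

```ini
# --- Unconfigured: what "just type username and password" amounts to ---
# Constructed example. No ca_cert means the supplicant does not validate the
# server certificate at all; any access point calling itself "eduroam" that
# presents any certificate gets the MSCHAPv2 exchange, i.e. the password hash.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# --- Preconfigured: what an installer/profile from the IdP sets up ---
# Constructed example; CA path and server name are assumptions standing in
# for the values the IdP publishes.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    # Outer identity: only the realm is sent in the clear, so the password
    # and real username stay inside the TLS tunnel.
    anonymous_identity="anonymous@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    # Pin the trust anchor: the chain must lead to the IdP's own CA, not to
    # whatever happens to be in the OS store.
    ca_cert="/etc/ssl/certs/example-edu-eduroam-ca.pem"
    # Replace the missing "host name" check: the server certificate must
    # carry this name, which the IdP tells us and the SSID cannot.
    domain_match="radius.example.edu"
}
```

With the second block, wpa_supplicant aborts the EAP exchange before sending any inner credential if the chain does not verify against the pinned CA or the certificate name does not match, which is the "will never send your password to an untrusted one" behaviour the FAQ describes. Other supplicants express the same two settings under different names (a trusted root plus an expected server name); the two facts are what the installer carries.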



