
cat-users - Re: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



  • From: Vlad Mencl <vladimir.mencl AT reannz.co.nz>
  • To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam and certificates
  • Date: Wed, 18 Aug 2021 14:07:21 +1200


Hi Martin,

Two comments on the behaviour of Android with respect to the certificate validation:

On 18/08/21 04:47, Martin Pauly wrote:


> But if the new cert has been signed by the root cert your Android already was set up to expect,
> everything is fine. As long as root cert and server name do not change,
> the verification process is exactly the same, and hence the result is the same.

Yes, Android allows you to specify "Use system certificates" as what to validate against - so in that case, changing the root from one public CA to another would still work.

Patrick, did you have this set on your phone?

[snip]

> Android as provided by Google (e.g. AOSP, Pixel phones) has adopted this policy for WiFi 802.1X
> logon as a sort of default. The old, really dangerous "Do not validate" setting is gone.
> The most liberal way to go is called "Use system defaults". This means:
>  - Accept any PKI whose root cert is in Android's JAVA certs store (Android equivalent of /etc/ssl/certs).
> Since the supplicant still has no clue as to the servername to expect, it accepts anything.

This is not really true. On Android 11, it asks you for "domain name" to check for in the certificate - and specifying one is mandatory.

The domain name entered has to either exactly match a name in the certificate, or it can also be shortened to just the "domain name" of the certificate - I assume Android goes by the Public Suffix List to determine how many components of the name from the certificate to strip.

So the security is reasonably good - at the very least, an attacker would have to get a certificate issued with a name falling under the institution's domain.


Cheers,
Vlad



--
Vladimir Mencl
Senior Software Engineer

Research & Education
Advanced Network NZ Ltd

M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz
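The server-name check that Vlad describes above (the configured domain must either exactly match a name in the RADIUS server's certificate, or be that name with its leading labels stripped), written out as an added Python example. This is not Android's or wpa_supplicant's code, and it is not part of the original message: it implements a label-boundary suffix match against the certificate's SubjectAltName dNSNames (falling back to the CN only when there are none), and it stands in for the Public Suffix List that Vlad assumes with a constructed three-entry table, used only to refuse a configured domain that is itself a public suffix. The certificate names are constructed sample input; `uni-marburg.de` is used because it is the domain in the thread.

```python
"""Label-boundary server-name check for an 802.1X (EAP) server certificate.

Added example, not Android's or wpa_supplicant's implementation.  The rule
implemented is the one described in the message above: the configured
"domain name" is accepted if it equals a dNSName in the certificate or if
the dNSName ends with "." + configured domain.  Comparison is done one DNS
label at a time, so "evil-uni-marburg.de" does NOT match "uni-marburg.de".
"""

# Constructed stand-in for the Public Suffix List: a handful of suffixes,
# enough to show the check.  The real list has thousands of entries.
PUBLIC_SUFFIXES = {"de", "nz", "ac.nz", "co.nz", "org", "com"}


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, strip a trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def is_public_suffix(domain: str) -> bool:
    """True if the configured domain is a public suffix (constructed table)."""
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def suffix_match(configured: str, cert_name: str) -> bool:
    """True if cert_name == configured, or cert_name ends with '.' + configured
    on a whole-label boundary.  Wildcard names ("*.example") are refused:
    a wildcard cert should not be what an authentication server presents."""
    if cert_name.startswith("*."):
        return False
    want, have = _labels(configured), _labels(cert_name)
    if len(want) > len(have):
        return False
    return have[-len(want):] == want


def server_name_ok(configured: str, san_dns_names: list, cn: str = None) -> bool:
    """Decide whether the server certificate's names satisfy the configured domain.

    configured     - the mandatory "domain name" the user typed into the
                     Wi-Fi profile (an empty value is an error, as on Android 11)
    san_dns_names  - dNSName entries from the certificate's SubjectAltName
    cn             - subject CN, consulted only when no dNSName is present
    """
    if not configured:
        raise ValueError("a domain name to match is mandatory")
    if is_public_suffix(configured):
        # Design choice of this example: matching only a public suffix would
        # accept any certificate issued under e.g. ".de", so refuse it outright.
        raise ValueError("configured domain %r is a public suffix" % configured)
    names = san_dns_names if san_dns_names else ([cn] if cn else [])
    return any(suffix_match(configured, n) for n in names)


def demo() -> dict:
    """Run the check against constructed certificate names and return the verdicts."""
    configured = "uni-marburg.de"
    return {
        # the institution's own RADIUS server, a few labels deeper: accepted
        "own_server": server_name_ok(configured, ["radius1.hrz.uni-marburg.de"]),
        # look-alike registered next door: rejected by the label boundary
        "lookalike": server_name_ok(configured, ["evil-uni-marburg.de"]),
        # institution's name as a prefix of an attacker-controlled name: rejected
        "prefix_attack": server_name_ok(configured, ["radius.uni-marburg.de.evil.example"]),
        # legacy cert with no SAN, CN is used instead: accepted
        "cn_fallback": server_name_ok(configured, [], cn="Radius.UNI-Marburg.DE"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-14s %s" % (case, "accept" if verdict else "reject"))
```

With "Use system certificates" selected, this name check is the only thing standing between the supplicant and any certificate chaining to a public root, which is why the example treats the domain as mandatory and refuses a bare public suffix.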


