
cat-users - Re: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] eduroam and certificates


  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] eduroam and certificates
  • Date: Wed, 18 Aug 2021 09:49:54 +0200

Hi Vlad,

On 18.08.21 at 04:07, Vlad Mencl wrote:

> This is not really true. On Android 11, it asks you for "domain
> name" to check for in the certificate - and specifying one is
> mandatory.
>
> The domain name entered has to either exactly match a name in the
> certificate, or it can also be shortened to just the "domain name" of
> the certificate - I assume Android goes by the Public Suffix List to
> determine how many components of the name from the certificate to
> strip.
>
> So the security is reasonably good - at the very least, an attacker
> would have to get a certificate issued with a name falling under the
> institution's domain.

you are right, thanks. So you end up with
- CA has to be one of the 400+ "SSL Clearnet" CAs
- Server name MUST be pre-configured correctly

This makes an attack _much_ harder, so Google
has finally gotten this default setting kind of right.
It also matches the behaviour of Patrick's phone:
He switched the CA to a well-known public one, but kept the server name.
-> Both criteria are met, client is happy.

Regards
Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
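A small model of the two acceptance criteria discussed above (trusted CA plus a server name that either equals a certificate name or is a label-boundary suffix of it), added here as an illustration; it is not code from this thread, from Android, or from eduroam CAT. The PUBLIC_SUFFIXES set and the hostnames are constructed, and limiting how far a name may be shortened via the Public Suffix List follows Vlad's stated assumption rather than documented Android behaviour.

```python
from typing import Iterable, Optional

# Constructed subset of the Public Suffix List, enough for the example.
# (Assumption from the thread: Android uses the PSL to decide how many
# labels of the certificate name may be stripped.)
PUBLIC_SUFFIXES = {"de", "org", "ac.uk", "co.nz"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return 'example.de' for 'radius.example.de', or None if unknown."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The hostname is itself a public suffix: nothing registrable.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown TLD: refuse to shorten at all


def name_matches(configured: str, cert_name: str) -> bool:
    """Configured value must equal the cert name or be a suffix of it,
    cut at a label boundary and no shorter than the registrable domain."""
    configured = configured.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if configured == cert_name:
        return True
    # '.' prefix enforces the label boundary: 'marburg.de' must not
    # match 'radius.uni-marburg.de'.
    if not cert_name.endswith("." + configured):
        return False
    reg = registrable_domain(cert_name)
    if reg is None:
        return False
    # Allow 'uni-marburg.de' or 'hrz.uni-marburg.de', never bare 'de'.
    return configured == reg or configured.endswith("." + reg)


def server_cert_accepted(configured: str, cert_names: Iterable[str],
                         issuer_trusted: bool) -> bool:
    """Both criteria from Martin's summary must hold for the client to
    be happy: a trusted issuing CA AND a matching server name."""
    return issuer_trusted and any(name_matches(configured, n)
                                  for n in cert_names)


if __name__ == "__main__":
    # Constructed certificate names; a swapped CA with the right name passes.
    print(server_cert_accepted("uni-marburg.de",
                               ["radius.uni-marburg.de"], True))
```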


