[OpenWireless Tech] Securing Open Wireless
"Andy Green (林安廸)"
andy at warmcat.com
Thu Jul 28 09:43:08 PDT 2011
On 07/28/2011 05:28 PM, Somebody in the thread at some point said:
> Hi!
>
> On 11:03 Thu 28 Jul , Christopher Byrd wrote:
> ...
>> - EAP-TLS without client authentication provides a secure wireless
>> connection without client authentication similar to how HTTPS works
>> for web sites.
>>
>> - Server certificate validation is possible. These changes would
>> benefit both this solution and existing closed (enterprise) EAP-TLS
>> and EAP-PEAP networks.
>
> I do not really see how the certificates would help at all. First, getting
> them has a significant time and cost impact, especially for individuals.
> Second, they do not protect you if the operator itself is evil. Third, you
> probably do not even need them for protection against man-in-the-middle
> attacks. See the last paragraph of my previous link at:
> http://michaelblizek.twilightparadox.com/projects/cor/internet_exit.html
> Fourth, these certificates might even make it easier to cause intented legal
> problems to the hotspot operator.
Yeah I don't think the aim should be to authenticate the AP. The AP
should not be trusted at all because in fact, you don't know what's
going on in there and there can and will be malicious APs.
In the VPN case, like SSL, the encrypted tunnel extends from the client
to the remote server, the AP is a conduit only for encrypted content he
can't decrypt. Then we don't have to care about snooping at the
untrusted AP, all he sees is encrypted mush to and from the VPN server.
he doesn't even know what sites you are visiting inside the encrypted
link since DNS can go down there as well.
-Andy
More information about the Tech
mailing list