[OpenWrt-Devel] EAP-TLS / EAP-TTLS PAP
bernd at kr217.de
Thu Mar 26 09:33:08 EDT 2015
Maybe you have been at the Chaos Communication Congress in Germany in the
last few years. Then you may have seen the WPA2 802.1X encrypted /public open
wireless access points/, where a user/client can choose their own
(random) name/password credentials.
(CA-CERT, sha-1 fingerprint:
Due to popular demand (and with security in mind) we provide WPA2
802.1X. This will encrypt your traffic, preventing attackers from
sniffing your data. Keep in mind that this won't protect you from
other network attacks and you should still be aware that you are at a
hacker conference! Your link layer should be secure if you do
certificate checking (see below).
Back in 2010 and 2012, one paper and some emails claimed that it is
possible to patch hostapd so that it does not require client certificates.
/* Mails from californiajack at tormail.org via [OpenWireless Tech] */
So what now? There is a project (
https://github.com/OpenSecurityResearch/hostapd-wpe ) where people
have patched and open-sourced hostapd so that it does not request client
certificates (and other things). So far so good, there are patches.
But I'm not a C/C++ hacker, and I will not touch TLS and other
critical encryption code and fuck it up just to compile my own version of hostapd.
If I want to use it, I want to use a well-maintained version, if there
is any. (?!)
However, I saw that all this stuff is specified:
there is "FreeRADIUS", which I heard will do similar stuff.
I was curious about that technology because it would be a nice thing for
our wireless community network. The sad fact today is that we do not
have wireless security, because in a flatly organised community you will
not have central credentials (that is stupid and not open), and you
will not have a central committee which verifies user client
certificates, which is even more of a closed system and can restrict user
access (really really bad!).
But if a user could choose his own (fake) credentials, we would have some
security against passive network sniffing. As you may know, there
are hundreds of shitty mobile apps with broken API calls and poor
TLS/SSL quality. We don't have to put our users at unnecessary risk.
We cannot expect that every user can use end-to-end VPN connections.
Further, if we had an active network scanner within our infrastructure,
we would have another problem. ...
OK, back to the plot:
Do you know any hostapd configurations or other software in OpenWrt which
can achieve that goal? Are there any issues which might lead to
problems, or other downsides I may have missed? Reasons against?
Thanks for comments and pointers!
Bernd Naumann <bernd at kr217.de>
PGP: 0xA150A04F via pool.sks-keyservers.net
XMPP: bn at weimarnetz.de
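The client-side certificate checking the post refers to ("your link layer should be secure if you do certificate checking"), as an added example that is not from the post, the congress, hostapd-wpe or FreeRADIUS: a wpa_supplicant network block for an 802.1X network whose authentication server accepts any username/password over EAP-TTLS/PAP. The SSID, the CA file path and the server name are made-up placeholders. When the server accepts any credentials, nothing stops a third party from running an access point with the same SSID and EAP setup, so the only thing that binds the client to the real network is validation of the authentication server's certificate; the block shows the weak form (no CA, any server accepted) beside the hardened one.

```conf
# Added example (not from the original post): wpa_supplicant network blocks
# for a WPA2-Enterprise network that accepts arbitrary EAP-TTLS/PAP
# credentials. SSID, file path and server name are placeholders.

# WEAK: no ca_cert, so the supplicant accepts whatever server certificate
# it is shown. A rogue AP with the same SSID completes the TTLS tunnel,
# receives the (worthless) PAP password and becomes the client's
# link-layer peer, which defeats the point of the encryption.
#network={
#    ssid="open-8021x"
#    key_mgmt=WPA-EAP
#    eap=TTLS
#    phase2="auth=PAP"
#    identity="anything"
#    password="anything"
#}

# HARDENED: verify the authentication server's certificate against a
# known CA and require the expected server name before the inner PAP
# exchange is ever sent.
network={
    ssid="open-8021x"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    # The outer (cleartext) identity is only a hint for the server;
    # the real identity and password travel inside the TLS tunnel.
    anonymous_identity="anonymous"
    identity="anything"
    password="anything"
    # PEM file holding the CA that issued the server's certificate.
    ca_cert="/etc/wpa_supplicant/open-8021x-ca.pem"
    # Additionally require this DNS name in the server certificate
    # (SAN dNSName or CN). A CA alone is not enough if that CA also
    # issues certificates to other parties, e.g. a public CA.
    domain_suffix_match="radius.example.net"
}
```

The CA certificate (or its fingerprint, as the congress announcement published it) has to reach the user over some channel the rogue AP cannot control, for example the network's website fetched over HTTPS or a printed notice; a client that fetches it over the very network it is about to join has verified nothing.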