UI for dealing with certs appears insecure



I regularly want to access a particular wireless network using a
password whose security I care about, but I currently avoid using
this network because of security concerns I describe here.  This
wireless network has what appears to me to be a reasonable
authentication mechanism for the desired level of security:  it's
using WPA2 Enterprise with EAP-MSCHAPv2 authentication (I hope I'm
using the right terminology here), and has a valid cert signed by a
well-known root CA, for a hostname that makes sense in context
(i.e., its domain is the domain of the company operating the
wireless network).

However, the NetworkManager UI doesn't give me confidence in the
handling of the security of my password, since it prompts me for
(all at once):
 * my username
 * my password
 * what root CA should be used (if any) to validate the cert

In this particular case, it seems somebody could steal my password
if they set up a wireless network nearby with the same SSID, a
stronger signal, and a valid cert purchased from the same CA (but
for a different domain).  Or, if I choose the full root cert list
for the CA (since I really don't know any other way to figure out
what the right root CA is other than finding a friend with a Mac to
connect to that wireless network), the attacker could use a valid
cert from any CA.

It seems to me that in cases where certificates are involved:
 * the prompt for my username and password should not happen until
   the cert has been checked, and it should display information
   about the cert, i.e.:
   + if the cert was signed by a CA in the root cert list, the
     hostname the cert is for (and probably the CA that signed it,
     and perhaps the fingerprint)
   + otherwise, the cert's fingerprint
 * when I enter a username and password for such a prompt, it should
   only be used for wireless with that SSID+Cert combination, and
   not for other wireless networks with the same SSID.

It seems like this would prevent the attack described above, and
also improve security in the self-signed cert case.  A UI that
worked this way would make me comfortable accessing the network in
question using NetworkManager.


Is this a reasonable request?  Are there reasons the current UI is
preferable to such a UI?

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/
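Added example, not part of the message above: what the two validation choices David describes look like when written as wpa_supplicant network blocks (NetworkManager drives wpa_supplicant underneath). The SSID "CorpWiFi", the identity, the password, the CA bundle path and the domain "example.com" are assumptions, not values from the post.

```conf
# Added example; SSID, identity, password, CA bundle path and domain are
# placeholders.  The two network blocks are alternatives: keep only one.

# Weak: no ca_cert and no name check.  The supplicant accepts whatever server
# certificate it is shown, so an evil twin with the same SSID receives the
# MSCHAPv2 challenge/response and can attack the password offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.com"
    password="secret"
}

# Hardened: the server certificate must chain to a CA in the bundle AND
# carry a name under the operator's domain, so a certificate bought from the
# same CA for some other domain is rejected before any credential is sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer (cleartext) identity: do not leak the real username here.
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="secret"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="example.com"
    # Alternative that binds the credentials to this exact server certificate
    # (the SSID+cert pairing asked for above): pin its SHA-256 fingerprint
    # instead of trusting a CA bundle.  The hex value must be obtained from
    # the real server out of band; it is a placeholder here.
    # ca_cert="hash://server/sha256/<sha256 of the server cert in DER, hex>"
}
```

With the pinned form, a network that presents any other certificate, including a valid one from the same CA, fails the TLS handshake and the inner MSCHAPv2 exchange never starts.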