Re: UI for dealing with certs appears insecure



On Fri, 2010-06-04 at 10:49 -0700, L. David Baron wrote:
> I regularly want to access a particular wireless network using a
> password whose security I care about, but I currently avoid using
> this network because of security concerns I describe here.  This
> wireless network has what appears to me to be a reasonable
> authentication mechanism for the desired level of security:  it's
> using WPA2 Enterprise with EAP-MSCHAPv2 authentication (I hope I'm
> using the right terminology here), and has a valid cert signed by a
> well-known root CA, for a hostname that makes sense in context
> (i.e., its domain is the domain of the company operating the
> wireless network).
> 
> However, the NetworkManager UI doesn't give me confidence in the
> handling of the security of my password, since it prompts me for
> (all at once):
>  * my username
>  * my password
>  * what root CA should be used (if any) to validate the cert
> 
> In this particular case, it seems somebody could steal my password
> if they set up a wireless network nearby with the same SSID, a
> stronger signal, and a valid cert purchased from the same CA (but
> for a different domain).  Or, if I choose the full root cert list
> for the CA (since I really don't know any other way to figure out
> what the right root CA is other than finding a friend with a Mac to
> connect to that wireless network), the attacker could use a valid
> cert from any CA.
> 
> It seems to me that in cases where certificates are involved:
>  * the prompt for my username and password should not happen until
>    the cert has been checked, and it should display information
>    about the cert, i.e.:
>    + if the cert was signed by a CA in the root cert list, the
>      hostname the cert is for (and probably the CA that signed it,
>      and perhaps the fingerprint)
>    + otherwise, the cert's fingerprint
>  * when I enter a username and password for such a prompt, it should
>    only be used for wireless with that SSID+Cert combination, and
>    not for other wireless networks with the same SSID.
> 
> It seems like this would prevent the attack described above, and
> also improve security in the self-signed cert case.  A UI that
> worked this way would make me comfortable accessing the network in
> question using NetworkManager.
> 
> 
> Is this a reasonable request?  Are there reasons the current UI is
> preferable to such a UI?

This is a reasonable request and making the certificate UI better is
something that I've wanted to do for a long time.  Just a month or two
or three ago Jouni added better cert validation results to
wpa_supplicant, which means we now actually have a chance of getting
better status about 802.1x authentication.  Before, we'd have had to run
wpa_supplicant in verbose mode and screen-scrape its output (which was
really OpenSSL error messages) to find out what was going on.

I'd like to use this eventually (though wpa_supplicant isn't there yet)
to prompt the user to accept the RADIUS server's certificate if it's not
been seen yet like Mac OS X and Windows do, and then save the
fingerprint like you suggest and warn the user if that fingerprint
changes.  We're almost there, but we need a bit more intelligence
underneath to do so.

Dan
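Dan's reply above sketches the policy the thread converges on: check the RADIUS server's certificate before asking for a password, remember its fingerprint per network, and warn when it changes. The Python below is an added example written for this page, not code from NetworkManager, wpa_supplicant or either poster. It models that policy (credentials keyed on SSID plus server-cert fingerprint, a "mismatch" outcome for the evil-twin case the original poster describes) and emits the wpa_supplicant network block that results: the weak block with no `ca_cert`, beside one pinned with `ca_cert="hash://server/sha256/<hex>"` and `domain_suffix_match`. Assumptions: the network is PEAP with MSCHAPv2 as the inner method (the poster's "EAP-MSCHAPv2"); the reader's wpa_supplicant supports the `hash://server/sha256/` and `domain_suffix_match` options, both of which were added after this 2010 thread; the SSID `corp-wifi`, domain `example.com`, identity and password are placeholders; and the DER byte strings are constructed stand-ins, not real certificates.

```python
"""TOFU pinning of a RADIUS server certificate for a WPA2-Enterprise network.

Added example, not NetworkManager or wpa_supplicant code.  It models the
behaviour proposed in the thread: show the server certificate before asking
for a password, key stored credentials on SSID + server-cert fingerprint
rather than SSID alone, and refuse to send them when the fingerprint changes.
"""
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded RADIUS server certificate that
# wpa_supplicant sees inside the PEAP TLS handshake.  Not real certificates:
# any byte string hashes the same way a real DER blob would.
CONSTRUCTED_SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-radius-cert-" * 8
CONSTRUCTED_EVIL_TWIN_CERT_DER = b"\x30\x82\x01\x0a" + b"evil-twin-radius-cert---" * 8


def server_cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, lowercase hex.

    This is the form wpa_supplicant accepts in
    ca_cert="hash://server/sha256/<hex>" (assumed available in the reader's
    wpa_supplicant; that syntax postdates the 2010 thread).
    """
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Credentials keyed on (SSID, server-cert fingerprint), never SSID alone."""

    def __init__(self):
        self._entries = {}  # ssid -> (fingerprint, identity, password)

    def evaluate(self, ssid: str, der: bytes) -> str:
        """Classify the certificate offered on `ssid`.

        "new"       never seen this SSID: show hostname/CA/fingerprint and ask
                    the user before any password prompt
        "match"     same server as last time: safe to send stored credentials
        "mismatch"  same SSID, different server: do NOT send the password.
                    This is the evil-twin case from the thread.
        """
        entry = self._entries.get(ssid)
        if entry is None:
            return "new"
        if hmac.compare_digest(entry[0], server_cert_fingerprint(der)):
            return "match"
        return "mismatch"

    def accept(self, ssid: str, der: bytes, identity: str, password: str):
        """Store credentials only after the user explicitly accepted this cert."""
        self._entries[ssid] = (server_cert_fingerprint(der), identity, password)

    def credentials(self, ssid: str, der: bytes):
        """Return (identity, password) for a matching server, else None."""
        if self.evaluate(ssid, der) != "match":
            return None
        _, identity, password = self._entries[ssid]
        return identity, password


# Weak wpa_supplicant network block (placeholder values): no ca_cert, so any
# server certificate is accepted and the MSCHAPv2 exchange goes to whichever
# access point is strongest on that SSID.
WEAK_NETWORK_BLOCK = """network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="correct-horse"
}
"""


def hardened_network_block(ssid, identity, password, fingerprint, domain):
    """Network block pinned to one server certificate by hash, and additionally
    requiring the certificate's name to end in `domain` (the operator's domain,
    as the original poster expects)."""
    return (
        "network={\n"
        f'    ssid="{ssid}"\n'
        "    key_mgmt=WPA-EAP\n"
        "    eap=PEAP\n"
        '    phase2="auth=MSCHAPV2"\n'
        f'    identity="{identity}"\n'
        f'    password="{password}"\n'
        f'    ca_cert="hash://server/sha256/{fingerprint}"\n'
        f'    domain_suffix_match="{domain}"\n'
        "}\n"
    )


if __name__ == "__main__":
    store = PinStore()
    fp = server_cert_fingerprint(CONSTRUCTED_SERVER_CERT_DER)
    print("first contact:", store.evaluate("corp-wifi", CONSTRUCTED_SERVER_CERT_DER))
    store.accept("corp-wifi", CONSTRUCTED_SERVER_CERT_DER, "alice", "correct-horse")
    print("same server:  ", store.evaluate("corp-wifi", CONSTRUCTED_SERVER_CERT_DER))
    print("evil twin:    ", store.evaluate("corp-wifi", CONSTRUCTED_EVIL_TWIN_CERT_DER))
    print(hardened_network_block("corp-wifi", "alice", "correct-horse", fp, "example.com"))
```

The hash pin alone defeats both attacks the poster describes (a cert from the same CA for another domain, and a cert from any other CA), because it ignores the CA entirely and matches one specific server certificate; the cost is that the pin must be re-accepted whenever the operator renews the certificate. `domain_suffix_match` is the CA-based alternative for operators who renew often: keep a real `ca_cert` root and restrict the server name to the operator's domain.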
