Yes, a security experiment is not so interesting without an attack.
I would like an evil twin access point to be set up with a cert that says 'evil
twin' and measure how much traffic goes through it. This is frequently done at
BlackHat albeit not necessarily in a manner that complies with human subjects
It's not much of a security experiment if you only measure whether people can
From: Andrew G. Malis [mailto:agmalis(_at_)gmail(_dot_)com]
Sent: Tue 25/03/2008 9:05 AM
To: Patrik Fältström
Cc: Hallam-Baker, Phillip; IETF Discussion
Subject: Re: Write an RFC Was: experiments in the ietf week
Phillip does have a point regarding 802.1x authentication, which is
typically used to authenticate the user to the service, and not vice
versa. Conceivably a person could set up an "evil" access point that
advertises the same beacon as the official access points, and has
802.1x enabled to accept the same shared user name and password (which
is also well publicized).
One way that could make this much more secure from the user viewpoint
would be for every attendee to receive an individual 802.1x user name
and password, perhaps printed on the back of their name tag.
Presumably an "evil" access point would not have access to these names
and passwords, so users can be sure that they are attaching to an
official access point. But as this would create much more work for the
NOC and admin staff, I'm not advocating we do that.
On Mon, Mar 24, 2008 at 10:30 PM, Patrik Fältström
On 25 mar 2008, at 02.18, Hallam-Baker, Phillip wrote:
I am willing to have a go at it next time round but only if I have
some idea what I am expected to have on my machine and what
authentication indicata I am to expect.
As it stands there is no way for me to evaluate an authentic or
inauthentic experience. I don't know what authentic looks like. I
have no trust anchor.
This email message sent to me was enough of a trust anchor to use
802.1x. Specifically as "the instructions" are the same as IETF-70 and
Sure, the mail was not signed, but I also asked a friend at the
meeting "what he used". And as we both had the same instructions, we
trusted that. If we wanted to, we could have asked someone actually
running the network, but we did not feel we had to.
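The one-way authentication Phillip and Andrew describe above, reduced to a toy model. This is an added illustration, not code from the thread, the IETF NOC or any 802.1x implementation: the SSID "ietf", the shared "ietf"/"ietf" credential, the per-user password and the HMAC challenge that stands in for the server-certificate check a real EAP-TLS/PEAP supplicant performs are all constructed for the example. It shows the property the thread circles around: a client that only proves itself to the AP cannot tell the two access points apart, an AP that never proves itself can simply accept whatever credential it is sent, and what lets the client reject the twin is a trust anchor it already holds before it talks to the network.

```python
"""Toy model of one-way versus mutual authentication at an 802.1x hotspot.

Constructed example. The EAP exchange is reduced to two steps: the AP may
prove its identity to the client against a trust anchor the client holds,
and the client proves a username/password to the AP. HMAC over a client
nonce stands in for the server-certificate signature a real EAP-TLS/PEAP
supplicant would verify; the trust anchor stands in for the CA or pinned
certificate such a supplicant would be configured with.
"""
import hashlib
import hmac
import secrets

SSID = "ietf"                            # constructed; both APs beacon the same name
SHARED_CREDENTIALS = {"ietf": "ietf"}    # constructed well-publicised user/password


class AccessPoint:
    """Legitimate AP: checks user passwords and can prove its own identity."""

    def __init__(self, ssid, credentials, server_key):
        self.ssid = ssid
        self._credentials = credentials
        self._server_key = server_key    # secret only the real network holds

    def authenticate_user(self, user, password):
        expected = self._credentials.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def prove_identity(self, nonce):
        # Stand-in for signing the client's challenge with the server certificate key.
        return hmac.new(self._server_key, nonce, hashlib.sha256).digest()


class EvilTwin(AccessPoint):
    """Rogue AP: same beacon, no idea what the real credentials are."""

    def __init__(self, ssid):
        # It has no copy of the real network's key, so it proves identity with a random one.
        super().__init__(ssid, credentials={}, server_key=secrets.token_bytes(32))

    def authenticate_user(self, user, password):
        # It wants the traffic, so it never rejects anyone, shared credential or not.
        return True


def connect(ap, user, password, trust_anchor=None):
    """Client side of the exchange. Returns (associated, reason)."""
    if trust_anchor is not None:
        # Verify the AP *before* releasing the password, as a PEAP/EAP-TLS client
        # verifies the server certificate before the inner password exchange.
        nonce = secrets.token_bytes(16)
        expected = hmac.new(trust_anchor, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ap.prove_identity(nonce)):
            return False, "AP failed to prove identity; password not sent"
    if not ap.authenticate_user(user, password):
        return False, "user credentials rejected"
    if trust_anchor is None:
        return True, "user authenticated; AP identity never checked"
    return True, "mutual authentication ok"


def run_scenarios():
    """Returns which (AP, client configuration) pairs end in an association."""
    server_key = secrets.token_bytes(32)     # real network's private key stand-in
    real = AccessPoint(SSID, SHARED_CREDENTIALS, server_key)
    rogue = EvilTwin(SSID)
    badge_password = "printed-on-badge"       # constructed per-attendee credential
    individual = AccessPoint(SSID, {"alice": badge_password}, server_key)

    return {
        # Shared credential, client checks nothing about the AP.
        "shared_real": connect(real, "ietf", "ietf")[0],
        "shared_rogue": connect(rogue, "ietf", "ietf")[0],
        # Per-user credential the rogue has never seen; it still just says "accept".
        "individual_real": connect(individual, "alice", badge_password)[0],
        "individual_rogue": connect(rogue, "alice", badge_password)[0],
        # Client holds a trust anchor for the real network and checks it first.
        "anchored_real": connect(real, "ietf", "ietf", trust_anchor=server_key)[0],
        "anchored_rogue": connect(rogue, "ietf", "ietf", trust_anchor=server_key)[0],
    }


if __name__ == "__main__":
    for scenario, associated in run_scenarios().items():
        print(f"{scenario:18s} associated={associated}")
```

Only the last pair differs between the real AP and the twin; every configuration in which the client has nothing to check ends with the client attached, and in the rogue cases with the password handed over. The trust anchor here is the thing Phillip says he does not have: whatever a real deployment uses for it (a CA certificate, a pinned server certificate, or the expected server name), it has to reach the attendee over a channel the evil twin cannot imitate, which is why an unsigned e-mail saying "use 802.1x" is only as strong as the out-of-band confirmation Patrik describes.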
IETF mailing list