ietf

RE: Write an RFC Was: experiments in the ietf week

2008-03-25 07:29:32
Yes, a security experiment is not so interesting without an attack.
 
I would like an evil twin access point to be set up with a cert that says 'evil 
twin' and measure how much traffic goes through it. This is frequently done at 
BlackHat albeit not necessarily in a manner that complies with human subjects 
criteria.
 
It's not much of a security experiment if you only measure whether people can 
deploy it.
 

________________________________

From: Andrew G. Malis [mailto:agmalis(_at_)gmail(_dot_)com]
Sent: Tue 25/03/2008 9:05 AM
To: Patrik Fältström
Cc: Hallam-Baker, Phillip; IETF Discussion
Subject: Re: Write an RFC Was: experiments in the ietf week



Phillip does have a point regarding 802.1x authentication, which is
typically used to authenticate the user to the service, and not vice
versa. Conceivably a person could set up an "evil" access point that
advertises the same beacon as the official access points, and has
802.1x enabled to accept the same shared user name and password (which
is also well publicized).

One way that could make this much more secure from the user viewpoint
would be for every attendee to receive an individual 802.1x user name
and password, perhaps printed on the back of their name tag.
Presumably an "evil" access point would not have access to these names
and passwords, so users can be sure that they are attaching to an
official access point. But as this would create much more work for the
NOC and admin staff, I'm not advocating we do that.

Cheers,
Andy

On Mon, Mar 24, 2008 at 10:30 PM, Patrik Fältström 
<patrik(_at_)frobbit(_dot_)se> wrote:

On 25 mar 2008, at 02.18, Hallam-Baker, Phillip wrote:

I am willing to have a go at it next time round but only if I have
some idea what I am expected to have on my machine and what
authentication indicata I am to expect.

As it stands there is no way for me to evaluate an authentic or
inauthentic experience. I don't know what authentic looks like. I
have no trust anchor.

This email message sent to me was enough of a trust anchor to use
802.1x. Specifically as "the instructions" are the same as IETF-70 and
previous meetings.

http://www.ietf.org/mail-archive/web/71attendees/current/msg00154.html

Sure, the mail was not signed, but I also asked a friend at the
meeting "what he used". And as we both had the same instructions, we
trusted that. If we wanted to, we could have asked someone actually
running the network, but we did not feel we had to.

   Patrik


_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



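The thread's point is that 802.1X as deployed authenticates the user to the network but not the network to the user, so the fix on the client side is a trust anchor: the supplicant must check the authentication server's certificate against a pinned CA and an expected server name before sending any credential. The following is an added example, not code from the thread or its authors: a small Python audit of wpa_supplicant-style `network={...}` blocks that flags EAP networks configured without `ca_cert` or without a server-name match (`domain_suffix_match`, `domain_match`, `altsubject_match` or `subject_match`, all real wpa_supplicant keys). The SSIDs, CA path, hostname and credentials in the sample configuration are constructed for the example.

```python
import re

# Constructed sample configuration in wpa_supplicant syntax (not from the thread).
# The first network trusts whichever RADIUS server answers; the second pins a CA
# and an expected server name; the third is WPA-PSK, where 802.1X does not apply.
SAMPLE_CONFIG = """
network={
    ssid="conference-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="shared-secret"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="conference-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="shared-secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/conference-radius-ca.pem"
    domain_suffix_match="radius.conference.example"
}

network={
    ssid="conference-psk"
    key_mgmt=WPA-PSK
    psk="open-published-passphrase"
}
"""

# Any one of these keys ties the accepted certificate to a specific server name.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict per network={...} block, mapping key -> value (quotes stripped)."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # Split on the first '=' only, so values such as "auth=MSCHAPV2" survive.
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return a list of findings for one network block (empty list means no issue)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings  # not 802.1X: server certificate checks do not apply
    if "ca_cert" not in net:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate from the "
                        "trusted CA is accepted")
    return findings


def audit_config(text):
    """Map each SSID in the configuration to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        print(ssid, "->", findings or "ok")
```

A network that fails either check will happily complete the EAP exchange with a rogue server presenting a self-signed or look-alike certificate, which is exactly the "evil twin accepting the published credentials" scenario the thread describes; with both checks present, the supplicant refuses the server before the inner MSCHAPv2 exchange reveals anything. The per-attendee credentials Andy mentions reduce the value of what leaks, but only server verification stops the leak itself.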