Re: [saag] Channel binding is great but not a silver bullet

Alan DeKok <aland@deployingradius.com> Mon, 02 March 2009 17:57 UTC

To: Nicolas Williams <Nicolas.Williams@sun.com>
Cc: saag@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, der Mouse <mouse@Rodents-Montreal.ORG>

Nicolas Williams wrote:
>    Imagine a coffee house

  ... doing anything but selling coffee.

  Nope, that's not going to work.  I work with/for global WiFi
operators, so I have some experience here.

  Take Starbucks, for example.  They have WiFi.  What do the employees
know about it?  Pretty much nothing.  What do the people who installed
it know about it?  Pretty much nothing.  What does the network operator
*running* the network know about it?  Pretty much nothing.

  You can't begin to believe how bad many of these networks are.

> that posts a certificate fingerprint on a
>    flyer by the cashier, then you can use the coffee house's
>    infrastructure (an access point and a small service running on it) to
>    enrol in any service federated with that coffee house.

  This presumes that social engineering attacks, and/or re-printing
flyers is hard.  It's not.

  Alan DeKok.