-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
Maybe you have been at the Chaos Communication Congress in Germany in the last years. Then you may have seen the WPA2 802.1X encrypted /public open wireless access points/, where a user/client can choose their own (random) name/password credentials.

https://events.ccc.de/congress/2014/wiki/Static:Network#WPA2_802.1X.2C_encryption
(CA-CERT, SHA-1 fingerprint: 4C:11:E8:BA:DE:12:79:08:45:4F:53:33:1F:E9:B9:60:56:1D:63:9F)

"""
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).
"""

Back in 2010 and 2012 one paper and some emails claimed that it is possible to patch hostapd so it does not need client certificates. /* Mails from californiajack at tormail.org via [OpenWireless Tech] */

So what now? There is a project (https://github.com/OpenSecurityResearch/hostapd-wpe) where people have patched and open-sourced hostapd to not request client certificates (and other things). So far so good, there are patches. But I'm not a C/C++ hacker and I will not touch TLS and other critical encryption and fuck it up to compile my own version of hostapd. If I want to use it, I want to use a well maintained version, if there is any. (?!)

However, I saw that all this stuff is specified: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS and there is "FreeRADIUS" which will do similar stuff, I heard. I was curious about that technology because it would be a nice thing for our wireless community network.
The sad fact today is that we do not have wireless security, because in a flat organised community you will not have central credentials (that is stupid and not open) and you will not have a central committee which verifies user client certificates, which is even more of a closed system and can restrict user access (really really bad!). But if a user could choose his own (fake) credentials we would have some security against passive network sniffing. As you may know, there are hundreds of shitty mobile apps with broken API calls and poor TLS/SSL quality. We don't have to put our users at unnecessary risk. We cannot expect that every user can use end-to-end VPN connections. Further, if we had an active network scanner within our infrastructure we would have another problem. ...

OK, back to the plot: Do you know any hostapd configurations or other software in OpenWrt which can achieve that goal? Are there any issues which might lead to problems or other downsides I may have missed? Reasons against?

Thanks for comments and pointers!
Greetings,
Bernd

- -- 
Bernd Naumann <be...@kr217.de>
PGP: 0xA150A04F via pool.sks-keyservers.net
XMPP: b...@weimarnetz.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBAgAGBQJVFAqUAAoJEEYW3OihUKBPOLkQAIHn8ovj3qEIjKnQ5YGLQr/Z
rttoYAeC1uZePbVTCe5c/DOZVvDp0tn174Eu8itKA5E+NUOJ4RjQ/Xr9tWdtQme/
kXnJoYS15+m2tivRbpYvHGTV47bWYYEBMg+P0Wg0XOHsy580CT88ZuBZDL1FlTcr
VjwibSwoNT7ZVO7UemrBmt8LNaItgNVwyhID6Eo//JyTWft2idPA9X4DPiMYndJG
cE3UwBcq5nqTh0whZXsUCmcjWzZ91hV+D2BfDf6rsWCIzdoFA+42HqwX4RSgJaQn
TCQeQYZpYgeysqBoAuetJc2AEGHRA3Vt+pxuX2HCerfk+pWU1F4ZCKRQ1q1u7XQk
p3ZD8tSofLZjmyXxAMrWJnNk74T1qLF/YuS2g5ms9kKIWzre6xOQ7Exe5yn0W+Mq
uKLexEI6BAJtDEiGKRMtn7tw70v6G0lhNtrbebgIULbHpaY+ToxozksGxUtyfbQ7
PnTnGqk2HS0XHn7noZgzqbLh6X9MniGrAEU3zJkhdcbAVTF//0lC/YUcrQKlOX5u
dpvcFu6FzvLUzncRXIJVjovuYzGpkP054fY379spSGyZo7/MDuUkKwT3bOYbf7oL
gOs0OA4e9RfIEvy0avR9SgR02n+w/QTSiqz3bl6UdZ5TTO810LXK8FpJMZV2gJcz
WdUg2cAuqsEC+7vp27v8
=8QL5
-----END PGP SIGNATURE-----

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
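As an added example (not from Bernd's mail, from hostapd-wpe, or from OpenWrt), here is what the setup asked about looks like with unpatched hostapd. The client-certificate requirement belongs to EAP-TLS only; in the tunnelled methods EAP-TTLS and PEAP only the server presents a certificate, and stock hostapd's built-in EAP server speaks both, so the hostapd-wpe patches are not needed for this. The interface, SSID, file paths and the published password "public" are assumptions, and the wildcard phase-2 entries follow the format of the hostapd.eap_user example file shipped with hostapd (check it against your version).

```ini
# --- /etc/hostapd/public.conf (assumed path) ---
# Stock hostapd as a WPA2-Enterprise AP using its built-in EAP server.
# Only the server presents a certificate; stations use the published
# username/password inside an EAP-TTLS or PEAP tunnel, so no client
# certificates are issued or requested.
interface=wlan0
driver=nl80211
ssid=community-public-8021x
hw_mode=g
channel=6

# WPA2 with 802.1X key management, CCMP only
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Use hostapd's internal EAP server instead of an external RADIUS server
eap_server=1
eap_user_file=/etc/hostapd/public.eap_user

# Server-side TLS material (assumed paths). Publish the CA certificate's
# fingerprint, as the CCC network page does: a station that does not check
# it will accept any AP announcing the same SSID and the same published
# credentials, so the encryption then only defends against passive sniffing.
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key

# --- /etc/hostapd/public.eap_user (assumed path) ---
# Phase 1 (outer identity): any identity may open a PEAP or TTLS tunnel.
*             PEAP,TTLS
# Phase 2 (inside the tunnel): any identity with the published password.
# Stock hostapd cannot accept arbitrary passwords (that is what the
# hostapd-wpe patches change), so a single public password is published.
*             MSCHAPV2    "public"    [2]
*             TTLS-PAP    "public"    [2]
```

Start it with `hostapd /etc/hostapd/public.conf`. On OpenWrt this needs the full `wpad` package rather than `wpad-mini`, which has no EAP/WPA-Enterprise support. On the client side the gain over an open network depends on the supplicant being configured with the CA certificate (or its fingerprint) for the server-certificate check instead of "do not validate".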