[isf-wifidog] immediate user disconnect feature

acv acv at miniguru.ca
Mon Apr 28 14:01:45 EDT 2008


On Mon, Apr 28, 2008 at 07:55:22PM +0200, Wichert Akkerman wrote:
> 
> The thought had occurred to me. The reason I did not do that is that it
> complicates the protocol a bit while I was not sure that is really needed.

	In the wifidog threat model, it's been the assumption that the
goal of attackers has been to get free internet access. If they
can sniff the internet side of the router, the only thing they really stand
to gain (re-usable authentication credentials) is supposed to be SSL
protected.

Alex

> 
> Having given this a bit more thought I can see that this is useful: if
> the auth server uses http instead of https (which I would expect to be a
> common scenario) an attacker can sniff the token and log out the user
> even after we have secured the status page.
> 
> I'll code the http authentication change tomorrow when I'm back at work.
> 
> Wichert.
> 
> -- 
> Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
> http://www.wiggy.net/                   It is hard to make things simple.