

PEAP-MS-CHAPv2 Authentication Could Allow Information Disclosure, Windows Phone - hatchan
http://technet.microsoft.com/en-us/security/advisory/2876146

======
adekok
RADIUS guy here. I've worked with 802.1X and PEAP for as long as it's existed.

This isn't news.

If you disable certificate checking, then the authentication security of TLS
goes away. Your traffic is still encrypted, but you have no idea who you're
talking to.

This means that the attacker gets access to the MS-CHAPv2 data. Which we know
can be attacked off-line via dictionary attacks.

Always enable certificate checking for 802.1X. If you don't, you're handing
your authentication credentials to anyone.

And always know _which_ certificate you're checking. Some deployments use
certificates signed by a known root, and for "ease of use", allow any
certificate signed by that root.

Well... the root CAs sign thousands of certificates a day. You've just
configured your system to hand authentication credentials to anyone.

Don't do that.

~~~
mentat
The thing is (as demonstrated in the actual presentations) the default is
insecure and the process for making it secure is not straight forward.

