[opensource] Persistent ResNET Login

Brian Swaney swaneybr at opensource.osu.edu
Fri May 13 09:55:18 EDT 2011

For the certificates, I don't know how to do it in Python, but what
you're checking are the "Common Name" (the host,
something.resnet.ohio-state.edu) and "Certificate Authority"
(Internet2). The way it works is you have a "trusted third party" that
asserts, by way of providing their own signature, that the certificate
indeed belongs to whomever is listed in the "common name". If the
Certificate Authority is lying, or the certificate was stolen, then you
have potential for a man-in-the-middle attack, but otherwise (in theory)
you are safe. In practice, certificate authorities are often negligent,
and sometimes complicit (e.g. Comodo handed certificates to cyber
criminals, and some CAs may support government man-in-the-middles), but
Internet2 is a group of schools working together on networking and
technology, so I think you can be reasonably sure that a certificate
provided by them to a school domain is legitimate.

You can basically assume just by posting this on the mailing list that
Student Life IT will know about it. If they don't have people reading
our list, which is open to the public, then somebody will almost
certainly bring it to their attention in the very near future. We have
historically had Student Life IT staff in our club. So, trying to hide
this from them is not practical. As for the resnet.osu.edu/RANDOM, they
might pick up on it, but if you request a different string each time
then they're not going to break the script by making that string exist
(and thus not return the expected 404). In my opinion, looking for a 404
error to tell you nothing is wrong is not the best way to go about this,
for reasons such as this, but it sounds like it will work. In practice,
they probably don't check their hit logs, but now that it has been
brought up they're probably going to watch it like Big Brother. I'd
personally do something along the lines of comparing the expected result
of a page with the actual result, then if they don't match look for a
ResNet login with an ohio-state.edu top-level domain.

I don't see the user/pass at the top of the page, so you might have
linked to the wrong one. Rather than link to a new pastebin each time,
you could probably host your script locally. If you have a shell
account, you could put it into a locally-hosted git repository.
Otherwise, you might be able to attach it to the page on our website.
That said, since we know there is a serious safety concern with using
the current version of your script, until that gets fixed do you really
think we should be encouraging people to run it?

Brian Swaney
Open Source Club at
Ohio State University
Website Administrator

On 05/13/2011 09:05 AM, friedly.1 at osu.edu wrote:
> I'll plan on making the changes you described, because it is a pretty
> big security hole.  I'm not sure if Python automatically checks the
> certificates, but I'll see what I can find about that.  Checking
> certificates might be a bit over my head though, I've never done it
> before and I'm not really sure how it works.  If it's as simple as
> just checking the server's key against a public list of keys then I
> can do that but I'm not really sure.
> Also, I'll stop using xkcd because I guess it is a bit discourteous.
> xkcd.com/404 just returns a 404 though, which we thought was pretty
> funny compared to xkcd.com/403 or xkcd.com/405.  But since it's
> ResNET's problem, it would be more fair to just try to open a
> connection to some random page at resnet.osu.edu/RANDOM.  The only
> problem is if they start noticing that they're getting a lot of
> traffic to that random url and look into it.  We could maybe generate
> our own random string urls, but if one of them actually exists then
> the script won't work right.
> The newest update has which lines to modify moved to the top and
> connects to a random resnet.osu.edu address; I'll add other stuff later:
> http://pastebin.com/K016g3Bx
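The two checks discussed in this exchange, verifying the server certificate (trusted CA plus "Common Name"/hostname) and comparing an expected page against what actually came back to spot a ResNet login redirect, as an added Python example. This is not code from the thread or from the pastebin script being discussed; the sample certificate dictionaries, URLs and response bodies are constructed, and `EXPECTED_DOMAIN` and the function names are illustrative.

```python
"""Added example (not from the thread): TLS peer verification and
captive-portal detection for a login-check script. Hostnames, sample
certificates and response bodies below are constructed."""
import ssl
from urllib.parse import urlparse

# Campus domain a legitimate ResNet login page is expected to live under
# (taken from the thread). The label-boundary suffix check further down is
# what stops a look-alike such as evil-ohio-state.edu from passing.
EXPECTED_DOMAIN = "ohio-state.edu"


def make_verifying_context(cafile=None):
    """SSLContext that requires a chain to a trusted CA and a hostname match.

    create_default_context() already enables both; they are set explicitly
    here so the two checks the thread talks about are visible. `cafile` may
    point at a PEM bundle holding only the CA roots the script expects,
    instead of the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the "Certificate Authority" check
    ctx.check_hostname = True            # the "Common Name"/SAN check
    return ctx


def make_unverified_context():
    """The weak setting, for comparison: any certificate is accepted, so a
    man-in-the-middle presenting a self-signed certificate goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx):
    """True only when both the CA check and the hostname check are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _label_match(pattern, hostname):
    """Case-insensitive DNS name match; a leading '*' covers exactly one
    label and may not stand in for a whole registrable domain ('*.edu')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    labels = hostname.split(".")
    if len(labels) < 3 or "." not in suffix:
        return False
    return ".".join(labels[1:]) == suffix


def hostname_matches(cert, hostname):
    """Check a dict in the shape returned by SSLSocket.getpeercert().

    dNSName entries in subjectAltName are authoritative; the subject
    commonName is consulted only as a legacy fallback when there are none.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_label_match(n, hostname) for n in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, hostname)
    return False


def _host_in_domain(host, domain):
    """Suffix match on a label boundary, so 'evil-ohio-state.edu' and
    'ohio-state.edu.example' both fail."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_response(final_url, body, expected_body):
    """Compare the page we got with the page we expected, as the reply suggests.

    'ok'             -> body is exactly what the known page should return
    'captive_portal' -> redirected to a login page under the campus domain
    'unexpected'     -> anything else (outage, tampering, look-alike host)
    """
    if body == expected_body:
        return "ok"
    host = urlparse(final_url).hostname or ""
    if _host_in_domain(host, EXPECTED_DOMAIN) and "login" in body.lower():
        return "captive_portal"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample certificate, in getpeercert() dict form.
    cert = {
        "subject": ((("commonName", "login.resnet.ohio-state.edu"),),),
        "subjectAltName": (("DNS", "login.resnet.ohio-state.edu"),
                           ("DNS", "*.resnet.ohio-state.edu")),
    }
    print(verification_enabled(make_verifying_context()))         # True
    print(verification_enabled(make_unverified_context()))        # False
    print(hostname_matches(cert, "other.resnet.ohio-state.edu"))  # True
    print(hostname_matches(cert, "a.b.resnet.ohio-state.edu"))    # False
    print(classify_response("https://login.resnet.ohio-state.edu/portal",
                            "<form>ResNet Login</form>", "expected body"))
```

In a real script the context from `make_verifying_context()` is passed to `urllib.request` or `http.client` when opening the connection; the handshake then fails closed on an untrusted CA or a hostname mismatch, and `classify_response()` is only reached on a connection whose peer identity has already been checked. Checking the redirect target's domain on a label boundary matters because a plain `"ohio-state.edu" in host` test would accept a look-alike host.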

