From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] use CHAP for dial-in as default
Date: Sun, 19 Nov 2017 15:34:33 +0000
Message-ID: <1511105673.4838.512.camel@ipfire.org>
In-Reply-To: <20171119144730.1dca97e2.peter.mueller@link38.eu>

Hi,

I am not really sure if this would improve security - although the protocol itself would of course.

Do we know how compatible other ISPs are with CHAP? I know at least one that only supports CHAP and so we would break compatibility with them since it is probably not very obvious.

So, in practice I do not think that this change is worth it, because:

a) it might break compatibility. pppd will always use CHAP if it is available already and fall back to PAP when necessary.

b) CHAP is not really secure. It is some sort of HMAC-MD5, but the challenge is usually known for someone who can eavesdrop on the wire. So brute-forcing the password is easy to do. We would only be left with the protection against immediate replay attacks which I do not consider a problem since ISPs will suspend your account very quickly.

c) The Internet connection is a public thing. The user credentials are easy to socially engineer. Even if the authentication would use CHAP, this won't improve any security of the data being transferred after that.

Best,
-Michael

On Sun, 2017-11-19 at 14:47 +0100, Peter Müller wrote:
> Use CHAP as default setting for PPPoE dial-in connections.
>
> Although CHAP does not provide strong transport security
> at all, it is better than submitting credentials in plain text.
>
> Enforcing CHAP prevents the system from silently falling
> down to no encryption (MITM attack!).
>
> Existing installations remain untouched.
>
> Signed-off-by: Peter Müller
> ---
> html/cgi-bin/pppsetup.cgi | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/pppsetup.cgi b/html/cgi-bin/pppsetup.cgi
> index 4b45ee50c..a96dce9df 100644
> --- a/html/cgi-bin/pppsetup.cgi
> +++ b/html/cgi-bin/pppsetup.cgi
> @@ -1042,7 +1042,7 @@ sub initprofile > $pppsettings{'HOLDOFF'} =3D 30; > $pppsettings{'TIMEOUT'} =3D 15; > $pppsettings{'MODULATION'} =3D 'AUTO'; > - $pppsettings{'AUTH'} =3D 'pap-or-chap'; > + $pppsettings{'AUTH'} =3D 'chap'; > $pppsettings{'DNS'} =3D 'Automatic'; > $pppsettings{'DEBUG'} =3D 'off'; > $pppsettings{'BACKUPPROFILE'} =3D $pppsettings{'PROFILE'};
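Review bot: the hunk sits in `sub initprofile`, so it only changes the value a newly created profile starts with; the commit message's "Enforcing CHAP prevents the system from silently falling down to no encryption" overstates it, since existing profiles keep 'pap-or-chap' (as the message itself notes) and CHAP authenticates the peer without encrypting the PPP session. Suggest rewording to "default new profiles to CHAP" and "plaintext PAP authentication" instead of "no encryption", and, because a 'chap' default will simply fail to connect against a PAP-only provider with nothing in the UI explaining why, adding a line to the pppsetup help text or release notes telling users to switch the setting back to 'pap-or-chap' in that case.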
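Michael's point (b) above, as an added example that is not part of this thread nor code from IPFire or pppd: CHAP with MD5 as specified in RFC 1994 computes Response = MD5(Identifier || secret || Challenge), a plain hash over the concatenation rather than an HMAC. The authenticator's check therefore needs only the Identifier, Challenge and Response, all of which cross the wire in the clear, plus the secret, which is why a captured exchange lets anyone test candidate passwords offline while a fresh challenge per session still defeats a straight replay. The identifier, secret and challenge below are constructed sample values, not from any real session.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4.1): MD5 over Identifier || secret || Challenge."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(identifier: int, secret: bytes, challenge: bytes,
                         response: bytes) -> bool:
    """What the ISP side does on receiving a Response: recompute and compare."""
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def verifiable_from_wire(identifier: int, challenge: bytes, response: bytes,
                         candidates: Iterable[bytes]) -> Optional[bytes]:
    """Everything authenticator_verify() needs except the secret is visible in
    the Challenge and Response packets, so a capture is enough to check guesses
    offline. This is the weakness Michael describes: only the strength of the
    password itself limits it. Returns the matching candidate, or None."""
    for cand in candidates:
        if chap_md5_response(identifier, cand, challenge) == response:
            return cand
    return None


# Constructed sample session (not from the page, not from any real ISP).
SAMPLE_ID = 0x2A
SAMPLE_SECRET = b"not-a-real-isp-password"
SAMPLE_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16 octets
SAMPLE_RESPONSE = chap_md5_response(SAMPLE_ID, SAMPLE_SECRET, SAMPLE_CHALLENGE)


def replay_is_rejected() -> bool:
    """A fresh random challenge per session means a captured Response does not
    validate again: the replay protection Michael concedes CHAP still provides."""
    new_challenge = os.urandom(16)
    return not authenticator_verify(SAMPLE_ID, SAMPLE_SECRET, new_challenge, SAMPLE_RESPONSE)


if __name__ == "__main__":
    print("legitimate response accepted:",
          authenticator_verify(SAMPLE_ID, SAMPLE_SECRET, SAMPLE_CHALLENGE, SAMPLE_RESPONSE))
    print("replayed response rejected:  ", replay_is_rejected())
    print("secret confirmed from wire data:",
          verifiable_from_wire(SAMPLE_ID, SAMPLE_CHALLENGE, SAMPLE_RESPONSE,
                               [b"password", b"hunter2", SAMPLE_SECRET]))
```

The contrast between `authenticator_verify()` and `verifiable_from_wire()` is the whole point: they run the same computation, and the second one has every input it needs from the capture alone. That is also why the patch's "Existing installations remain untouched" default change does not alter the picture Michael paints; defaulting to CHAP keeps the password off the wire in the clear but does nothing for the PPP payload that follows.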