[pkg-wicd-maint] Bug#902421: wicd-daemon: silently keeps and uses obsolete, possibly insecure config in /etc/wicd/wireless-settings.conf

Vincent Lefevre vincent at vinc17.net
Tue Jun 26 16:17:52 BST 2018


On 2018-06-26 16:38:05 +0200, Axel Beckert wrote:
> Are you aware that you need to explicitly configure if a configuration
> needs to be solely based on the ESSID? It's called "use these settings
> for all wifis with this ESSID" or similar.

I have "Use these settings for all networks sharing this essid"
ticked for eduroam, but it is apparently not honored.

> And IMNSHO it's a security feature and not a bug that wicd does use
> only the BSSID by default. That way credentials can't be leaked to
> rogue access points which share the same ESSID (which is easy to do).

... unless a certificate is used, which is my case.

Another issue is that here, it was a *new* BSSID (well, I assume so,
because it is a place where I had never been before).

> > and when one updates the eduroam config, some old configs are not
> > updated, and wicd can randomly use them later.
> 
> In which case did this happen? With an ESSID where you had the "use
> these settings for all wifis with this ESSID" flag set or not?

See above. But I'm not aware whether there is a global setting (in any
case the local setting should have precedence).

> Am I right that you say that it's not an outdated password which might
> be leaked, but the current password which is sent in an insecure way,
> like WEP instead of WPA?

There were some old settings with the new password and no certificate.
This could have leaked. I never use WEP, always WPA2.

> > Note: The UI just presents the essid, so that the user will generally
> > not know what's going on.
> 
> Which UI? WICD has several UIs (Gtk, Curses, CLI) and you filed that
> bug report against wicd-daemon. (→ moreinfo, too)

Gtk.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
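The stale-section problem discussed in this thread, illustrated by an added audit script that is not part of the bug report or of wicd itself: it parses a constructed wireless-settings.conf in the INI layout wicd uses, assuming `[essid:NAME]` sections for ESSID-wide profiles and `[BSSID]` sections for per-network ones (section and key names `essid`, `enctype`, `ca_cert`, `password` are assumptions), and lists per-BSSID sections whose encryption type or CA certificate diverge from the ESSID-wide profile.

```python
import configparser

# Constructed sample config; section/key names are assumptions, not wicd's documented format.
SAMPLE_CONF = """
[essid:eduroam]
essid = eduroam
use_settings_globally = 1
enctype = peap-tkip
ca_cert = /etc/ssl/certs/eduroam-ca.pem
password = current-secret

[00:11:22:33:44:55]
essid = eduroam
bssid = 00:11:22:33:44:55
enctype = peap-tkip
ca_cert = /etc/ssl/certs/eduroam-ca.pem
password = current-secret

[66:77:88:99:AA:BB]
essid = eduroam
bssid = 66:77:88:99:AA:BB
enctype = peap-tkip
ca_cert =
password = current-secret
"""

# Settings that decide whether credentials are protected by server validation.
SECURITY_KEYS = ("enctype", "ca_cert")


def load_conf(text):
    """Parse the INI text; keep option names exactly as written."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_stale_bssid_sections(conf_text):
    """Return (section, essid, differing_keys) for per-BSSID sections that
    still carry a password but disagree with the ESSID-wide profile."""
    cp = load_conf(conf_text)
    global_profiles = {s[len("essid:"):]: s for s in cp.sections() if s.startswith("essid:")}
    findings = []
    for sec in cp.sections():
        essid = cp.get(sec, "essid", fallback=None)
        if sec.startswith("essid:") or essid not in global_profiles:
            continue
        ref = global_profiles[essid]
        diffs = [k for k in SECURITY_KEYS if cp.get(sec, k, fallback="") != cp.get(ref, k, fallback="")]
        if diffs and cp.get(sec, "password", fallback=""):
            findings.append((sec, essid, diffs))
    return findings
```

Run against the real file to get a list of BSSID sections worth deleting or re-saving after a profile change.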