christianp
@christianp@mathstodon.xyz

Something I don't get about #eduroam is that I'm typing my own password into a wireless access point controlled by another university.
Is it just inertia that has prevented it from moving to a web-based SSO process where I log in to my own university's website, and they pass a signed token on to the institution I'm connecting to eduroam from?

grodin
@grodin@mathstodon.xyz

@christianp I can't comment on the accuracy, but eduroam do have their own answers to your questions: https://eduroam.org/eduroam-security/

Colinvparker
@Colinvparker@mathstodon.xyz

@christianp I don't think it's possible to do web-based authentication using 802.1X? The web-based authentication that's used in cafes is often open wifi that just redirects connections until you log in, and I believe that has implications for encryption and security.

ColinTheMathmo
@ColinTheMathmo@mathstodon.xyz

@christianp I had a problem with EduRoam when I was in Canada several years ago. Each institution kept passing the blame to the other, so with the timezone difference, each email took 12 hours to get a response, which was always ... "Ask them".

I had an off-the-record conversation with one of the parties who said: Having to get buy-in from the computer science departments of multiple universities, it's a miracle it exists, let alone occasionally works.

I wonder if interested people should just implement a parallel system that actually works and is competently designed.

ColinTheMathmo
@ColinTheMathmo@mathstodon.xyz

@christianp I'll be interested to see the responses from people who actually know about these things.

I'll chart this later.

christianp
@christianp@mathstodon.xyz

@ColinTheMathmo I don't doubt that eduroam is competently designed. My question was trying to fill in a clear gap in my knowledge - how come this insecure-looking thing is secure?

cmdrSprocket
@cmdrSprocket@mathstodon.xyz

@christianp Without already being into eduroam it might be hard to reach your university.

christianp
@christianp@mathstodon.xyz

@cmdrSprocket not necessarily - most public WiFi works by showing you a login page on connection, blocking all other requests until you're authenticated.

cmdrSprocket
@cmdrSprocket@mathstodon.xyz

@christianp It would mean that all potential eduroam login pages must be accessible before authentication. Tricky to get this right without someone being able to sneak in illegitimate services somewhere.

christianp
@christianp@mathstodon.xyz

@cmdrSprocket yes, so maybe the decision was made that the balance of risks makes the current method better?
I don't know how I would tell if someone was reading my password with the current method, but I can at least confirm a web-based login page is really from my institution. The number of opportunities for hijinks breaking the web-based version must be much higher, which I can sort of believe.

cmdrSprocket
@cmdrSprocket@mathstodon.xyz

@christianp I think eduroam was in use before the rise of the "captive portal standard", and the underlying RADIUS protocol is also not that bad.

But dunno how the client verifies the legitimacy of the radius server before passing the password (if it even does)
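An added illustration, not from any poster in this thread, of the server check cmdrSprocket asks about, written as a wpa_supplicant configuration; the realm example.edu, the CA file path and the server name are assumed placeholders. Under eduroam the home institution's RADIUS server terminates a TLS tunnel (PEAP or EAP-TTLS) that runs through the visited site and the RADIUS proxy chain, and the supplicant should only send the inner username and password once it has validated the server certificate against a pinned CA and an expected name; the outer identity carries just the realm, which is all the visited site needs for routing.

```conf
# Weak profile: no CA pinned and no server-name check. The supplicant will
# complete a TLS handshake with whatever certificate the access point's
# RADIUS side presents, so the inner credential exchange is exposed to
# whoever operates that access point.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="correct-horse-battery-staple"
    phase2="auth=MSCHAPV2"
}

# Hardened profile: pin the home institution's RADIUS CA and require the
# exact name carried by the home server's certificate. Only the genuine
# home server can complete the handshake, so the password is released
# only inside a tunnel that ends at the home institution.
# The outer (anonymous) identity is what the visited site and the proxy
# chain see; the real username travels only inside the TLS tunnel.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct-horse-battery-staple"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
```

The installers produced by eduroam's Configuration Assistant Tool set the CA and server-name fields for each institution, which is the check that distinguishes a supplicant that verifies the RADIUS server from one that does not.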
