F21 System Wide Change: Default Local DNS Resolver

Chuck Anderson cra at WPI.EDU
Wed Apr 30 21:16:13 UTC 2014


On Wed, Apr 30, 2014 at 03:55:59PM -0500, Dan Williams wrote:
> On Wed, 2014-04-30 at 16:12 -0400, Chuck Anderson wrote:
> > If I once connected to an open network called "MyFavoriteCoffeeShop"
> > then later on someone creates a network with the same name but with
> > malicious intent, will NetworkManager connect to it automatically?
> 
> If it uses the same SSID and compatible security settings, then yes.
> That's the nature of 802.11.  However, if the malicious user doesn't
> know the password that you have saved on your machine, or the network's
> CA certificate does not validate, then the attempt will fail.

Right, so NetworkManager shouldn't treat a WIFI network connection as
"trusted" by default unless it is using secure credentials.  For open
networks, it probably shouldn't connect automatically by default at
all.  It certainly shouldn't update resolv.conf with the domain from
DHCP on such a network, and it shouldn't assign such a network to the
"trust" zone of the firewall by default (to bring all these threads
together...)  I'd argue that even a WEP or WPA-PSK network /by
default/ should not do those things.

Probably the only networks where it MAY default to the following behavior:

- Connect automatically
- Use DHCP provided domain name
- Assign network to "trust" zone for firewall or network sharing settings

are these types of networks:

- Wired network
- Wi-Fi with WPA-Enterprise where there is mutual authentication going
  on (supplicant verifies server certificate as trusted)

For other Wi-Fi security types (open, WEP, WPA-PSK), you might be able
to remember the BSSID, IP subnet, router MAC address, or other
detectable things (like UPnP) to guess that you are on the same
network as before, and use that to decide if you should apply the
same "trust" settings as before.

> Furthermore, if the user creates a network of a different type (eg,
> Ad-Hoc but yours is infrastructure), NM will not attempt to connect to
> it.
> 
> Yes, there are ways to game the system, so you are correct that there
> are some cases where NetworkManager could automatically attempt to
> connect to a malicious network that mimics a known network, the same as
> with most other OSs and phones.

It seems like a useful concept to simplify the user experience by
lumping the above things together in a concept of "trust", while still
allowing a user to go in and override the settings if desired.
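
The default-trust policy proposed in this message, sketched as an added example that is not part of the original post and is not NetworkManager code. The `Network` and `Defaults` types, the function names, the security-type labels and the two-attribute match threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Network:
    ssid: Optional[str]
    kind: str  # assumed labels: "wired", "open", "wep", "wpa-psk", "wpa-enterprise"
    server_cert_verified: bool = False  # supplicant validated the server certificate
    bssid: Optional[str] = None
    subnet: Optional[str] = None
    router_mac: Optional[str] = None

@dataclass(frozen=True)
class Defaults:
    autoconnect: bool
    use_dhcp_domain: bool
    trust_zone: bool

TRUSTED = Defaults(True, True, True)
UNTRUSTED = Defaults(False, False, False)

def same_network(seen, remembered, needed=2):
    """Heuristic guess (not authentication) that `seen` is the remembered network."""
    if (seen.ssid, seen.kind) != (remembered.ssid, remembered.kind):
        return False
    matched = 0
    for attr in ("bssid", "subnet", "router_mac"):
        old, new = getattr(remembered, attr), getattr(seen, attr)
        if old is None:
            continue  # nothing was recorded for this attribute
        if new is None or new.lower() != old.lower():
            return False  # a recorded attribute changed: treat as a different network
        matched += 1
    return matched >= needed  # the threshold is an assumption

def default_policy(net, remembered=None, previous=None):
    """Defaults for `net`; `previous` is what the user had chosen on `remembered`."""
    if net.kind == "wired":
        return TRUSTED
    if net.kind == "wpa-enterprise" and net.server_cert_verified:
        return TRUSTED
    # Open, WEP, WPA-PSK, or enterprise without server validation.
    if remembered is not None and previous is not None and same_network(net, remembered):
        return previous
    return UNTRUSTED

# Constructed sample data (documentation address range, made-up MAC addresses).
CAFE = Network("MyFavoriteCoffeeShop", "open", bssid="02:00:00:00:00:01",
               subnet="192.0.2.0/24", router_mac="02:00:00:00:00:fe")
LOOKALIKE = Network("MyFavoriteCoffeeShop", "open", bssid="02:00:00:00:00:99",
                    subnet="192.0.2.0/24", router_mac="02:00:00:00:00:fe")
```

With these samples, `default_policy(LOOKALIKE, CAFE, previous)` falls back to `UNTRUSTED` because the recorded BSSID no longer matches, while `default_policy(CAFE, CAFE, previous)` reapplies the user's earlier settings.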

