[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] Feedback requested: Charter text.



Warren Kumari <[email protected]> wrote:
    > Currently, network providers use a number of interception techniques
    > to reach a human user (such as intercepting cleartext HTTP to force a
    > redirect to a web page of their choice), many of which look like a MitM
    > attack.

I think this is too weak.
I would say:

    Currently, network providers use a number of interception techniques
    to reach a human user.  Technically, most of the mechanisms are
    Man-in-The-Middle Attacks against DNS or HTTP.  This has the effect
    of redirecting all HTTP traffic to a web page of their choice, even
    for requests which are not viewed by a human.  It often also results
    in permanent DNS cache poisoning.

    As endpoints become inherently more secure specifically through DNSSEC,
    and HTTPS-everywhere, existing interception techniques not only fail to
    reach a human, but usually result in a the user and the device being
    confused: their either give up, or complain loudly that the network is
    broken (which technically, it is).

    In the cases where the technique does reach a human, it often results
    in a security warning about a broken certificate, and the resulting
    technique is therefore training users to ignore those warnings.

===

I find your list of deliverables perfect.
I think that this effort could benefit from some significant outreach by
ISOC (and perhaps the IAOC meeting people could involve their contacts): we
need to reach the hotel managers.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-



Attachment: signature.asc
Description: PGP signature