
Re: [Captive-portals] Feedback requested: Charter text.

On Thursday, July 9, 2015, Michael Richardson <[email protected]> wrote:

Warren Kumari <[email protected]> wrote:
    > Currently, network providers use a number of interception techniques
    > to reach a human user (such as intercepting cleartext HTTP to force a
    > redirect to a web page of their choice), many of which look like a MitM
    > attack.

I think this is too weak. 

I originally had something much stronger (with a litany of issues that CPs cause), but toned it down after it was pointed out that this doesn't make it an environment where we will get cooperation from CP vendors and operators.

I'm trying to keep it "friendly"...

I would say: 
    Currently, network providers use a number of interception techniques
    to reach a human user.  Technically, most of the mechanisms are
    Man-in-The-Middle Attacks against DNS or HTTP.  This has the effect
    of redirecting all HTTP traffic to a web page of their choice, even
    for requests which are not viewed by a human.  It often also results
    in permanent DNS cache poisoning.

    As endpoints become inherently more secure specifically through DNSSEC,
    and HTTPS-everywhere, existing interception techniques not only fail to
    reach a human, but usually result in the user and the device being
    confused: they either give up, or complain loudly that the network is
    broken (which technically, it is).

    In the cases where the technique does reach a human, it often results
    in a security warning about a broken certificate, and the resulting
    technique is therefore training users to ignore those warnings.


I find your list of deliverables perfect.

Thank you.

I think that this effort could benefit from some significant outreach by
ISOC (and perhaps the IAOC meeting people could involve their contacts): we
need to reach the hotel managers.

Yup. We need input from captive portal vendors, captive portal operators, operating systems, applications, security folk, etc. Jim Martin and myself are part of the IETF NOC team and so we know some of the hotel CP folk, but we will also chat with the IAOC folk. But, yes, this is going to need lots of outreach -- I really like the ISOC angle...



Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.