I was making the case specifically where a user does not need to enter sensitive information. HTTPS should always be used in that case of credentials and payment info..
Comcast - Wireless Engineer
Phone – 215.286.7283
Cell – 215.609.2691
From: "Linss, Peter" <[email protected]>
Date: Tuesday, October 6, 2015 at 3:07 PM
To: Alex Roscoe <[email protected]>
Cc: David Bird <[email protected]>, Michael Richardson <mcr+[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach
On Oct 6, 2015, at 11:23 AM, Roscoe, Alexander <[email protected]> wrote:
I strongly disagree with this sentiment. These days HTTPS should be the default for all new features, and HTTP only used when there is a technical requirement preventing the use of HTTPS. We want to make the net secure, not add more attack surface.
There have already been reported incidents where the attacker joins a public wifi and hijacks DHCP. The user should have some assurance that the captive portal they're entering their credit card info into is the right one.