Re: [Captive-portals] Ben Campbell's Yes on charter-ietf-capport-00-01: (with COMMENT)

On Wed, Oct 14, 2015 at 6:37 PM, Ben Campbell <[email protected]> wrote:
> I agree with Spencer's comment about MiTM attacks.

Weirdly I don't see Spencer's comments in my mail, but I do see them
in the datatracker...
Anyway, sure, I'm happy to change this to "these interceptions are
indistinguishable from man-in-the-middle attacks"... The original
(clumsy) wording was an attempt to not annoy the CP vendors -- one
thing that I think is very important to this work is to get
participation from CP vendors / implementors and operators -- I didn't
want the charter to say that what they do is a MitM, because that's
pejorative, but Spencer's "indistinguishable from" works nicely.

Responding to Spencer (I'm missing his mail) -- "As endpoints become
inherently more secure" means a bunch of things, including: HSTS /
refusal to downgrade TLS, refusal (or inability) to click through
self-signed certs, client side DNSSEC, DPRIVE (ha!), VPNs, statically
configured web proxies, etc. I had a number of them listed in an
earlier version, but that turned into a: a fight about which are
better, and b: "you forgot $pet_security_mechanism".

Agree that "These might or might not be published as RFCs, and might
or might not be combined in some way." is cleaner.

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.