
Re: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01



On 8 March 2016 at 18:45, Mark Nottingham <[email protected]> wrote:
> I've seen CPs that ask for Facebook username and password, but NOT over HTTPS, and not to a Facebook domain (IIRC); it's more of a user education / security UX problem than anything.


That's perhaps an extreme - and horrific - example of what I thought
you intended here.

Loading a real browser allows a CP to close the loop with tracking
bugs.  That is less offensive, though to what degree might depend on
where you sit.

There are probably plenty of potentially relevant reasons too.  For
example, a network operator might simply want to authorize one set of
users (their paying customers) over others.  A sandbox in that context
represents a hurdle for their users, who can't rely on cookies or
other preexisting state.  The sandbox then has security drawbacks in
that it encourages users to pick less secure passwords.