Re: [Captive-portals] Comments on draft-nottingham-capport-problem-00



While at the same time if we want people to actually use it, a non-HTTP solution can't become a trivially easy off-path attack vector or any of a number of other security problems either.
I think a non-HTTP solution is critically important, but it's equally
important to get the security right for all of this, HTTP(S) based or
not. This is going to fundamentally be hard to get right, if it was
easy we would have dealt with this long ago, but now it is time to work
through this and get it right.
Thanks

On 3/7/16 19:24, Mark Nottingham wrote:
> On 8 Mar 2016, at 2:08 AM, Dave Dolson <[email protected]> wrote:
>> Regarding non-browser clients, even non-HTTP clients, and considering
>> this is the IETF, it seems reasonable to find an IP-layer solution vs.
>> an HTTP-layer solution.
>
> Making the presence of a CP clear to non-HTTP clients seems like a good thing. Doing much more than that (e.g., presenting something to the user, getting their credentials) is less attractive.
>
> Cheers,
>
> --
> Mark Nottingham   https://www.mnot.net/
--
================================================
David Farmer               Email: [email protected]
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================