IETF Logo Mail Archive

Re: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01

Martin Thomson <martin.thomson@gmail.com> Tue, 08 March 2016 09:20 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99FF212D57E for <captive-portals@ietfa.amsl.com>; Tue, 8 Mar 2016 01:20:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([127.0.0.1]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFVmw9kAVKC0 for <captive-portals@ietfa.amsl.com>; Tue, 8 Mar 2016 01:20:20 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5166412D592 for <captive-portals@ietf.org>; Tue, 8 Mar 2016 01:11:27 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id g203so18955054iof.2 for <captive-portals@ietf.org>; Tue, 08 Mar 2016 01:11:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=/sWN0r3SG8DFKnrP41k1YoOK6GI+Dslob/yTs1euY98=; b=BGiQQGowr6cFjnT3mxvLdx579HBrFX/Tg/TcISxCwhs9b2tpT5gkRN/hNJD9QReHmt dYKfRoC7mbhX408vzuUn5S604Czy3QOKfYOpyLQ9h5ER54alem9V5KC0GGHUAGqhP0mZ 0aD17RO4JCgwkTaMV4tVG6q6wvE/LEJAIsOJ3d8tV/s0mti2WOR3ppqd7E3pinICppyw b9kzTasG8hYOIfEjPjMENksTyE4m0dtV9q7wVl9lwFaR3AU7ahkTz8RpLUu6dAAS/mPA OY55wKNjzUGiJhXGQ7JhVrj353vvae+hcokEdvD6I4Y0ueLbhoK4kqktT7Zx40YJHAs0 pieg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=/sWN0r3SG8DFKnrP41k1YoOK6GI+Dslob/yTs1euY98=; b=BQIOoR/B/XF6W7X9vTQBXJqQuwEEHKGivGbNCBFIFCkatbkDEHIvUcwxm1gDUla3kp EwZTK9THt0oNZNJpiPDkYHGYltz10UTMYP1Z00akPmVt90MC/xJvel6MAmzP5gAO3zPu OSDEuw56aPnl2DGe5gpVRXRSagC11z8m8iFBKeCNnbtDs2s4sj1IyJ3Ths4dA1wu1Z2Z J9gGxGsVdPIN5JBMIKDhrheMmSa53Ii5gCovuy4eiawvLf7OZu98t6Ek2Gnup1fFlg9l hq8tUS9kq9/zvyns9HGiX6XczDiFW8pk3v2UtLaSwVyS1jL7sYIfQF84OEQvVdNbTe5j /JRA==
X-Gm-Message-State: AD7BkJLR46inO12+iwiFId/vwhjSQr6zODPXiiXzogyAHIaqp5qfE39K50qyybRPPW+oEkMCsU91EULZpV7Teg==
MIME-Version: 1.0
X-Received: by 10.107.41.133 with SMTP id p127mr26688995iop.100.1457428286550; Tue, 08 Mar 2016 01:11:26 -0800 (PST)
Received: by 10.36.43.5 with HTTP; Tue, 8 Mar 2016 01:11:26 -0800 (PST)
In-Reply-To: <51DE1996-428B-4F22-AB02-64C31F812E39@mnot.net>
References: <CADo9JyVXUR=bgueHW1wWk4PhCJEvs0R-p9ya5wGVEmtYjtoFJQ@mail.gmail.com> <51DE1996-428B-4F22-AB02-64C31F812E39@mnot.net>
Date: Tue, 08 Mar 2016 20:11:26 +1100
Message-ID: <CABkgnnWTfGsbktCHGGygE=Cva4JsA6_mBuBhN2KwrwNSKVQwLQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/AzPAgNv_7AjnBmmie2-Lvr6E_iM>
Cc: captive-portals@ietf.org, David Bird <dbird@google.com>
Subject: Re: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2016 09:20:21 -0000

On 8 March 2016 at 18:45, Mark Nottingham <mnot@mnot.net> wrote:
> I've seen CPs that ask for Facebook username and password, but NOT over HTTPS, and not to a Facebook domain (IIRC); it's more of a user education / security UX problem than anything.


That's perhaps an extreme - and horrific - example of what I thought
you intended here.

Loading a real browser allows a CP to close the loop with tracking
bugs.  That is less offensive, though to what degree might depend on
where you sit.

There are probably plenty of potentially relevant reasons too.  For
example, a network operator might simply want to authorize one set of
users (their paying customers) over others.  A sandbox in that context
represents a hurdle for their users, who can't rely on cookies or
other preexisting state.  The sandbox then has security drawbacks in
that it encourages users to pick less secure passwords.

v2.23.0 | Report a Bug | By Email