Re: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01
Alexis La Goutte <alexis.lagoutte@gmail.com> Fri, 11 March 2016 15:58 UTC
Return-Path: <prolag@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F3CF12D6C6 for <captive-portals@ietfa.amsl.com>; Fri, 11 Mar 2016 07:58:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rr690vqBNMPb for <captive-portals@ietfa.amsl.com>; Fri, 11 Mar 2016 07:58:33 -0800 (PST)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8ECD12D899 for <captive-portals@ietf.org>; Fri, 11 Mar 2016 07:57:55 -0800 (PST)
Received: by mail-lb0-x234.google.com with SMTP id k15so162836136lbg.0 for <captive-portals@ietf.org>; Fri, 11 Mar 2016 07:57:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:sender:in-reply-to:references:date:message-id :subject:from:to:cc; bh=5pybKI2c9G0L+vz5pFfmDcfBGjfT8mr7EyhCkL2I+6I=; b=kBfC9t+c8GNFzfDBXsLYhJwUGnDD24bKfq+LLMZDrT2BTmL7Nx3zFWbpmX4vzrwdPf o/rC/aj0yuCTIiBHbQCFy6x7o/+DsETOBFeaqvLimTTC1Ctew8LQQZ6XszrXYOfOZ0GV ChITDpfMalUYfCWgVgppGuiVcHGGiKIxt/XJzM+PGh3A3oPMq/KxvTL5sF3EbYryQlwy TO+dcO7y3VeTtnpSgvL7EAx5KmdjFr7hWYodu/fcBxdC85Oq3DilBunAH5xmXourZtCI cD2UNFLb+cWYlP6gTWfY3fLPsQyrDt9xi3+j7WBqf7BHB40il7earOALvCFYlqV7JS0A Gfwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:sender:in-reply-to :references:date:message-id:subject:from:to:cc; bh=5pybKI2c9G0L+vz5pFfmDcfBGjfT8mr7EyhCkL2I+6I=; b=kIUvhCglBm95/+rPEsSPBoAL0TS5xQj9zyve0GIk9HWTmxyrwgbS3nKxcOpUVjtDdQ mdNTYJh5uyP/OWknTdHr7SkJEcyPK4ToS7YbW0DX6k7MPthvYEMuJSRI5z77I/hSGRfh JLiNzmfNQ2TSqdXF+h4VkURtPvlc9bYX6hnk5xyKACYmK6uTyC/og8vkI2WRLk/RQIPJ cbC1p1bgnQYsXEDGV+Syj7fyrFReq/04y0HjErj2991ZFbClLD4kxbOMqD4JfMy3fAox JmDUlYuARczz/xv24Zdxjo94NfRcZ4a1V+we++15Wk7c7K95LMDHxZQ1EJmJdMQs/i4x QQKQ==
X-Gm-Message-State: AD7BkJJBeKalDsAPe12bLXwaXN3LTLqjgPzXb9b3tHRQu63qKaMvwmXEKHHh4CmK5IFl/GP4aMeF4Y9BtKgwdw==
MIME-Version: 1.0
X-Received: by 10.25.35.87 with SMTP id j84mr3567039lfj.119.1457711873983; Fri, 11 Mar 2016 07:57:53 -0800 (PST)
Sender: prolag@gmail.com
Received: by 10.25.213.70 with HTTP; Fri, 11 Mar 2016 07:57:53 -0800 (PST)
In-Reply-To: <16287DD0-2408-4164-A945-F10A0D9BF22D@mnot.net>
References: <CADo9JyVXUR=bgueHW1wWk4PhCJEvs0R-p9ya5wGVEmtYjtoFJQ@mail.gmail.com> <51DE1996-428B-4F22-AB02-64C31F812E39@mnot.net> <CABkgnnWTfGsbktCHGGygE=Cva4JsA6_mBuBhN2KwrwNSKVQwLQ@mail.gmail.com> <16287DD0-2408-4164-A945-F10A0D9BF22D@mnot.net>
Date: Fri, 11 Mar 2016 16:57:53 +0100
X-Google-Sender-Auth: z9lT8johuUQf6gBuv6tOk1j9dvk
Message-ID: <CAHzrgZknRL1HtKWUp-C9Da5FGVmJCQ0id+Z_3513u5SY9+HsAQ@mail.gmail.com>
From: Alexis La Goutte <alexis.lagoutte@gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: multipart/alternative; boundary="001a113c9ba06f0f6e052dc7fe70"
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/GbYhzLpq1Jwg7ZJ4R4YrU9W6oiU>
Cc: captive-portals@ietf.org, Martin Thomson <martin.thomson@gmail.com>, David Bird <dbird@google.com>
Subject: Re: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: alexis.lagoutte@gmail.com
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 16:00:24 -0000
On Fri, Mar 11, 2016 at 12:51 AM, Mark Nottingham <mnot@mnot.net> wrote: > On 8 Mar 2016, at 8:11 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > > > > On 8 March 2016 at 18:45, Mark Nottingham <mnot@mnot.net> wrote: > >> I've seen CPs that ask for Facebook username and password, but NOT over > HTTPS, and not to a Facebook domain (IIRC); it's more of a user education / > security UX problem than anything. > > > > > > That's perhaps an extreme - and horrific - example of what I thought > > you intended here. > > > > Loading a real browser allows a CP to close the loop with tracking > > bugs. That is less offensive, though to what degree might depend on > > where you sit. > > > > There are probably plenty of potentially relevant reasons too. For > > example, a network operator might simply want to authorize one set of > > users (their paying customers) over others. A sandbox in that context > > represents a hurdle for their users, who can't rely on cookies or > > other preexisting state. The sandbox then has security drawbacks in > > that it encourages users to pick less secure passwords. > > One aspect that's potentially different is that current CP detection > implementations (going to add a term for that :) can be automatically > triggered; if the OS recognises a SSID ("ATTWifi", anyone?), it'll pop up a > window. > Hi, it is the idea of HotSpot 2.0 from WiFi Alliance ? Add on SSID announce frame (Beacon Frame), It is a SSID with Captif Portal.... HotSpot 2.0 is already supported by WiFi Vendor (Like Aruba / Cisco)... > > Without sandboxing, that means the network gets tracking data without any > user intent in a very common case. An attacker can also spoof a common SSID > to gather such data. > > Of course, OSs could stop automatically joining Wifi networks, but that > would make for a lot of unhappy users... > > > -- > Mark Nottingham https://www.mnot.net/ > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals >
- [Captive-portals] Thoughts/comments on draft-nott… David Bird
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… Martin Thomson
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… David Bird
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… Alexis La Goutte
- Re: [Captive-portals] Thoughts/comments on draft-… Cohen-Rose, Adam
- Re: [Captive-portals] Thoughts/comments on draft-… Michael Richardson
- Re: [Captive-portals] Thoughts/comments on draft-… Martin Thomson
- Re: [Captive-portals] Thoughts/comments on draft-… Roscoe, Alexander