Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
Michael Richardson <mcr@sandelman.ca> Fri, 22 February 2019 16:41 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A8E129284 for <captive-portals@ietfa.amsl.com>; Fri, 22 Feb 2019 08:41:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MMgiqK04n3l for <captive-portals@ietfa.amsl.com>; Fri, 22 Feb 2019 08:41:24 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C83B130ECD for <captive-portals@ietf.org>; Fri, 22 Feb 2019 08:41:23 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3871B3826C for <captive-portals@ietf.org>; Fri, 22 Feb 2019 11:41:11 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 772181DBE; Fri, 22 Feb 2019 11:41:21 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 75C631DB1 for <captive-portals@ietf.org>; Fri, 22 Feb 2019 11:41:21 -0500 (EST)
From: Michael Richardson <mcr@sandelman.ca>
To: "captive-portals@ietf.org" <captive-portals@ietf.org>
In-Reply-To: <e73dc872-3a38-94d1-dfc6-ac1244a337cb@sjrb.ca>
References: <11662.1550772024@localhost> <e73dc872-3a38-94d1-dfc6-ac1244a337cb@sjrb.ca>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Fri, 22 Feb 2019 11:41:21 -0500
Message-ID: <28703.1550853681@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/KoPwUiDIqrOA3s0oG8kkc2Klrf8>
Subject: Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 16:41:28 -0000
Michael Richardson quoted:
> From https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
> "The two people who did get popped, both were traveling and were on their
> iPhones, and they had to traverse through captive portals during the hijack
> period,” Woodcock said. “They had to switch off our name servers to use the
> captive portal, and during that time the mail clients on their phones checked
> for new email. Aside from that, DNSSEC saved us from being really, thoroughly
> owned.”
Christian Saunders <Christian.Saunders@sjrb.ca> wrote:
> The active element here seems to be the forced use of insecure DNS
> servers.
I disagree. It's due to forced use of the captive portal's DNS.
A device will in general have no trust relationship with a captive portal.
It has no reason to trust the captive portal to do DNS correctly
(and no way to get privacy for the requests either).
> The fact that the insecure DNS configuration was forced in order to navigate
> a Captive Portal is incidental, though unfortunate.
So to me, all captive portal DNS systems are by definition insecure.
If one needs to do a DNS lookup in order to get traffic and get a
redirection, then the portal is insecure. And that's why we need an API that
involves more than just capture port-80 and redirect.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Captive-portals] poor captive port design --- A … Michael Richardson
- Re: [Captive-portals] poor captive port design --… Christian Saunders
- Re: [Captive-portals] poor captive port design --… Michael Richardson
- Re: [Captive-portals] poor captive port design --… Christian Saunders