[Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01
David Bird <dbird@google.com> Mon, 07 March 2016 02:03 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797BF1A6F3B for <captive-portals@ietfa.amsl.com>; Sun, 6 Mar 2016 18:03:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.321
X-Spam-Level: *
X-Spam-Status: No, score=1.321 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8wn16bbqlEb for <captive-portals@ietfa.amsl.com>; Sun, 6 Mar 2016 18:03:05 -0800 (PST)
Received: from mail-vk0-x22a.google.com (mail-vk0-x22a.google.com [IPv6:2607:f8b0:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275ED1A6F33 for <captive-portals@ietf.org>; Sun, 6 Mar 2016 18:03:05 -0800 (PST)
Received: by mail-vk0-x22a.google.com with SMTP id e6so103157372vkh.2 for <captive-portals@ietf.org>; Sun, 06 Mar 2016 18:03:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to; bh=0FW5i0mlGr1/o5gdiS2Pv4YdrFN/le99a3InuLNJxBY=; b=HLc3CuiUb1040/MptVqzLxXW580Ub8jc0rAXkMbF9zi/3TVp7LTh4i/+IPxSUd6rLT fB+0U6RiiXb1oVM2JjDK1b+H7uToRNmeq7bhilrwliKSpDqC7GyfQ55Nz9CjyukOzsLz jXC8p7ABXZEOHMhxg1/xycTqpfqkrX6k4xVae7iiyakeUAqQ1pbx6QI3ZQ3oEdFrPdqm L+ATYuKDs2HntbctQC09dJSVp3fN8TgtisurAOI3InRavwQzRM+sm3jb+82CXX0jfMqv Q/OzvTIWNkIrXppDOQvJO0E/wONsmdRTZFYvLvHz/BMEYkLHV7g8P1xCLNOMPTCFsJ6t fA+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=0FW5i0mlGr1/o5gdiS2Pv4YdrFN/le99a3InuLNJxBY=; b=HsUk3wsPQ8As7qRYHPQ7hvOo1ESyg2ojYgJzJmaWy/LUDJ6+izBD19H4tkmvUvh+s4 AR5DSV0I7dn/kTbA5JsjnryWO9jkARDKio+K/ixQ2T28ZEqlZylXtRV279QgEfzRXLaw 6lcO4twzUOOIgikh1L/ujIiaplyYZ+9NxsicZkB7BvQFwVN5as7fCHyNKjPQhDokMAee wOt1SVM47kDXFMIk0xXi9kms361gfRWOv1tmBqJJX57Urx347PcyJS1R5xlIk3jZNg3R GOu6qchWz6ZlnVi/jcoe4WSeR0VOKaIfJ52D6UCX12bHzEQhK2iL2j9uAfA5KdlXQfLE IA5w==
X-Gm-Message-State: AD7BkJLlzSmKIHgkoMUcAXUNehA0egut18zv/mc5XsTlkc56YOV7wm5fwBmCEcIcG+TIvyn6ELc3nzKd8sT8WCw0
MIME-Version: 1.0
X-Received: by 10.31.194.10 with SMTP id s10mr18484667vkf.72.1457316183945; Sun, 06 Mar 2016 18:03:03 -0800 (PST)
Received: by 10.159.37.42 with HTTP; Sun, 6 Mar 2016 18:03:03 -0800 (PST)
Date: Sun, 06 Mar 2016 18:03:03 -0800
Message-ID: <CADo9JyVXUR=bgueHW1wWk4PhCJEvs0R-p9ya5wGVEmtYjtoFJQ@mail.gmail.com>
From: David Bird <dbird@google.com>
To: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="001a114661dc78827d052d6bdd86"
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/coP65-UXxn6ydsyM4xvXx2kSLxU>
Subject: [Captive-portals] Thoughts/comments on draft-nottingham-capport-problem-01
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2016 02:03:07 -0000
Greetings, Overall a good and much needed document! A few first round comments: -- I find the terms "captive portal" and "portals" can be confusing in the doc. It can mean the general feature, from the end-user-perspective, of being hijacked and being presented a captive portal page. At times, it means the specific hijacking mechanism within the network - the Network Access Server (NAS), and at other times it can mean specifically the captive portal website itself. I was hoping this doc could include some terminology. Maybe: Captive Portal - The feature of forcing users to a specific captive portal website CP-Network - A network the employs a captive portal; integrated CP-NAS and CP-Web (depth of integration varies) CP-NAS - A feature of the network infrastructure that enforces a captive portal, redirecting to CP-Web CP-Web - A website application that authorizes users onto CP-Network -- In Section 2, Once the captive portal's goals (see below) are met, the network "remembers" that the user is allowed network access, usually by MAC address. Maybe "Once the CP-Web's requirements (see below) are met, the user is released from the captive state within the CP-NAS. The implementation details and degree of integration between CP-Web, CP-NAS, and other network services (such as DHCP, DNS, etc) will vary between CP-Networks." -- Regarding: *Unexpected Configuration* - Some captive portals rely upon DNS interception to direct users to the portal; however, this doesn't work when the user has configured their own DNS server in preference to that provided by DHCP (e.g., 8.8.8.8). The supporting text seems rather specific to CPs that use forged DNS... Maybe "Some captive portals do not work with clients using unexpected configurations, for example clients using static IP, custom DNS servers, or HTTP proxies." (If kept, s/doesn't work/may not work/ - the CP-NAS could override with a DNAT to a specific DNS (not that I ever think faking DNS is a good solution)) -- Regarding: *Stealing Access* - because captive portals most often associate a user with a MAC address, it is possible for an attacker to impersonate an authenticated client (e.g., one that has paid for Internet access). This is an issue with Open WiFi, not necessarily with captive portals. If you removed the Open WiFi (say the CP is being used on a secure wireless medium), then this completely doesn't apply. While I agree this is an issue with (especially paid) access over Open WiFi, not sure it belongs in this doc, and securing the Open Bss shouldn't be within the scope of the WG. -- Regarding: *Access to Privileged Information* - Some captive portals want to utilise external information about the user, such as social media account logins and/or advertising tracking/targeting services. However, because the captive portal is effectively acting as a man-in-the-middle, providing these capabilities can put the user at risk. Not sure I follow this one... True that a CP might require an external login of some kind, but if done within the walled garden and over HTTPS, then how does the CP-Network increase exposure here? Or, is this also talking more about Open WiFi problems? -- Regarding: *Connectivity Interruption* - For a device with multiple network interfaces (e.g., cellular and WiFi), connecting to a network can require dropping access to alternative network interfaces. If such a device connects to a network with a captive portal, it CAN lose network connectivity until the captive portal requirements are satisfied. I added the CAN above as not all devices will drop the existing good connection when connecting to a network with a CP detected. -- In section 4, it says "Detection aims to minimize the negative effects caused by captive portals in several ways. Captive portal detection can cause issues in some networks; for example: .." Suggestion: after "several ways, " list a few, or change to something like "Detection aims to minimize the above negative effects caused by captive portals, but can cause different issues, including: ..." -- I don't feel we have explained the reasons for operators wanting to defeat the CP detection in section 4.1. Perhaps in section 4, under *Sandboxing* we can explain: While sandboxing seems a good idea to protect user data (particularly on Open WiFi), it is implemented differently on various platforms and often causes a (severely) broken user experience on the operator's CP-Web site (even when the operator is protecting user data end-to-end with HTTPS). To offer a consistent and rich experience on the CP-Web, some operators actively try to defeat OS CP detection. -- If I may rant a bit... OS vendors and others doing CP detection are conflating security issues around Open WiFi and Public Access Networks, and the need to protect user data in such networks, with CP detection. While CP detection is perhaps a good signal for designating a network as Public Access, it does not inherently mean the underlying network is "insecure". Nor does the absence of a CP in an Open WiFi network mean the underlying network is in anyway "secure" (and therefore not Sandboxed). The reasons for vendors being extra suspicious of CP networks is because of the similarities with mitm attacks - which is understandable. However, as CP networks are more common place and the mechanisms for signaling become more formalized (thanks to this WG), vendors need to work with, not against, operators who utilize TLS to protect user-data even in Open WiFi public access networks, to offer a full browser CP-Web experience. -- David
- [Captive-portals] Thoughts/comments on draft-nott… David Bird
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… Martin Thomson
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… David Bird
- Re: [Captive-portals] Thoughts/comments on draft-… Mark Nottingham
- Re: [Captive-portals] Thoughts/comments on draft-… Alexis La Goutte
- Re: [Captive-portals] Thoughts/comments on draft-… Cohen-Rose, Adam
- Re: [Captive-portals] Thoughts/comments on draft-… Michael Richardson
- Re: [Captive-portals] Thoughts/comments on draft-… Martin Thomson
- Re: [Captive-portals] Thoughts/comments on draft-… Roscoe, Alexander