IETF Logo Mail Archive

Re: [Captive-portals] Arguments against (any) Capport "API"

David Bird <dbird@google.com> Fri, 07 April 2017 15:03 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970D6129455 for <captive-portals@ietfa.amsl.com>; Fri, 7 Apr 2017 08:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIgxI_5F57M7 for <captive-portals@ietfa.amsl.com>; Fri, 7 Apr 2017 08:03:14 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DAA812773A for <captive-portals@ietf.org>; Fri, 7 Apr 2017 08:03:14 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id v3so13222320qtd.3 for <captive-portals@ietf.org>; Fri, 07 Apr 2017 08:03:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lvNR8g1RZsorGkAiXtKwOEqBS1TIgpbtqURe2YKXkVM=; b=hdp6cnKCP3sP8QSO9BVKwKLuRQu14nE0YTkaTRRzKJz31gXXqRPH1ovrUu+Ng3rQBH sI1hyW6btLuX9L+gcs73q7ac5aXYQWq41endCBYM2ZxZChPKvQpnfpWhW/cJUNJnDuyR CD9cO2iW7jvmmwM1G78+CYkfdSzqKYu3QRWDTNjJ23i2e6wrWxi/AHxbg2gDHleQ2p+d sdD0PJQyzp/KogGO/ei5JriXotdWUspyRCKWsqzJ6809J2J+58n5iiyVv8i1dNlGj/yV THv59rTIpquEY7OJ1YBZGckHKmH5+yFp8C2eAB5Otht6liq9Qx6HmzFtPjDAmCEBB30h 2vHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lvNR8g1RZsorGkAiXtKwOEqBS1TIgpbtqURe2YKXkVM=; b=ArrH9ShL48rTrqhGI5FUTwp/On522HaV5Esz8IhztofYhydKhXe45zxzLqVYwLTw7c RgobPt9ZPwyLLElF0kQXw3ayR5DmnGDB3tMkp1j4mCdY/uKQKKWzETjOXeBI2J3OAtMR 1c8FxUC7op2kIddI6ed/x+quJrPQ+bIdGpoAySNDy13Wh8cick6hb506hgGoeK3Iu47y hKY7V5d6I4fw67M0scA2TO2HCkW4rxEOObfJ4U2CSXX2mDlt7SbXOLLHvTzaW20rsZGh fc2w7kMylH05kNhMPlgnlEdFT5Sd1vt7wNGVxECS3hnu34SU1iltJoIIL5FwT+eq3ND8 Qb9A==
X-Gm-Message-State: AFeK/H2EOlbeJV4DgUEz4V52iJO1E0NHGmHS3YaR1L2anIm1vD2oACe3RP4be5WvYMl8hirgeADdsNFAox3hT/rk
X-Received: by 10.237.57.164 with SMTP id m33mr43868960qte.293.1491577393406; Fri, 07 Apr 2017 08:03:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.233 with HTTP; Fri, 7 Apr 2017 08:03:12 -0700 (PDT)
In-Reply-To: <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com> <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Fri, 07 Apr 2017 08:03:12 -0700
Message-ID: <CADo9JyUbjD-Q-Oic0d7KqE4xRyUMxoN-5eVppmhp23NWBEkZwg@mail.gmail.com>
To: Erik Kline <ek@google.com>
Cc: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="001a11410306b0e3bc054c94ecb5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/dlPZezWP7qE6doANoRn7FzHkgtw>
Subject: Re: [Captive-portals] Arguments against (any) Capport "API"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 15:03:16 -0000

A root cause of the so-called 'arms race' around captive portal detection
that I'm trying to highlight is that it will always continue for as long as
UEs treat captive portal networks specifically different than they do
public access networks generally, you will have incentive to exploit that
difference in behavior in the public access industry.

On Fri, Apr 7, 2017 at 6:52 AM, David Bird <dbird@google.com> wrote:

> On Fri, Apr 7, 2017 at 6:36 AM, Erik Kline <ek@google.com> wrote:
>
>> I think the client should, ideally do:
>>>
>>> -  Use the network for all connections (why ask permission when
>>> forgiveness is cheap).
>>>
>>
>> Not gonna happen.  Mobile clients do a ton of work to enable "make before
>> break".  There is no such thing as forgiveness from users who can't get
>> Facebook updates, Twitter notifications, nor email while their device is
>> held hostage because it switched to Wi-Fi and tore down mobile before
>> checking for a captive portal.
>>
>>
> But, it DOES happen when you connect to Open SSID without captive portal
> (or when the venue evaded your detection). Maybe the captive portal
> networks wants to offer these services in their walled garden... and it is
> likely the user would be happy about that (provided they selected the
> network on purpose).
>
> If you had ICMP giving you real-time feedback, you could more accurately
> (and quickly) detect what connections will work and which will not on the
> network. QUIC will help in maintaining session continuity as connections
> are pinned to different interfaces.
>
>
>
>> This may also address your question elsewhere about browsers and
>> "sandboxing".  I suspect the sandboxing to which you're referring is about
>> cookie isolation (primarily), but there's a kind of "network sanboxing"
>> that is applied as well to ensure the browser uses a self-consistent
>> networking configuration.
>>
>
> Cookie isolation on secure websites doesn't really help the user any...
>
>

v2.23.0 | Report a Bug | By Email