IETF Logo Mail Archive

Re: [Captive-portals] Arguments against (any) Capport "API"

David Bird <dbird@google.com> Wed, 05 April 2017 21:38 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46B5C1294B9 for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 14:38:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUfoaDD3VvWK for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 14:38:10 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 985E81294B2 for <captive-portals@ietf.org>; Wed, 5 Apr 2017 14:37:55 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id n21so22315911qta.1 for <captive-portals@ietf.org>; Wed, 05 Apr 2017 14:37:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rO85XBt7HjRCQ6/o2xZyUOaeqBwZUONodHwf5KUNMR0=; b=vNED5KPfXhvbyGywVfOnyeCuskkO5zSv/fBIdTqprAXUKkKDVNEDbs6BEJH50f7/C2 v0lDNGKZId0lRfXFT3nOJzd9irlohbNJcy1WkH2Zjg+N8GzKRvUf5IhEl4u05TBe8goR uINyOREhkF0Z1k+6hr4nk6+awvmqSoZD88F3QEvY3oRv1tRI5TdSQyrXqJ+aDwmkVGuu /zXakHq2D/Wrp5Hz+YUop0wi7FnyOVVdwpRYeUvxGidRxx7frgElBHv2MgHMcq7s+iPk 0VPedPUObEmVhUBrmea+UBc6twHNjyBCZ5tn6n/fHLrduRBWG5V14ilrgBK1fwuRdBdP n5eA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rO85XBt7HjRCQ6/o2xZyUOaeqBwZUONodHwf5KUNMR0=; b=oVrMC74NqBnj5yaVGDQWH0y8EoVHszLiN9JWRpQuTR0xynG2FYgZPnY2hP0z1HtzeZ LaXtC9WqAUwY56p7VUk1ZcVZ/eRQLF7b4ev3rB4rRL9bXCMaUWOprKyr3UfaPglrCjaG X03mxHi72T0VQjZKYCw82E80jZtdvj7PeRBgR4cu6AmWYM1dvTgwVQgquWgMh5XYOiEy 5740o8JboysOfSnEdsd5lHM4FmwYmrCRN3qwXmyi6atN6qM/1Ek4RjUm74cbmkDLrtaC N8Wj/d7r/xB5hWm10QbSzv8+3Tn2+RfQnV25sZDwL7RCbl/620pb+SpaJ/DJBVduMKfz n6yw==
X-Gm-Message-State: AFeK/H08JJ2uBWO1Ki82yPZqgKIuEXZaUBvfsdgQNt4bMgGqs/Duqbb6wqloW/zS/RtiGtuqTYVcc1A5VAT4Jb/v
X-Received: by 10.237.35.218 with SMTP id k26mr33982031qtc.60.1491428274348; Wed, 05 Apr 2017 14:37:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.233 with HTTP; Wed, 5 Apr 2017 14:37:53 -0700 (PDT)
In-Reply-To: <E8355113905631478EFF04F5AA706E9870579488@wtl-exchp-1.sandvine.com>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <alpine.DEB.2.02.1704042139110.27978@uplift.swm.pp.se> <CADo9JyVr07w5GRpF+UzSBHRuo=V=3p9MeyhFdzB+5pZk7_amNw@mail.gmail.com> <D76BBBCF97F57144BB5FCF08007244A77059CE49@wtl-exchp-1.sandvine.com> <CADo9JyUnOfXSfXufzSk=QajyG2KXQfKzmQayca1kitRoAuwsqg@mail.gmail.com> <c12d4153-a053-8402-46a0-bfe6cb7228e9@sjrb.ca> <CADo9JyXPUPLU4aKueT7HxTU1CYfY=HrhqRz0OcCu4z1AivP-hg@mail.gmail.com> <E8355113905631478EFF04F5AA706E9870579488@wtl-exchp-1.sandvine.com>
From: David Bird <dbird@google.com>
Date: Wed, 05 Apr 2017 14:37:53 -0700
Message-ID: <CADo9JyW47Uiw51w8Bhgvv9D23tPPFa0u8EVH50etB8CsE91PBw@mail.gmail.com>
To: Dave Dolson <ddolson@sandvine.com>
Cc: Christian Saunders <Christian.Saunders@sjrb.ca>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="001a113e3fda813ebf054c723452"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/m1v0NCDwSNBeB0OpKn48t3ZaatY>
Subject: Re: [Captive-portals] Arguments against (any) Capport "API"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 21:38:14 -0000

The browser sandboxing issue is slightly more complex... I too am hoping
engineers working on such things participate in this discussion!

I've been told various reasons, from 'I don't remember', to 'others do it
that way', and sometimes reasons why it serves to protect the user. The
latter argument, I believe, is historic in that captive portal networks
were (are?) viewed as 'hostile'. I don't think this argument really holds
much weight because:

- It conflates captive portal to mean public access. Today, a captive
portal doesn't have to mean public access (it can be a trusted network
too). Also, an Open SSID network with no portal is just as hostile (if not
more, in that they aren't even notifying you of their man-in-the-middle
'presence').

- The sandbox browser comes up because, we guess, the network is 'hostile'
(even though the user *selected* this SSID in the case of it being Open),
yet after the user interacts with the captive portal, the UE determines all
the sudden that the network is not so hostile? To think that people today
select an Open SSIDs and then freak out about a captive portal I think is
out-dated.

If protecting the user, while also offering ease of use for legitimate
captive portals, I will be idealistic and say:

- UE should classify networks as public vs. private, where an Open SSID is
always automatically put into the public category. All non-secure browser
connections get sandboxed, secure connections go ahead (let TLS do its
thing). [This line item has nothing to do with captive portals.]

- If the UE detects capport, that it will at least check the URL from
capport detection (following any redirects) to verify it is https:// before
launching a user default browser (with or without a message somewhere
indicating this site is a captive portal).  If it makes the user feel
better, non-https could be sandboxed, but not when secured.

- To prevent a network from getting a URL / website into your default
browser cache (by hijacking and redirecting you there), the UE should
present the user (even in the notification event) of the captive portal URL
FQDN they are about to connect to -- it could even give a TLS indication
and cert verification icon. (Of course, the clever attacker can still mess
with you using DNS and hijacking connections later on, after capport
detection, so...)

What is ironic is that this is sometimes called an 'arms race', when in
fact both parties are just trying to make the user experience better or
safer, yet neither are being successful. For Hotspots, they have website
usability reasons to hate capport detection, yet increasingly they are
having problems with user experiences around HTTPS. Engineers hate captive
portal, they think they are *broken*, and think avoiding detection is
further proof captive portals can't be trusted. Hotspot are largely broken
for the user because of the combination of sandboxed browsers and OS
capport detection being evaded.

A note about capport detection evasion: It is not always on purpose... As
more hotspots do "social login" applications, they are opening up the
walled garden surprisingly wide to get that to work...



On Wed, Apr 5, 2017 at 9:40 AM, Dave Dolson <ddolson@sandvine.com> wrote:

> I’d like to hear from browser vendors as to why the browser gets sandboxed
> when interacting with a captive portal.
>
>
>
> If one could trust the URL came from the local network (via DHCP), could
> restrictions be lifted?
>
> If the URL were HTTPS, and certificates were valid (e.g., valid cert of
> Chicago OHare Airport), could restrictions be lifted?
>
>
>
> Because as we’ve heard, portals try to defeat captive portal detection to
> get the “real” browser: cookies, video player, etc.
>
>
>
> -Dave
>
>
>
>
>
> *From:* Captive-portals [mailto:captive-portals-bounces@ietf.org] *On
> Behalf Of *David Bird
> *Sent:* Tuesday, April 4, 2017 5:35 PM
> *To:* Christian Saunders
>
> *Cc:* captive-portals@ietf.org
> *Subject:* Re: [Captive-portals] Arguments against (any) Capport "API"
>
>
>
> Thanks Christian,
>
>
>
> I wanted to high-light something you said:
>
>
>
> On Tue, Apr 4, 2017 at 1:13 PM, Christian Saunders <
> Christian.Saunders@sjrb.ca> wrote:
>
> I agree that determining the operators intention for the portal isn't
> really worthwhile.
>
> *On the other hand, it is worth providing the operators with tools to
> enable as seamless an experience as possible.*
>
>
>
> This is exactly right... the (consistent) and seamless an experience as
> possible.
>
>
>
> However, today this sometimes means tricking UE captive portal detection
> into not giving you the 'other' browser (sandboxed, incognito, or otherwise
> not the browser the user is already logged into sites with). For people who
> build fancy websites for Hotspots, you can imagine that is frustrating (to
> require users to login, every time, even when your site uses HTTPS and
> cookies are "safe").
>
>
>
>
>
> Beyond this the operators will sink or swim on their own merits.
>
> Cheers!
>
> Christian
> Shaw Communications Inc.
>
>
>
> On 17-04-04 02:05 PM, David Bird wrote:
>
> Attribution / advertising is a big motivator, at least in the US.
>
>
>
> On Tue, Apr 4, 2017 at 1:00 PM, Kyle Larose <klarose@sandvine.com> wrote:
>
> I was sitting in a coffee shop on Saturday in Chicago, and decided to log
> in to their wifi. It was a captive portal that basically said something
> like “Hey, we’re giving you this service for free, because we’re [the
> coffee shop] awesome!”. To log in I just needed to click a button to
> continue.
>
>
>
> The point here, I think, is that the coffee shop is providing this as a
> service to you, and wants you to know that. I’m not sure how much that is
> worth to them, but it’s an example of something that isn’t just ToS, and
> wasn’t terribly intrusive.
>
>
>
> *From:* Captive-portals [mailto:captive-portals-bounces@ietf.org] *On
> Behalf Of *David Bird
> *Sent:* Tuesday, April 04, 2017 3:52 PM
> *To:* Mikael Abrahamsson
> *Cc:* captive-portals@ietf.org
> *Subject:* Re: [Captive-portals] Arguments against (any) Capport "API"
>
>
>
> My opinion is that guessing why venues put up a portal isn't always that
> useful. The point is, they *have* a reason. In some countries, there are
> legal requirements to display ToS. While we could try to implement ways
> around ToS type portals, are we helping the venue be more compliant? In all
> jurisdictions? (Some laws *require* the ToS is displayed *every time*).
>
>
>
> For some locations, they may simply WANT to annoy you! (While also
> collecting per session fees from Boingo or iPass for the privileged of
> skipping that annoying portal.) More than likely, however, sites like the
> one you mentioned are just themselves concerned about liability and want
> that minimal amount of disclaimer...
>
>
>
> As a user, you should either be willing to view the portal, pay for ease
> of use, or find another network...
>
>
>
> David
>
>
>
>
>
> On Tue, Apr 4, 2017 at 12:43 PM, Mikael Abrahamsson <swmike@swm.pp.se>
> wrote:
>
> On Tue, 4 Apr 2017, David Bird wrote:
>
> The one area I do see value in solving is how to get headless IoT devices
> on-line on capport networks.. But, in some ways, all we need their is a
> WISPr client in the device and an out-of-band way of configuring
> credentials into it. That can be solved with existing protocols and
> technologies.
>
>
> I only have experience with captive portals as a user. When I travel the
> world, I have frequently seen captive portal pages that as far as I can
> see, offer nothing apart from a login page. It might have the hotel name in
> there, but that's it. So then I have to manually do something like find the
> piece of paper where my username/password is, and enter that. It seems to
> be only about authenticating me as actually being a resident of the hotel
> or whatever venue it is. Sometimes it seems to be there because there are
> legal requirements for tracking (they will write down a log of my room
> number and username on the paper in a ledger).
>
> It's extremely cumbersome and as far as I can tell, it adds nothing for
> the WISP (at least nothing I can tell) by means of marketing or alike, it's
> only for assuring that people in the street can't just use the wifi.
>
> Do you know the motivation for doing this in the context of your email? Is
> there added cost for them to automate the behavior, as in IPR or other
> licensing cost for them to use the automation tech that perhaps is already
> available in my mobile device?
>
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se
>
>
>
>
>
>
>
> _______________________________________________
>
> Captive-portals mailing list
>
> Captive-portals@ietf.org
>
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>

v2.23.0 | Report a Bug | By Email