Re: [Captive-portals] Discovering captive portal API URL via DNS?
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 04 September 2019 14:15 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 496611200F4 for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 07:15:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ROV6CSrgSJlZ for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 07:15:44 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B72112001A for <captive-portals@ietf.org>; Wed, 4 Sep 2019 07:15:44 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [80.233.41.97]) by relay.sandelman.ca (Postfix) with ESMTPS id F15581F45A; Wed, 4 Sep 2019 14:15:40 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 849BE2BD6; Wed, 4 Sep 2019 10:16:13 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Lorenzo Colitti <lorenzo@google.com>
cc: captive-portals@ietf.org
In-reply-to: <CAKD1Yr0RvYU9TDjiU4Pm9QdVY_Z4XAN74wXcWhMhJ+smQLr_aw@mail.gmail.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com> <18051.1567582038@dooku.sandelman.ca> <CAKD1Yr0RvYU9TDjiU4Pm9QdVY_Z4XAN74wXcWhMhJ+smQLr_aw@mail.gmail.com>
Comments: In-reply-to Lorenzo Colitti <lorenzo@google.com> message dated "Wed, 04 Sep 2019 17:00:41 +0900."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 04 Sep 2019 17:16:13 +0300
Message-ID: <27990.1567606573@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/vYXxIOh1YB7N67VlcwExCDton8E>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 14:15:46 -0000
Lorenzo Colitti <lorenzo@google.com> wrote: mcr> that things like DoT/DoH can not be used by the captive portal mcr> client. (I just want to make the assumption explicit. I'm not mcr> complaining about it) > That's not really an assumption - the fact that the captive portal > client can't do DoT/DoH is mostly true today, because unless the portal > is open, 443 and 853 are likely to be blocked. By and large, DoT / DoH > clients probably already know not to attempt them on captive portals. Well, a captive portal could leave HTTPS to cloudflare open, the same way that they might leave Do53 open to themselves, or to quadX. That works today for some portals. And if the portal doesn't let just *any* Do53, but only to known public resolvers (which they can even proxy if they want), then they can be sure to defeat DNS-VPN mechanisms. Some portals today *do* depend upon creating answers for names that aren't real. That fails today if you do DNSSEC validation. Of course, some still depend upon lying about all DNS requests, and but we have agreed that this is bad. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Captive-portals] Discovering captive portal API … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Cappalli, Tim (Aruba Security)
- Re: [Captive-portals] Discovering captive portal … Erik Kline
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Erik Kline
- Re: [Captive-portals] Discovering captive portal … Martin Thomson
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Tommy Pauly
- Re: [Captive-portals] Discovering captive portal … Tommy Pauly
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Nicolas Mailhot