[Doh] Captive portals (was Re: suggested slides for IETF 104 on draft-reid-doh-operator)
"Martin Thomson" <mt@lowentropy.net> Fri, 15 March 2019 02:22 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC1A127817 for <doh@ietfa.amsl.com>; Thu, 14 Mar 2019 19:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=A5UTJbCC; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jrGuyMq/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-Lh1WO8tjqT for <doh@ietfa.amsl.com>; Thu, 14 Mar 2019 19:22:06 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F41631277D9 for <doh@ietf.org>; Thu, 14 Mar 2019 19:22:05 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 213EE21EFE for <doh@ietf.org>; Thu, 14 Mar 2019 22:22:05 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Thu, 14 Mar 2019 22:22:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=ddX1x x8vX1aONmGgEKVeg5Bia0UjvOPB6omFfdQG8fg=; b=A5UTJbCCrv/NJ8/W15lv/ szv3yLN/hS8qonHXc2Iciy4VgfVuNNJWgjWFCzrJVnZHZ5L5sEeBW7NgVEgOBuPq 5ul/3QL86PNfxNjP8ww7VLxHCfsYyaQ1vGYApzjA4dY+Lw1Nd0ADxsUGHdJ0fH9L 38eM2KA3FzMghK1kymiZr87ZDvmXdRHVigjYJFbnD7f+I1cM5/InC/T409Dg1PoB 4TnSDspf/XhgdpIdBWqDdxkcR/ZNcAxhWXqvTaU4oV2CNN+Us10DZjZmXGF31TpE PsTQYYMLnXcLMiDhKr5KNPhmOIDpSpohGdqkjsXbUyvhFywW4IRa8wOL2slpNI1I g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=ddX1xx8vX1aONmGgEKVeg5Bia0UjvOPB6omFfdQG8 fg=; b=jrGuyMq/wOGAFNAtIrKY8ytPeuQZ7JvpxwKnDs2/xxUKNGPY0WLIxPZF8 o5aC/xWmE5pvFM75JKMBy3WbAm2Kvk1o5Ig/2qP0dRzjjQQBw5l2oXXyb+V0kQdz 5wTnDsMrzUpyoF567fjNeFQHPI1diU/amR0Rez82yhSF8wG2SDRUvr24Gj2CEKRk 82a/5hegD8HuRJlmewJu5GQLGUb4MlLayXX3b0lC4EinQRCvA4nPnDe+32TObOO3 hEbkIbIM/BI/+5moOQJ29hPpaN2tPEmQD7Lx2/YMndxEyxTZ6aIZcXJTFavCy0Wp D8sK+3V2gR8WxoX7wI4k7P8g43qMg==
X-ME-Sender: <xms:TAyLXPQIShEDGE8BjZIOY6VblgbUGZ6lnP39DYLk9MbGvBkncJcJTw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrheeggddulecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehloh ifvghnthhrohhphidrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:TAyLXGZxIOZ_HoveFR57ICSU_YLjf-rByygATT3bLMpYag2HdHO6qg> <xmx:TAyLXM6hkVVS-sCgrD8Nbdped2xpWzs7Ti5rhg95ItV9eCTWTTYqZQ> <xmx:TAyLXHvTmGIQHwtCsR6mamlJHUrDnx84dXFzC3G5qTvSWMM_BP5b-g> <xmx:TQyLXGzCTaf6B5FyWpf5b0RPJt7ud9ZMpRTcskmD9Cm7RWlhwYd4hw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 831877C1B7; Thu, 14 Mar 2019 22:22:04 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-976-g376b1f3-fmstable-20190314v3
Mime-Version: 1.0
X-Me-Personality: 92534000
Message-Id: <0fce90e8-38ef-4503-8e52-0ef8c8d87f64@www.fastmail.com>
In-Reply-To: <A0E89D03-9D2D-462F-88F4-11824AC9A523@rfc1035.com>
References: <A0E89D03-9D2D-462F-88F4-11824AC9A523@rfc1035.com>
Date: Thu, 14 Mar 2019 22:19:59 -0400
From: Martin Thomson <mt@lowentropy.net>
To: doh@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LngFg4iETL3sIQMNfj5ynaMYacE>
Subject: [Doh] Captive portals (was Re: suggested slides for IETF 104 on draft-reid-doh-operator)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 02:22:08 -0000
Thanks for sharing the slides Jim, (As an aside, the parallels between your summary of the draft and draft-mm-wg-effect-encrypt are striking.) There are lots of *things* on your list, but maybe it would help to look at a few in more detail to see what they teach us. I happen to chair a working group that is tasked with improving the captive portal situation, so I thought I'd start there because it's first on your list too. The first thing I observe is that the story could be different depending on where the remote resolver is configured. In particular, whether you consider the configuration of an remote, encrypted resolver to be system-wide or per-application. Captive portal detection is typically done at a system level, and so the system-wide configuration would seem to be most relevant to this particular issue. That is, unless the network manages to successfully evade the various captive portal detection mechanisms in the hopes that they can somehow present information in the browser, which I'll get back to. As I've learned, operating systems typically use very different network configuration during the captive portal detection phase, and most won't be applying encrypted DNS policies until they have first validated the network is "usable". So I would expect that even if the operating system is configured to use an encrypted DNS service other than the one the network provides, it would still use the network-provided service while it is bootstrapping. For instance, I understand that Android uses the network resolver to discover the IP address of its DoT/DoH resolver (Ben can probably clarify/correct me here). If the network decides to evade captive portal detection, then it is playing roulette. Most applications now use authenticated connections to services, and so do many websites. A DNS redirection is no more effective in these circumstances than a port 80 interception[1]. The application detects the "attack" and throws up errors. That can lead to the operating system concluding that the network is broken if applications report these errors. If you are lucky and it is a web browser that first makes a connection and that connection is to a site without HSTS, then the network gets a chance to show a web page. I shouldn't need to quote stats on app vs. browser usage and proportion of HTTPS on the web to make it clear that this playing this game has increasingly bad prospects. If this is a per-application configuration, then only those applications that are configured to use remote, encrypted resolvers are affected. They fail to get the modified DNS results, but all the other problems still exist. That makes me conclude that captive portals aren't any worse off as a result of operating systems or applications choosing to configure their own encrypted resolver service. Given that using DNS for captive portals is worse than alternative methods[1], I'd suggest that we not concern ourselves with this particular problem. Cheers, Martin [1] Spoofing DNS results for captive portals poisons the cache, which makes DNS rewriting a bad choice for this use case. This is - in part - why most captive portals intercept TCP on port 80 and spoof an HTTP 302 instead. And if you consider DNSSEC-validating endpoints, that would be another reason not to spoof DNS... if those existed in any significant numbers. On Fri, Mar 15, 2019, at 03:39, Jim Reid wrote: > Here’s what I plan to present at the WG. Please comment on the list if > you have questions or suggestions.
- [Doh] suggested slides for IETF 104 on draft-reid… Jim Reid
- [Doh] Captive portals (was Re: suggested slides f… Martin Thomson
- Re: [Doh] Captive portals (was Re: suggested slid… Ben Schwartz
- Re: [Doh] Captive portals (was Re: suggested slid… Jim Reid
- Re: [Doh] Captive portals (was Re: suggested slid… Jim Reid
- Re: [Doh] Captive portals (was Re: suggested slid… Daniel Stenberg
- Re: [Doh] [EXTERNAL] Re: Captive portals (was Re:… Winfield, Alister
- Re: [Doh] [EXTERNAL] Re: Captive portals (was Re:… Daniel Stenberg
- Re: [Doh] Captive portals (was Re: suggested slid… Stephen Farrell
- Re: [Doh] Captive portals (was Re: suggested slid… Martin Thomson
- Re: [Doh] Captive portals (was Re: suggested slid… Thomas Peterson
- Re: [Doh] [Captive-portals] Captive portals (was … Tommy Pauly