IETF Logo Mail Archive

Re: Portal authorization

"Nicolas Mailhot" <nicolas.mailhot@laposte.net> Tue, 10 April 2012 11:05 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214AD11E80A5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Apr 2012 04:05:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.455
X-Spam-Level:
X-Spam-Status: No, score=-10.455 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_RMML_Stock10=0.13]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HqYVLvB29ibm for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 10 Apr 2012 04:05:21 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id CC6C011E8072 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 10 Apr 2012 04:05:20 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1SHYrk-0006II-4U for ietf-http-wg-dist@listhub.w3.org; Tue, 10 Apr 2012 11:04:04 +0000
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <nicolas.mailhot@laposte.net>) id 1SHYrb-0006Gr-8R for ietf-http-wg@listhub.w3.org; Tue, 10 Apr 2012 11:03:55 +0000
Received: from smtpout5.laposte.net ([193.253.67.230] helo=smtpout.laposte.net) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <nicolas.mailhot@laposte.net>) id 1SHYrQ-0003oY-U5 for ietf-http-wg@w3.org; Tue, 10 Apr 2012 11:03:53 +0000
Received: from arekh.dyndns.org ([88.174.226.208]) by mwinf8509-out with ME id wB3G1i00J4WQcrc03B3GpA; Tue, 10 Apr 2012 13:03:18 +0200
Received: from localhost (localhost.localdomain [127.0.0.1]) by arekh.dyndns.org (Postfix) with ESMTP id B48EA8B90; Tue, 10 Apr 2012 13:03:16 +0200 (CEST)
X-Virus-Scanned: amavisd-new at arekh.dyndns.org
Received: from arekh.dyndns.org ([127.0.0.1]) by localhost (arekh.okg [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O9G+ohQNoRzz; Tue, 10 Apr 2012 13:03:10 +0200 (CEST)
Received: from arekh.dyndns.org (localhost.localdomain [127.0.0.1]) by arekh.dyndns.org (Postfix) with ESMTP; Tue, 10 Apr 2012 13:03:10 +0200 (CEST)
Received: from 192.196.142.27 (SquirrelMail authenticated user nim) by arekh.dyndns.org with HTTP; Tue, 10 Apr 2012 13:03:10 +0200
Message-ID: <6fe22d5f627ff564d9c2dc43e6e55a00.squirrel@arekh.dyndns.org>
In-Reply-To: <4F840795.9090505@gmx.de>
References: <4F763DD2.70604@isode.com> <em3e102790-aa55-4d0f-9ff3-39bf0ca77fd3@boist> <CABaLYCvGt=pqwVXaWMMUTyD1Gg=qizRG_WuekC33awBRu53AAQ@mail.gmail.com> <4F76AABF.3010201@gmx.de> <CABaLYCsB+outivXFwj8iFH+dM6XedxwR672Rw7pOhtzj7r6X-A@mail.gmail.com> <loom.20120406T155512-618@post.gmane.org> <CAA4WUYipNcFpigX4MHQHOtM-M0vFBSRjMJLZnpN6GXkPinVNMw@mail.gmail.com> <50b278cb647638c66ee1db0fe1bf8488.squirrel@arekh.dyndns.org> <20120407192933.GA3240@jl-vm1.vm.bytemark.co.uk> <502fe0631a8a28bce027c70c6e733c38.squirrel@arekh.dyndns.org> <20120409151210.GC3240@jl-vm1.vm.bytemark.co.uk> <4F838D59.50304@it.aoyama.ac.jp> <11509b6f410771fb81c08b9d7cfc2e12.squirrel@arekh.dyndns.org> <4F840795.9090505@gmx.de>
Date: Tue, 10 Apr 2012 13:03:10 +0200
From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Nicolas Mailhot <nicolas.mailhot@laposte.net>, "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>, Jamie Lokier <jamie@shareable.org>, "\"William Chan (陈智昌)\"" <willchan@chromium.org>, ietf-http-wg@w3.org
User-Agent: SquirrelMail/1.4.22-7.fc18
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Received-SPF: pass client-ip=193.253.67.230; envelope-from=nicolas.mailhot@laposte.net; helo=smtpout.laposte.net
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01
X-W3C-Scan-Sig: maggie.w3.org 1SHYrQ-0003oY-U5 44c825f4550fdc54074e719f5fbb1b17
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Portal authorization
Archived-At: <http://www.w3.org/mid/6fe22d5f627ff564d9c2dc43e6e55a00.squirrel@arekh.dyndns.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/13422
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1SHYrk-0006II-4U@frink.w3.org>
Resent-Date: Tue, 10 Apr 2012 11:04:04 +0000

Le Mar 10 avril 2012 12:12, Julian Reschke a écrit :
> On 2012-04-10 09:00, Nicolas Mailhot wrote:
>>
>> Le Mar 10 avril 2012 03:31, "Martin J. Dürst" a écrit :
>>> Hello Jamie, others,
>>>
>>> Mark had a draft on this,
>>> http://tools.ietf.org/html/draft-nottingham-http-portal-02. I'm not sure
>>> why it didn't move forward.
>>
>> I think it morphed in http error 511 however:
>>
>> 1. error 511 does not return an url so it can't be handled by dumb web
>> clients
>> such as curl
>
> Nor did the proposal in draft-nottingham-http-portal-02. Also, handling
> by dumb web clients was never on the agenda for this code, and I'm also
> not sure how it's supposed to work.

As started on the curl or git list dumb clients can not render a complex auth
page. They could give the user the address of this page, so he could open it
in a smarter client, if they had this address available in the HTTP 511
headers.

http://lists-archives.com/git/763532-handle-http-error-511-network-authentication-required-standard-secure-proxy-authentification-captive-portal-detection.html

>> 2. browser people do not like it. Gateway auth really needs to be specified
>> once and for all in a document with browser buy-in such as http/2
>
> Please do not make blanket statements like these unless you can back
> them up.

Right now http/1 is perceived as an end-to-end protocol with no provision for
intermediaries. And the situation is worse with TLS. If http/2 adds
multiplexing, this multiplexing should make it explicit intermediaries exist
and make a channel available for intermediaries to add their signalling

Right now what browser people have written about error 511

| Doing something "useful" with 511-over-MITMed-SSL would mean a huge increase
| in attack surface:
| * We'd have to poke a hole all the way through our TLS stack to even see the
| 511.

| A new HTTP status code won't help this bug because we get the SSL certificate
| name mismatch error before we can send an HTTP request.

(the "end-to-end" only argument)

| 3. We determine, from that error, whether we think we should try to detect
| the captive portal. If so, we issue a request to captive-portal
| test-mozilla.org. If that response comes back as a 511, or with a wispr
| response, or some other indication that we're in a captive portal, then we
| kick into captive portal mode.

(the "let's ignore proxy signalling and try to guess location by our own"
argument)

| But, I don't think we should avoid implementing a solution for the most
| common cases just because there are a few (or even many) cases where it
| wouldn't work.

("it's hard, let us do it some other day" argument)

It's a hard problem which had no satisfactory answer so far and which
resolution has been postponed for all of http/1 life. Please do not make the
same mistake with http/2 and provide for intermediaries from the start up.

https://code.google.com/p/chromium/issues/detail?id=71736
https://bugzilla.mozilla.org/show_bug.cgi?id=728658

Best regards,

-- 
Nicolas Mailhot

v2.23.0 | Report a Bug | By Email