[TLS] Captive portals, "access administratively disabled" and alert messages
Mateusz Jończyk <mat.jonczyk@o2.pl> Tue, 02 January 2018 19:15 UTC
To: tls@ietf.org
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
Message-ID: <096449a4-38fc-e17f-d995-a584f976b422@o2.pl>
Date: Tue, 02 Jan 2018 20:15:09 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/A2AJt_1XiwIcujJ8jhG7szbs7Rs>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Hello,

OpenDNS by default blocks websites that are used for phishing and optionally other sites as configured by the deployer. It does this by DNS poisoning: it responds with a forged A or AAAA response that redirects to their server. An example website blocked by OpenDNS in this manner is https://internetbadguys.com/.

When OpenDNS blocks a website that is served by HTTPS, the user is presented with a "Certificate Error" message. To see what happened, she then has to accept the incorrect certificate or visit the plain HTTP version of the webpage. This creates some problems: aside from a bad user experience, it makes users accustomed to ignoring certificate errors.

Another problem is created by captive portals: networks that use "a web page which is displayed to newly connected users before they are granted broader access to network resources." (Wikipedia)

This could be solved by specifying two new values of AlertDescription: access_administratively_disabled and captive_portal, as well as a new field in struct Alert: alert_message.

Let alert_message be a fixed-length UTF-8-encoded string. It would only be valid for (description == access_administratively_disabled || description == captive_portal) and otherwise a client would HAVE TO ignore it. It would be plain text for simplicity, shortness and security. It would be null-terminated and then randomly padded to a size of perhaps 100 bytes. A TLS client would HAVE TO filter the message for any odd characters, invalid UTF-8 sequences, etc., as will be specified in the standard.

Greetings,
Mateusz Jończyk
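The following is an added illustration of the alert layout proposed in the message above; it is not code from the message, from any TLS library, or from any standard. It serialises an Alert as level, description and a fixed-length alert_message (UTF-8 text, a NUL terminator, random padding to 100 bytes) and shows the receiving side's handling: ignore the field for every other alert, drop it when the terminator is missing or the bytes are not valid UTF-8, and strip control, format (including bidirectional override) and line-separator characters before the text reaches a user. The AlertDescription values 200 and 201, the 100-byte field size, the use of the fatal level and the exact sanitisation policy are all assumptions made for this example.

```python
"""Sketch of a TLS Alert extended with alert_message, as proposed on the list.

Wire layout assumed here (an illustration, not a standard):
    level(1) || description(1) || alert_message(100)
alert_message = UTF-8 text || 0x00 || random padding to 100 bytes.
"""
import os
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Standard values from RFC 8446 section 6.2.
LEVEL_WARNING = 1
LEVEL_FATAL = 2
CLOSE_NOTIFY = 0

# Hypothetical AlertDescription values for the two proposed alerts.
# The numbers are assumptions for this example, not assigned code points.
ACCESS_ADMINISTRATIVELY_DISABLED = 200
CAPTIVE_PORTAL = 201
MESSAGE_BEARING = {ACCESS_ADMINISTRATIVELY_DISABLED, CAPTIVE_PORTAL}

ALERT_MESSAGE_LEN = 100          # "perhaps 100 bytes" in the proposal (assumed)
ALERT_LEN = 2 + ALERT_MESSAGE_LEN


@dataclass
class Alert:
    level: int
    description: int
    message: Optional[str]       # None when absent, ignored or rejected


def encode_alert(level: int, description: int, message: Optional[str] = None) -> bytes:
    """Serialise an alert. The message region is always present (fixed-length
    struct); for alerts that carry no message it is random filler, which a
    conforming receiver ignores."""
    if message is not None and description not in MESSAGE_BEARING:
        raise ValueError("alert_message is only valid for the two new alerts")
    if message is None:
        field = os.urandom(ALERT_MESSAGE_LEN)
    else:
        if "\x00" in message:
            raise ValueError("alert_message must not contain NUL")
        body = message.encode("utf-8")
        if len(body) + 1 > ALERT_MESSAGE_LEN:
            raise ValueError("alert_message too long")
        field = body + b"\x00" + os.urandom(ALERT_MESSAGE_LEN - len(body) - 1)
    return bytes([level, description]) + field


def sanitize_message(text: str) -> str:
    """Keep only printable text. Drops control (Cc), format (Cf, which covers
    bidi overrides such as U+202E), surrogate, private-use and unassigned
    characters and line/paragraph separators; maps other Unicode spaces to
    an ASCII space so the result is a single displayable line."""
    out = []
    for ch in unicodedata.normalize("NFC", text):
        cat = unicodedata.category(ch)
        if cat.startswith("C") or cat in ("Zl", "Zp"):
            continue
        out.append(" " if cat == "Zs" else ch)
    return "".join(out)


def decode_alert(data: bytes) -> Alert:
    """Parse an alert record. A bad message never aborts alert processing:
    the level and description are still returned, the text is dropped."""
    if len(data) != ALERT_LEN:
        raise ValueError("malformed alert record")
    level, description = data[0], data[1]
    if description not in MESSAGE_BEARING:
        # The proposal: the field is only valid for the two new alerts;
        # for every other description the receiver must ignore it.
        return Alert(level, description, None)
    field = data[2:]
    end = field.find(b"\x00")
    if end < 0:                                   # no terminator: reject the text
        return Alert(level, description, None)
    try:
        text = field[:end].decode("utf-8")        # strict: overlongs/surrogates fail
    except UnicodeDecodeError:
        return Alert(level, description, None)
    return Alert(level, description, sanitize_message(text))


if __name__ == "__main__":
    rec = encode_alert(LEVEL_FATAL, CAPTIVE_PORTAL, "Sign in at https://portal.example/ to continue")
    print(len(rec), decode_alert(rec))
    print(decode_alert(encode_alert(LEVEL_WARNING, CLOSE_NOTIFY)))
```

Because the message is cut at the first NUL and the padding is random, a receiver must never display the raw 100-byte field; the round trip above works only because the encoder refuses NUL inside the text and the decoder stops at the terminator. Strict UTF-8 decoding plus the category filter is what turns the proposal's "filter the message for any odd characters" into a concrete, testable rule.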
- [TLS] Captive portals, "access administratively d… Mateusz Jończyk
- Re: [TLS] Captive portals, "access administrative… Eric Rescorla
- Re: [TLS] Captive portals, "access administrative… JW
- Re: [TLS] Captive portals, "access administrative… Mateusz Jończyk
- Re: [TLS] Captive portals, "access administrative… Stephen Farrell
- Re: [TLS] Captive portals, "access administrative… Eric Rescorla
- Re: [TLS] Captive portals, "access administrative… Mateusz Jończyk
- Re: [TLS] Captive portals, "access administrative… Martin Thomson
- Re: [TLS] Captive portals, "access administrative… Eric Rescorla
- Re: [TLS] Captive portals, "access administrative… Ted Lemon
- Re: [TLS] Captive portals, "access administrative… Geoffrey Keating
- Re: [TLS] Captive portals, "access administrative… Lanlan Pan