Re: [TLS] Captive portals, "access administratively disabled" and alert messages

Eric Rescorla <ekr@rtfm.com> Tue, 02 January 2018 21:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F396F126BF7 for <tls@ietfa.amsl.com>; Tue, 2 Jan 2018 13:57:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sBku-ik0rzFT for <tls@ietfa.amsl.com>; Tue, 2 Jan 2018 13:57:01 -0800 (PST)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59ED61242F7 for <tls@ietf.org>; Tue, 2 Jan 2018 13:57:01 -0800 (PST)
Received: by mail-yw0-x230.google.com with SMTP id k80so12351888ywe.0 for <tls@ietf.org>; Tue, 02 Jan 2018 13:57:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+nx0kKyaCciuRFBeUBKjl9w8o5hsC7HrdBR8fPRCJ18=; b=bsxuSkfc+ojaKMGCldsD83Jm+npmjE9VhqpM5zKoVatjuBZS1EV0NdtspMLZ7FgEuK mIKTkee6fRJiI+ZqN9mvuWAbt0B1YOIyvT3xvPTufQZY3moFxg8oR3cdCRKzVpWaRDRk cnvmqGV2l5DHRoynCY8WLivjC+nV+BZXZR9XMv0fManIIcozX8UWP2qbgy6wEqAbZ+zx AyhcnE0PvZxEeyHDNWQ/iM/q2nV+/KNqJoHfZ4eCXtJYZRScW8E/fQsTAYi4XGrAnI4i Awn6crVGvsOJ9VUQoWxcasxyXuuGnjxSz5IbJQdX+eUwyQDeI/44MSJ/Pgna3GHRkDm+ n4aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+nx0kKyaCciuRFBeUBKjl9w8o5hsC7HrdBR8fPRCJ18=; b=UOCs6Dk1d1uk7eaNVSOpH4T1aBrjBT7ESsaswcNAP3BvbmQZDEpXKnVBRuUyEsYOLZ fK39mXwUjdgaDrTFGabci7MlLF71afeldl2FZJyS/61jjlRSfc+YPVb+sV/We+p33BQS CdbvWOoHd1DlyFrMAvupE51le2HYZZrq9bCu2/usJnuE3BXAVsRPY1cPX8yJ7C/i1+N2 m3lcY4h/5+2azc0jrPVTCOgmHtixoes3FgV08/piOBob9dvW4Sd7+1x8qo4xzQxz/i19 6rMAQqG9gFF2X6U6p/vdBh8uyvd9yivzshX7u95aXlKZ4xpoetLweXBa0Pkwri4ohef7 VQ/w==
X-Gm-Message-State: AKGB3mJg8gbdFkh7bF3KBYaJuZImh3RfAzKWyF5K7LCzL9jwYsajIu47 TAqnLkuX7ekbZNysTImiUU/M3OPxKof9/C4c5bGQ5L1v
X-Google-Smtp-Source: ACJfBosrfkf8onaFM9klowhAnMXEVZNwNTehhiqpApNSanwAisoIDlH7nlEr2vzk0opKzDlbAJSKMk+TqSPmVp3d2UU=
X-Received: by 10.129.58.1 with SMTP id h1mr34344473ywa.2.1514930220465; Tue, 02 Jan 2018 13:57:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Tue, 2 Jan 2018 13:56:19 -0800 (PST)
In-Reply-To: <9356637a-09b1-1074-86b6-15e9d1f00c1f@o2.pl>
References: <096449a4-38fc-e17f-d995-a584f976b422@o2.pl> <CABcZeBOYH5sFszpTVbTyp8kYtmhqCX+_TJN9ofW5vuUMx50KRg@mail.gmail.com> <5e9e9357-2031-9cc9-4ee7-10865e562184@o2.pl> <CABcZeBPBCBtMioG7hcVLxMDO+K_A=oYa8LvD4AQm8Q5tzV4QSg@mail.gmail.com> <9356637a-09b1-1074-86b6-15e9d1f00c1f@o2.pl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 2 Jan 2018 13:56:19 -0800
Message-ID: <CABcZeBMAqyta17umDrwMeNevPj31z6Dsi6XedaftLko8D0r-Tw@mail.gmail.com>
To: =?UTF-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="001a1137abdca694910561d22df4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EQqT650Fhv55OHI__BFz-jSdxdw>
Subject: Re: [TLS] Captive portals, "access administratively disabled" and alert messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2018 21:57:03 -0000

On Tue, Jan 2, 2018 at 1:40 PM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:

> CCing Ted Lemon <mellon at fugue.com> as the author of previous
> proposition.
>
> W dniu 02.01.2018 o 21:20, Eric Rescorla pisze:
> > On Tue, Jan 2, 2018 at 12:08 PM, Mateusz Jończyk <mat.jonczyk@o2.pl
> > <mailto:mat.jonczyk@o2.pl>> wrote:
> >
> >     Then the browser should display a message inside the warning screen
> that the
> >     string cannot be trusted.
> >
> > Users tend to ignore that kind of warning.
> Not any more then they ignore certificate warnings [2].


That's not clear. We would be providing some sort of attacker-controlled
text to the user with a warning that says "you can't trust this". That's
difficult to pull off.

Moreover, the certificate warnings are under control of the browser, but we
actively work to discourage the user from ignoring them. Moreover, for HSTS
sites, the browser doesn't allow the user to override them, so providing
some attacker-controlled information would make the situation materially
worse. And given that a lot of the sites which people are likely to hit
with captive portals are in fact HSTS sites (because HSTS is common in big
sites) instead showing attacker controlled information would make things
materially worse.

-Ekr