Re: [TLS] Captive portals, "access administratively disabled" and alert messages
Lanlan Pan <abbypan@gmail.com> Wed, 03 January 2018 04:05 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ieBntL5NWHLmIrfE7oUSAiQuP5g>
Eric Rescorla <ekr@rtfm.com> wrote on Wed, Jan 3, 2018 at 5:57 AM:

> On Tue, Jan 2, 2018 at 1:40 PM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>
>> CCing Ted Lemon <mellon at fugue.com> as the author of previous
>> proposition.
>>
>> On 02.01.2018 at 21:20, Eric Rescorla wrote:
>> > On Tue, Jan 2, 2018 at 12:08 PM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>> >
>> >     Then the browser should display a message inside the warning screen that the
>> >     string cannot be trusted.
>> >
>> > Users tend to ignore that kind of warning.
>> Not any more than they ignore certificate warnings [2].
>
>
> That's not clear. We would be providing some sort of attacker-controlled
> text to the user with a warning that says "you can't trust this". That's
> difficult to pull off.
>
> Moreover, the certificate warnings are under control of the browser, but
> we actively work to discourage the user from ignoring them. Moreover, for
> HSTS sites, the browser doesn't allow the user to override them, so
> providing some attacker-controlled information would make the situation
> materially worse. And given that a lot of the sites which people are likely
> to hit with captive portals are in fact HSTS sites (because HSTS is common
> in big sites) instead showing attacker controlled information would make
> things materially worse.
>

providing some attacker-controlled information would make the situation materially worse.

+1

Although some browsers support HSTS, they also offer a "user friendly" configuration item to ignore all SSL warnings.

> -Ekr

--
Best Regards
潘蓝兰 Pan Lanlan