Re: [TLS] Captive portals, "access administratively disabled" and alert messages

Lanlan Pan <abbypan@gmail.com> Wed, 03 January 2018 04:05 UTC

References: <096449a4-38fc-e17f-d995-a584f976b422@o2.pl> <CABcZeBOYH5sFszpTVbTyp8kYtmhqCX+_TJN9ofW5vuUMx50KRg@mail.gmail.com> <5e9e9357-2031-9cc9-4ee7-10865e562184@o2.pl> <CABcZeBPBCBtMioG7hcVLxMDO+K_A=oYa8LvD4AQm8Q5tzV4QSg@mail.gmail.com> <9356637a-09b1-1074-86b6-15e9d1f00c1f@o2.pl> <CABcZeBMAqyta17umDrwMeNevPj31z6Dsi6XedaftLko8D0r-Tw@mail.gmail.com>
In-Reply-To: <CABcZeBMAqyta17umDrwMeNevPj31z6Dsi6XedaftLko8D0r-Tw@mail.gmail.com>
From: Lanlan Pan <abbypan@gmail.com>
Date: Wed, 03 Jan 2018 04:05:01 +0000
Message-ID: <CANLjSvUXYerd+CW0omzp=zpydU7_CSbHThvDpTiG1hMBisCjWA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: =?UTF-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ieBntL5NWHLmIrfE7oUSAiQuP5g>

Eric Rescorla <ekr@rtfm.com> wrote on Wed, 3 Jan 2018 at 5:57 AM:

> On Tue, Jan 2, 2018 at 1:40 PM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>
>> CCing Ted Lemon <mellon at fugue.com> as the author of previous
>> proposition.
>>
>> On 02.01.2018 at 21:20, Eric Rescorla wrote:
>> > On Tue, Jan 2, 2018 at 12:08 PM, Mateusz Jończyk <mat.jonczyk@o2.pl
>> > <mailto:mat.jonczyk@o2.pl>> wrote:
>> >
>> >     Then the browser should display a message inside the warning screen
>> >     that the string cannot be trusted.
>> >
>> > Users tend to ignore that kind of warning.
>> Not any more than they ignore certificate warnings [2].
>
>
> That's not clear. We would be providing some sort of attacker-controlled
> text to the user with a warning that says "you can't trust this". That's
> difficult to pull off.
>
> Moreover, the certificate warnings are under control of the browser, but
> we actively work to discourage the user from ignoring them. Moreover, for
> HSTS sites, the browser doesn't allow the user to override them, so
> providing some attacker-controlled information would make the situation
> materially worse. And given that a lot of the sites which people are likely
> to hit with captive portals are in fact HSTS sites (because HSTS is common
> in big sites) instead showing attacker controlled information would make
> things materially worse.
>

> providing some attacker-controlled information would make the situation
> materially worse.

+1

Although some browsers support HSTS, they also offer a "user friendly"
configuration item to ignore all SSL warnings.


> -Ekr
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 
Best Regards

潘蓝兰  Pan Lanlan
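The HSTS behaviour the thread relies on (for a known HSTS host a certificate error is fatal and the user gets no click-through, so no attacker-controlled text would ever be shown) can be modelled in a few lines. The following is an added example written for this note, not code from the thread or from any browser; it follows the RFC 6797 rules for parsing the Strict-Transport-Security header, maintaining a known-host store, and deciding whether an override may be offered. Host names, header values and timestamps are constructed sample data.

```python
"""HSTS known-host store and certificate-error override decision.

Added example (not from the TLS list thread or any browser). Models
RFC 6797: the Strict-Transport-Security header is only honoured when
received over an error-free TLS connection, and for a known HSTS host
a certificate error is fatal, so no user override (and no attacker-
supplied explanatory text) is offered. All data below is constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time, seconds since epoch
    include_subdomains: bool  # includeSubDomains directive present


def parse_hsts_header(value, now=None):
    """Parse an STS header value; return HstsEntry or None if invalid.

    RFC 6797 6.1: directive names are case-insensitive, max-age is
    required, a directive given more than once makes the header invalid,
    and unknown directives are ignored. Values may be quoted.
    """
    now = time.time() if now is None else now
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # duplicated directive: whole header is invalid
        seen[name] = val
    if "max-age" not in seen or not seen["max-age"].isdigit():
        return None
    return HstsEntry(expires=now + int(seen["max-age"]),
                     include_subdomains="includesubdomains" in seen)


class HstsStore:
    """In-memory HSTS known-host store (hypothetical, for illustration)."""

    def __init__(self):
        self._entries = {}

    def observe(self, host, header_value, secure_transport=True, now=None):
        """Record an STS header seen on an error-free TLS response.

        Headers seen over plain HTTP or on a connection that had
        certificate errors are ignored (RFC 6797 7.2, 8.1). max-age=0
        removes the host. Returns True if the store was updated.
        """
        if not secure_transport:
            return False
        now = time.time() if now is None else now
        entry = parse_hsts_header(header_value, now)
        if entry is None:
            return False
        host = host.lower().rstrip(".")
        if entry.expires <= now:
            self._entries.pop(host, None)   # max-age=0: forget the host
        else:
            self._entries[host] = entry
        return True

    def is_known_host(self, host, now=None):
        """True if host, or a parent with includeSubDomains, is unexpired."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def certificate_error_overridable(store, host, now=None):
    """May the UI offer a click-through for a certificate error on host?

    RFC 6797 12.1: for a known HSTS host the error is fatal, so the
    answer is False and no explanatory text from the network is shown.
    """
    return not store.is_known_host(host, now)


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_000.0  # constructed clock value
    store.observe("bank.example", "max-age=31536000; includeSubDomains", now=t0)
    for h in ("bank.example", "login.bank.example", "cafe.example"):
        print(h, "override allowed:", certificate_error_overridable(store, h, now=t0 + 60))
```

In a captive-portal scenario the portal can only present a certificate the browser does not trust; with this rule the browser shows its own fixed error page for HSTS hosts, and the client should instead rely on its captive-portal probe (a plain-HTTP fetch of a known URL) to detect the portal, rather than on text carried in a TLS alert.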