Warren Kumari <[email protected]> wrote:
> Currently, network providers use a number of interception techniques
> to reach a human user (such as intercepting cleartext HTTP to force a
> redirect to a web page of their choice), many of which look like a MitM
> attack.
I think this is too weak.
I would say:
Currently, network providers use a number of interception techniques
to reach a human user. Technically, most of the mechanisms are
Man-in-The-Middle Attacks against DNS or HTTP. This has the effect
of redirecting all HTTP traffic to a web page of their choice, even
for requests which are not viewed by a human. It often also results
in permanent DNS cache poisoning.
As endpoints become inherently more secure specifically through DNSSEC,
and HTTPS-everywhere, existing interception techniques not only fail to
reach a human, but usually result in the user and the device being
confused: they either give up, or complain loudly that the network is
broken (which technically, it is).
In the cases where the technique does reach a human, it often results
in a security warning about a broken certificate, and the resulting
technique is therefore training users to ignore those warnings.
===
I find your list of deliverables perfect.
I think that this effort could benefit from some significant outreach by
ISOC (and perhaps the IAOC meeting people could involve their contacts): we
need to reach the hotel managers.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-