Re: [Captive-portals] [TLS] FW: New Version Notification for draft-zhou-tls-server-redirect-00.txt

Subject: Re: [Captive-portals] [TLS] FW: New Version Notification for draft-zhou-tls-server-redirect-00.txt

Date: Wed, 21 Oct 2015 13:21:14 -0700

Archived-at: <http://mailarchive.ietf.org/arch/msg/captive-portals/N1DZ7R2yYR9SXSpVOKzslPPM6Hk>

Cc: joel jaeggli <[email protected]>, "[email protected]" <[email protected]>, "Zhouqian \(Cathy\)" <[email protected]>, Warren Kumari <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=0nzj2TSgHHtdQPfl3N/c4kg6idotTH0CSUGmcr3OgEI=; b=fch8HtRLVZXswBxeijcIawLFlx3hQ7sEIE782JA+wKc1ES359645tcIZkbb9JLOYKO 4qLtRhb3feegotPv/GkrmVbZxqWy4Ilgsov5SVPVI+P+0VIbcwltXSmZzRqKPd6DLpeE iMHcvVUiTbioKfR7rKQ7PKNyFb6k0YdGOI06BmS+3z5lRwPcxnNbeL1jkksyMKEr4iOH lmd+nWzFsLo281wMEr4MOz4FRmzD/K10KrVP1e1CnTVHhwDlrODVZz+mbGDsnx6g4zYB iAjAo2NcaTqp8qVccf8WuWrA2XUQrleTA6x/jSmoVO8HwXUMPWv/VrHP8+ipQXikHfXq mi9Q==

In-reply-to: <[email protected]>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <A6A061BEE5DDC94A9692D9D81AF776DF40A40ADF@SZXEMA512-MBX.china.huawei.com> <[email protected]> <A6A061BEE5DDC94A9692D9D81AF776DF40A40B39@SZXEMA512-MBX.china.huawei.com> <[email protected]> <CAHw9_iJpWteDGJvQFnDsgEsbQTdqakA=S3feF71tB_FaQOis-A@mail.gmail.com> <CADo9JyUF3-Qr-MN9jhbxYy5iHXDSZxJsh1W95o4SGjiAPiF-Eg@mail.gmail.com> <[email protected]>

Good point. However, browsers aren't the only applications that use HTTPS...

Reading draft-zhou-tls-server-redirect-00.txt, I'm I understanding it correctly that the "first" server must respond with the same certificate as the "second" server (e.g. the cert returned from the first server must match the Redirect URL hostname)?

A couple thoughts:

- This does mean any MitM can hijack, not just the local CP-NAS. This isn't unique to the proposed scheme, but I suppose ICMP is interesting to me because any "ICMP CP-Notification" packets can easily be filtered at the network level -- so, a CP-NAS can prevent an outside HTTPS MitM (using ICMP) from it's WAN side. It would be harder if the notification comes within the TLS handshake.

- If the CP-NAS ("first" server) must have the same certificate as the CP-WEB ("second" server), it does make the certificate a bit more vulnerable being in multiple places and could violate the cert license (which typically limit the cert to X number of machines). It is worth noting that the CP-NAS (often an AP itself) does not necessarily belong to the owners of the captive portal (take any hotspot services company as an example).

David

On Wed, Oct 21, 2015 at 11:52 AM, Yoav Nir <[email protected]> wrote:

> On 21 Oct 2015, at 7:17 PM, David Bird <[email protected]> wrote:
>
> +1 for using ICMP to signal blocked by CP :)

The problem with ICMP is that it needs to be handled by the operating system. Existing operating systems will ignore them and they usually don’t get reflected to the browser or other application.

Perhaps a special TLS alert. So the CP still has to MITM the TCP connection (just as in HTTP), but then it just fails the TLS handshake with a captive_portal alert.

If the browser then does the normal HTTP probe in a special window it should work with an updated browser on a non-updated system. And really, browsers update with new features much more quickly than operating systems.

Yoav