
Re: [Captive-portals] captive portal detectors



David Bird <[email protected]> wrote:
    > - I think statements like 'portals attempt to deceive hosts'
    > reinforce the belief that captive portals are themselves hostile,
    > while in fact I think you mean public access networks are hostile.

No, I don't think that I'm saying that.

We have created a bunch of protocols (DNSSEC, HTTPS, PKIX specifically),
that allow end hosts to work across public access networks, even if
they are hostile.

Yet, many captive portals choose to lie to me in order to "improve"
my user experience.  They claim to be IP addresses that they aren't,
and some of them still answer DNS queries in non-truthful ways.

This is as true on "trusted" corporate networks that include a portal step as
public networks.

Back in 1994, I built some of the first transparent proxies, when the term
NAT was unknown.  A major feature of firewalls of the time was that they
could authenticate the user before letting them out.
So I know a lot about intercepting traffic in order to "help" users.
It was a mistake, and it was step 0 of an arms race.
I even created ICMP mechanisms such that firewalls could demand
IPsec authentication before traversal...   So I've been down the road we are
contemplating, and I very much want to go down this road. It's the correct
answer.







--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-


