Re: [Captive-portals] Arguments against (any) Capport "API"

To: Michael Richardson <[email protected]>

Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

From: David Bird <[email protected]>

Date: Thu, 6 Apr 2017 17:44:20 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/SrUgrDg8Un_GE6QPBFGmXUGfY0g>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: "[email protected]" <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=G+QTnE+9skMhmfsz32pley5WaZKs9TKP8WkqQF63YmM=; b=ISMXWdkUremclh/dDJfqz+I04Wnu8D4lDxeSGb999HaTC2KO4HEA9v3Kf5otIyaBjg H4KhbJfVTZiWk+JJCHWRVdg6EqfirpEJa/M0bqMDFDVJ6nNhml6WZvJ55T/hcZNHIcgy ArnaA6+G+aLsT4nzwfkzoHlCmKG61hqkLa/LbE8s7X94m0XGYWbchlf10AbbvQ7K7rz4 U6LmIv9uZhgJMT+BuIZVimOnsLwUXRfYF9pdN2PxK7NzjpEmdqxZliE8XJFF8yKPU5Fq kIPg8N8x2D2Jh2A36OXvmOV3B4RPgusszs/itvdRA1W7xQe43cXc3S+aVmB0cMdyu8a2 WREA==

In-reply-to: <[email protected]>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <[email protected]> <CADo9JyVr07w5GRpF+UzSBHRuo=V=3p9MeyhFdzB+5pZk7_amNw@mail.gmail.com> <D76BBBCF97F57144BB5FCF08007244A77059CE49@wtl-exchp-1.sandvine.com> <CADo9JyUnOfXSfXufzSk=QajyG2KXQfKzmQayca1kitRoAuwsqg@mail.gmail.com> <[email protected]> <CADo9JyXPUPLU4aKueT7HxTU1CYfY=HrhqRz0OcCu4z1AivP-hg@mail.gmail.com> <E8355113905631478EFF04F5AA706E9870579488@wtl-exchp-1.sandvine.com> <[email protected]>

On Thu, Apr 6, 2017 at 8:13 AM, Michael Richardson <[email protected]> wrote:

Dave Dolson <[email protected]> wrote:
> I’d like to hear from browser vendors as to why the browser gets
> sandboxed when interacting with a captive portal.

Security in layers.
The browser contains lots of interesting cookies and other state.

A captive portal could, for instance, provide a stack of img URLs to places
where the user might have cookies, and the browser may reach out to try
to load things. Even if those URLs are HTTPS and the captive portal lets
them through, just observing the size of the packets would tell the
portal operator whether or not the user has a relationship to that
entity. Of course, if they put http URLs in then snooping is obvious.

This is normal browser security stuff (a non-http page can't load content from https sites without an error) and threats when on untrusted networks of any kind, particularly Open SSIDs with NO portal.

(The operator can, of course, do this anyway, but the user does have a
point where they can, for instance, bring up a VPN to protect all their
traffic. My Android phone now apparently does this for me automatically when
I'm on high-quality public WiFI. More cool is that it appears to use IPv6 on
the inside. More funny was that google then alerted me to suspicious
activity from an IPv6 I'd never before logged into... which was the inner
tunnel IP...)

Android did this because you were at high quality public access network, it will do the same thing for Open WiFi w/o capport. (I hope that is right, I'm pretty sure... :)

> If one could trust the URL came from the local network (via DHCP),
> could restrictions be lifted?

I don't think this matters at all.

> If the URL were HTTPS, and certificates were valid (e.g., valid cert of
> Chicago OHare Airport), could restrictions be lifted?

I don't think so. I'm also unclear how the end-user can be sure that the
certificate in question is really from the location they are in. In many
cases, it's not "chicago-ord.com", but rather, "ord.boingo.com"...

Would visitors know the difference, which is more legitimate? As a traveler, you might prefer/trust the more familiar "boingo.com" in the FQDN. In this case, I think ORD and Boingo probably do joint marketing anyway... This sort of detail becomes a win-win-win in that the user gets to see what website (and server cert status) they are about to go to (equal to, if not safer, than when relatives send them hyperlinks in e-mails), the vendor sells NAS upgrades, operator gets to sell venues the ability to brand their WiFi, and the venue gets the chance for branding in the captive portal detection notification - all (reputable) parties motivated to support the feature... this 'feature' would deploy quickly, imho, if clients supported it (complete with the 'suggested' captive portal notification, not just when required) as it adds new ways of selling and connecting with the user. And, it could be done in a rather un-intrusive way, that is benefiting the user (who wants to stay connected) as much as the venue.

[ In this fantasy, 'feature' means IETF standards plus a client side change to how captive portals are handled. That last part, when it includes things like how to display user notifications and such, I don't think is the usual role of IETF... that is more WFA (similar to Hotspot 2.0 OSU). Is it possible that IETF can't solve this problem entirely? What is the 'carrot' for the client vendors? ]