Re: [Captive-portals] Arguments against (any) Capport "API"

To: Erik Kline <[email protected]>

Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

From: David Bird <[email protected]>

Date: Fri, 7 Apr 2017 06:52:55 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/HhWOKooZ9sG9ISsoIu2XMOqIFlE>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: [email protected]

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DUbQmGcOnSCteFibDiHfxaTFhP7OQ0cQxEclNh2hqks=; b=Wl5qKjCqeG1gKua+W9riC4CRMpol+REILJtXzUm0OOyZjNLfYGht5PreRMDO+v1C7Q 4FLj7Tcj69e4m8EewhcCpNXEc6OrQofmgp1/cDaGXgfHFaAcb/e9/rS5+fNUm2RxEcup qe7J+kG9iFCznlWDotswXawd1I88ClaVNy5Hnr7cnhHfOvm2bE66WMEayCvuOfIYd0v9 rchAbosYMJo8qdO5btJLGMNWl72hk9BuHZnq4YKJCvzLieMYtzKP7YAVCdKc1A54Cagy P4AH1eFB4nSK+jfcB8LqaqOjZxD18hI0vR3AMPRpZdBXhV7VapqzOXsn0DD4Wd1qUZuY ETeA==

In-reply-to: <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com>

On Fri, Apr 7, 2017 at 6:36 AM, Erik Kline <[email protected]> wrote:

I think the client should, ideally do:

- Use the network for all connections (why ask permission when forgiveness is cheap).

Not gonna happen. Mobile clients do a ton of work to enable "make before break". There is no such thing as forgiveness from users who can't get Facebook updates, Twitter notifications, nor email while their device is held hostage because it switched to Wi-Fi and tore down mobile before checking for a captive portal.

But, it DOES happen when you connect to Open SSID without captive portal (or when the venue evaded your detection). Maybe the captive portal networks wants to offer these services in their walled garden... and it is likely the user would be happy about that (provided they selected the network on purpose).

If you had ICMP giving you real-time feedback, you could more accurately (and quickly) detect what connections will work and which will not on the network. QUIC will help in maintaining session continuity as connections are pinned to different interfaces.

This may also address your question elsewhere about browsers and "sandboxing". I suspect the sandboxing to which you're referring is about cookie isolation (primarily), but there's a kind of "network sanboxing" that is applied as well to ensure the browser uses a self-consistent networking configuration.

Cookie isolation on secure websites doesn't really help the user any...