On Mon, Jun 15, 2015 at 3:02 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> Hello,
>
> On Jun 13, 2015 4:28 AM, "Michael Catanzaro" <mcatanzaro@xxxxxxxxx> wrote:
>> On Fri, 2015-06-12 at 15:49 -0700, Andrew Lutomirski wrote:
>> >
>> > But that's not even right. Suppose you have a captive portal that
>> > wants you to log in via your Google account. It can send you to
>> > https://accounts.google.com, and your browser can verify the
>> > certificate and show you an indication that the connection is secure.
>> > Then you really can safely enter your password.
>>
>> Hmmm, I didn't realize legitimate portals might take you to the public
>> Internet.
>
> I think I've seen this in airports and in some hotel chains.
>
> Yes; sadly, many “legitimate portals” (easily 50% of the airport hotspots I
> have encountered in Europe) are pretty much attackers.
>
> In particular, many of them want to bypass hotspot detection so that the log
> in screen does not appear in the sandboxed hotspot sign-on browser; by now
> it is a pretty standard feature of business access points to have a “bypass
> hotspot detection” checkbox. (For iOS, this has reportedly been done by
> recognizing a unique User-Agent used for the hotspot check; not sure about
> Android.)¹
>
> They want to use the regular, unsandboxed, browser so that
>
>   * password autofill works
>   * credit card number autofill works
>   * your Facebook login state is available so that you can easily “like” the
>     hotspot provider (I’m not entirely sure but I think I did already see “like
>     our page for 15 minutes of free internet” in a public hotspot)
>   * your advertising tracking cookies transfer (for better targeting of ads on
>     the hotspot login page, or so that you can be marked “visited airport $ABC”
>     and related ads can be targeted at you in the future)
>
> What would dnssec-trigger do if an attacker^Wlegitimate hotspot provider
> deliberately let the hotspot probe lookup and connection through, but kept
> redirecting everything else?
>     Mirek

Detect it and show the sandboxed browser. If that means that the user
has to type their Facebook password again, then the user is welcome to
do that. I don't see why we should make it easier to track users,
though.

Or we could proxy all traffic through the giant hole they'll create in
order to avoid being detected as a captive portal. /me ducks

We could at least make these shenanigans harder by sending a
legitimate-looking UA header and hitting a non-static page that
answers some challenge rather than just saying "200 OK".

--Andy
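
Added example, not part of the original message and not dnssec-trigger code: a sketch of the client-side check the thread discusses, with a browser-like User-Agent, a nonce challenge instead of a static "200 OK", and a control fetch to catch a portal that lets only the probe through. The host names, the SHA-256 challenge scheme and the control fetch are assumptions of this sketch.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumptions of this sketch: probe.example is a hypothetical probe host, and
# "reply with hex SHA-256 of the nonce" is an invented challenge scheme.
PROBE_URL = "http://probe.example/check?nonce={nonce}"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"

@dataclass
class Reply:
    status: int
    body: str = ""
    location: Optional[str] = None  # Location header of a redirect, if any

def build_probe(nonce: str):
    """URL and headers for a probe that is not recognizable by a special UA."""
    return PROBE_URL.format(nonce=nonce), {"User-Agent": BROWSER_UA}

def answers_challenge(nonce: str, reply: Reply) -> bool:
    """True only if the body was computed from our nonce (no canned 200 OK)."""
    expected = hashlib.sha256(nonce.encode()).hexdigest()
    return reply.status == 200 and reply.body.strip() == expected

def classify(probe_nonce, probe, control_nonce, control) -> str:
    """Combine the well-known probe with a control fetch to a second host.

    The control fetch is this sketch's way to notice a portal that lets the
    probe through but keeps redirecting everything else."""
    probe_ok = answers_challenge(probe_nonce, probe)
    control_ok = answers_challenge(control_nonce, control)
    if probe_ok and control_ok:
        return "open"
    if probe_ok:
        return "portal-hiding-from-probe"  # still gets the sandboxed browser
    return "portal"

def good(nonce: str) -> Reply:
    """Constructed reply from an honest challenge server."""
    return Reply(200, hashlib.sha256(nonce.encode()).hexdigest() + "\n")

# Constructed replies a client might see on a portal network.
PORTAL_REDIRECT = Reply(302, "", "http://portal.example/login")
CANNED_OK = Reply(200, "200 OK")
```

An unkeyed hash only defeats static or replayed replies; a portal that implements the scheme can still answer it, which is why the verdict also depends on the control fetch.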