> On Mon, Jun 15, 2015 at 3:02 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> > What would dnssec-trigger do if an attacker^Wlegitimate hotspot provider
> > deliberately let the hotspot probe lookup and connection through, but kept
> > redirecting everything else?
>
> Detect it and show the sandboxed browser. If that means that the user
> has to type their Facebook password again, then the user is welcome to
> do that. I don't see why we should make it easier to track users,
> though.

That’s what dnssec-trigger ideally _should_ do. What would it _actually_ do, e.g. with the current code?

> Or we could proxy all traffic through the giant hole they'll create in
> order to avoid being detected as a captive portal. /me ducks

Nice ☺ More realistically, we could proxy the DNS fallback through there.

> We could at least make these shenanigans harder by sending a
> legitimate-looking UA header

Yes

> and hitting a non-static page that
> answers some challenge rather than just saying "200 OK".

I don’t think that would help; the hotspots tend to use a whitelist of “don’t intercept” addresses (which is after all easier than completely faking even a static reply), so seeing an unmodified hotspot detection page does not say anything about other pages being modified.

Mirek