Re: Fedora captive portal page changed output :(

On Mon, 5 Dec 2016, Michael Catanzaro wrote:

On Mon, 2016-12-05 at 09:05 -0500, Paul Wouters wrote:
That is incorrect in my experience. When I go to coffee shops, my
iphone shows the portal page, but my laptop shows the TLS cert invalid
thing.

Oh wow. I didn't know that. Feels like time to give up....

Anything captive portal does feel that way, although there is some hope
on the horizon with the IETF captive portal working group that is trying
to make this a little easier and more standardized.

https://datatracker.ietf.org/wg/capport/charter/

So what's your recommendation, just ignore all TLS errors and accept
that anybody can intercept your credentials for the portal? It could be
a problem because AFAIK some portals are using Google credentials for
authentication nowadays. I don't know much about that ....

With certificate transparency becoming mandatory, the number of bogus
self signed certs and certs signed for bogus made up domains should
decrease as browsers will just refuse to load these. So I do think we
will see a move where if they use certificates, it will actually have
to be a valid one chained to a valid public root CA, which means the
DNS name has to be a real valid FQDN and not some made up goo.

But we are not there yet. So I think a warning might be appropriate.
Credential passing is hard. If done right, the user would only use
something OAUTH like where it is a challenge/response that the portal
will have to relay via the real authentication servers. But if they
will just put up a "sign in with XXX" and a user/password box, likely
many users will just give them their full credentials anyway. I doubt
any green URL bar, padlock or us giving warnings will do anything
about that :(

Right now, the situation leads me to having to close the gnome window
which only displays "TLS certificate invalid" or some text like that,
and still use my firefox and a new tab/window to get through the
captive portal. In which case we are exposing the full firefox with
all my privacy settings and cookies to the captive portal, instead of
(what I hope to be) some "private window" gnome web browser that has
no access to any of my personal data. So I'd rather see the gnome
window ignoring the TLS error and proceeding.

Yeah, I actually filed a bug for this a while back:

https://bugzilla.gnome.org/show_bug.cgi?id=750941

Or a cached page? It's been happening to me on f24 for a few weeks
now.

Paul

Um... yeah maybe, I don't see any code in the portal helper to disable
caching at all. Bug:

https://bugzilla.gnome.org/show_bug.cgi?id=775639

Thanks for filing those!

Paul