On Oct 6, 2015, at 11:23 AM, Roscoe, Alexander <alexander_ros...@cable.comcast.com> wrote:
> I am really a big fan of having the ability to pass FQDN as a DHCP option. I
> assume all un-authed users will have access to DNS. There are some edge case
> scenarios where this will fail, especially in mobility situations where a
> roams between 2 of the same SSIDs that have a different DHCP server and
> cache. I think an ICMP reply would offer another mechanism to determine the
> client's state.
>
> I do not think HTTPS should be a requirement, this should be left to the
> discretion of the hotspot provider. Many hotspots, especially in the
> U.S. require users at a minimum check a terms of service box to get internet
> access. An application like this would not need to be secure as there is no
> sensitive information being passed.

I strongly disagree with this sentiment. These days HTTPS should be the default for all new features, and HTTP only used when there is a technical requirement preventing the use of HTTPS. We want to make the net secure, not add more attack surface.

There have already been reported incidents where the attacker joins a public wifi and hijacks DHCP. The user should have some assurance that the captive portal they're entering their credit card info into is the right one.

Peter
_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org
https://www.ietf.org/mailman/listinfo/captive-portals