It's been a few years since I looked at this, and I might be missing
context, but IMO, any attempts to redirect HTTPS using a MITM attack
should be considered adversarial. One might not want to onboard a device
in such a setting.
If one does want to proceed, from what I read the process for navigating
this safely is not clear.
I wish I could be more precise in the criticism, but I'm not familiar
with the background of what you are trying to achieve.
Dave
On 2025-06-30 18:07, Michael Richardson wrote:
Tommy Pauly <[email protected]> wrote:
>> Captive portals that do not follow the requirements of Section 1 of
>> {{?RFC8952}} MAY forcibly redirect HTTPS connections. While this is a
>> deprecated practice as it breaks TLS in a way that most users can not
>> deal with, it is still common in many networks.
> I would question using a normative MAY here; clearly, it’s something
> the network can do and often will do, but it seems like this is more a
> statement of practice than saying “you MAY do this” as a thing we’d
> recommend. I would probably say “might”.
I saw that too when editing, and I thought I changed it already.
Nope. Fixed now.
Any other thoughts?
Forced redirect of TLS by portals usually is detected by a certificate
validation failure. But, in 8995, we defer the verification until later on.
What I want to know is whether this explanation is reasonably
communicated.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Captive-portals mailing list -- [email protected]
To unsubscribe send an email to [email protected]
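The two behaviours discussed above, a normal TLS client that fails at the certificate check when a portal interposes itself, and a client that completes the handshake provisionally and verifies the captured certificate later, as an added example. This is not code from the thread, the draft under discussion, or RFC 8995; it is a self-contained Go illustration. The peer name registrar.example, the root name manufacturer-root.example and the in-process "portal" listener are constructed for the demo, and the "provisional connect, then verify later" shape is a simplified model of deferred verification, not a transcription of the 8995 procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedCert mints a throwaway self-signed certificate for name.
// An intercepting portal presents something of this shape: a leaf that
// chains to no root the client trusts (constructed for the demo).
func NewSelfSignedCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// StartPortal listens on loopback and answers every TLS handshake with cert,
// the way a portal that forcibly redirects HTTPS terminates TLS for whatever
// name the client asked for. Returns the address and a stop function.
func StartPortal(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a strict client will abort this
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// StrictConnect is the ordinary client: verification happens inside the
// handshake, so a portal shows up as the returned error.
func StrictConnect(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

// ProvisionalConnect completes the handshake without verifying and hands back
// the peer's leaf certificate so that it can be checked later.
func ProvisionalConnect(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, errors.New("no peer certificate presented")
	}
	return certs[0], nil
}

// DeferredVerify is the check a provisional client must still run once it
// knows which roots to trust; skipping it is what turns a portal into a MITM.
func DeferredVerify(leaf *x509.Certificate, serverName string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err
}

// LooksLikePortal reports whether err is the signature of an interposed TLS
// endpoint (unknown issuer or name mismatch) rather than a transport error.
func LooksLikePortal(err error) bool {
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	return errors.As(err, &unknown) || errors.As(err, &hostname)
}

func main() {
	const registrar = "registrar.example" // constructed name of the intended peer
	portalCert, portalLeaf, _ := NewSelfSignedCert(registrar)
	_, trustedRoot, _ := NewSelfSignedCert("manufacturer-root.example") // constructed
	addr, stop, err := StartPortal(portalCert)
	if err != nil {
		panic(err)
	}
	defer stop()
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)

	err = StrictConnect(addr, registrar, roots)
	fmt.Printf("strict:      err=%v portal=%v\n", err, LooksLikePortal(err))
	leaf, _ := ProvisionalConnect(addr, registrar)
	fmt.Printf("provisional: handshake ok, captured portal cert=%v\n", leaf.Equal(portalLeaf))
	err = DeferredVerify(leaf, registrar, roots)
	fmt.Printf("deferred:    err=%v portal=%v\n", err, LooksLikePortal(err))
}
```

In the strict path the failure is the portal signal and nothing else needs to be done. In the provisional path the handshake succeeds, so the interception is only caught if DeferredVerify actually runs and its failure is treated as adversarial; a client that forgets the deferred step, or proceeds past its failure, has accepted the portal's certificate as if it were the registrar's.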