On Mon, Jun 15, 2015 at 3:02 PM, Miloslav Trmač <m...@redhat.com> wrote:
> Hello,
>
> On Jun 13, 2015 4:28 AM, "Michael Catanzaro" <mcatanz...@gnome.org> wrote:
>> On Fri, 2015-06-12 at 15:49 -0700, Andrew Lutomirski wrote:
>> > >
>> > But that's not even right.  Suppose you have a captive portal that
>> > wants you to log in via your Google account.  It can send you to
>> > https://accounts.google.com, and your browser can verify the
>> > certificate and show you an indication that the connection is secure.
>> > Then you really can safely enter your password.
>>
>> Hmmm, I didn't realize legitimate portals might take you to the public
>> Internet.
>
> I think I've seen this in airports and in some hotel chains.
>
> Yes; sadly, many “legitimate portals” (easily 50% of the airport hotspots I
> have encountered in Europe) are pretty much attackers.
>
> In particular, many of them want to bypass hotspot detection so that the log
> in screen does not appear in the sandboxed hotspot sign-on browser; by now
> it is a pretty standard feature of business access points to have a “bypass
> hotspot detection” checkbox. (For iOS, this has reportedly been done by
> recognizing a unique User-Agent used for the hotspot check; not sure about
> Android.)¹
>
> They want to use the regular, unsandboxed, browser so that
>
> - password autofill works
> - credit card number autofill works
> - your Facebook login state is available so that you can easily “like” the
>   hotspot provider (I’m not entirely sure but I think I did already see “like
>   our page for 15 minutes of free internet” in a public hotspot)
> - your advertising tracking cookies transfer (for better targeting of ads on
>   the hotspot login page, or so that you can be marked “visited airport $ABC”
>   and related ads can be targeted at you in the future)
>
> What would dnssec-trigger do if an attacker^Wlegitimate hotspot provider
> deliberately let the hotspot probe lookup and connection through, but kept
> redirecting everything else?
>    Mirek

Detect it and show the sandboxed browser.  If that means that the user
has to type their Facebook password again, then the user is welcome to
do that.  I don't see why we should make it easier to track users,
though.

Or we could proxy all traffic through the giant hole they'll create in
order to avoid being detected as a captive portal.  /me ducks

We could at least make these shenanigans harder by sending a
legitimate-looking UA header and hitting a non-static page that
answers some challenge rather than just saying "200 OK".

--Andy
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
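
The challenge-based probe suggested in the reply above, sketched as an added example that is not part of the original thread or of any Fedora tool. The probe URL, the User-Agent string and the unkeyed SHA-256 answer scheme are assumptions made for illustration; the sample responses are constructed.

```python
import hashlib
import secrets

# Hypothetical values: a real deployment would choose its own probe URL and UA.
PROBE_URL = "http://probe.example.org/check"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"


def make_probe():
    """Build a probe request that carries a fresh random challenge."""
    nonce = secrets.token_hex(16)
    return {"url": f"{PROBE_URL}?c={nonce}",
            "headers": {"User-Agent": BROWSER_UA},  # looks like a normal browser
            "nonce": nonce}


def expected_answer(nonce):
    """Answer the (assumed) probe server returns for a given challenge.

    The scheme is unkeyed, so a portal that knows it can still forge the
    answer; it only ensures that a canned "200 OK" no longer passes.
    """
    return hashlib.sha256(b"portal-probe-v1:" + nonce.encode()).hexdigest()


def classify(nonce, status, headers, body):
    """Classify a probe response as 'online', 'captive' or 'offline'."""
    if status is None:                      # no response at all
        return "offline"
    if 300 <= status < 400 or "Location" in headers:
        return "captive"                    # redirected to a login page
    if status == 200 and body.strip() == expected_answer(nonce):
        return "online"                     # answer depends on our challenge
    return "captive"                        # static or rewritten reply


if __name__ == "__main__":
    probe = make_probe()
    n = probe["nonce"]
    # Constructed sample responses: (status, headers, body)
    samples = {
        "real probe server": (200, {}, expected_answer(n) + "\n"),
        "faked static 200": (200, {}, "OK"),
        "portal redirect": (302, {"Location": "http://portal.example/login"}, ""),
        "replayed old answer": (200, {}, expected_answer("00" * 16)),
        "no network": (None, {}, ""),
    }
    for name, (status, headers, body) in samples.items():
        print(f"{name:20} -> {classify(n, status, headers, body)}")
```

This covers only portals that fake the probe reply; a hotspot that lets the probe through untouched while redirecting everything else, as asked in the quoted message, still reads as "online" here.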
