On Saturday, 24 February 2018 23:40:56 GMT Ralph Corderoy wrote:
> It should be packets 12 and 13;  you could run the tcpdump command and
> compare it to Wireshark's display.  /etc/services says https is TCP port
> 443.

I have now received a response to my question about where https is used from 
Lloyd at Foxdog and he helpfully provided a screenshot of the packets in 
Wireshark.  The exchange is on the Foxdog page I linked to earlier.

> No, not a path to the Internet; unencrypted contact with something
> listening on TCP port 80 has been established that sent back the 204
> reply.  Could be anything, not necessarily Google's machine at the
> Internet;  it's easily impersonated.

Yes.  A system like this could be used to scam users.  However, it's more 
likely to be successful if the user still gets his Internet connection :-)

> You can try listening on TCP port 443 and seeing if Android 7 will
> play along with your self-signed certificates.  Perhaps it will as far
> as thinking it's got to the Internet, but that Java source I referenced
> also talks of `PAC' that I suspect are some sort of Android software
> update package.  If a PAC is involved then it will obviously only trust
> that from the expected Google source, verified by the certificate.

I'm going to try that today.  Lloyd at Foxdog says that they have https 
support with a Foxdog Certificate and all the phones that he's tried work.  He 
doesn't specify what they are.
 
> But this is Wimborne v. Google.  All Google is trying to do is inform
> the user that they're not connecting to an Internet access point but
> something else, and asking them to acknowledge that.  Seems reasonable.
> I assume relying solely on the HTTP 204 in Android 6 and earlier was
> because there were enough places blocking HTTPS that they had no choice.
> As HTTPS-only has become common for major sites, they can assume that
> access to the Internet allows it so they can probe for it, and it would
> seem duff if they don't validate the certificate on connection.

Agreed.  See above.
 
> Even if Android 7 doesn't validate the certificate, Android 8 probably
> will and we will be here again enough into the future to have forgotten
> this detail.  :-)
> 
> Tell management that the posters asking the users to open the QR code
> also need to warn them to accept the portal warning?

I did that last year.  Apparently it confuses the Visitors and so they give 
up.  My belief is that they are more likely to give up if they suddenly lose 
their 'indispensable' link to Facebook, Twitter, et al.

I was asked to fix this and I will do my best.  I have a backup of the old 
configuration, so it's easy to revert.

I'll talk it through with 'Management' when I go in to WMT on Tuesday.

-- 
Terry Coles

-- 
Next meeting:  Bournemouth, Tuesday, 2018-03-06 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue     / TO THE LIST OR THE AUTHOR
