
List:       ietf-tls
Subject:    Re: [TLS] Captive portals, "access administratively disabled" and alert messages
From:       Lanlan Pan <abbypan () gmail ! com>
Date:       2018-01-03 4:05:01
Message-ID: CANLjSvUXYerd+CW0omzp=zpydU7_CSbHThvDpTiG1hMBisCjWA () mail ! gmail ! com

Eric Rescorla <ekr@rtfm.com> wrote on Wed, Jan 3, 2018 at 5:57 AM:

> On Tue, Jan 2, 2018 at 1:40 PM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>
>> CCing Ted Lemon <mellon at fugue.com> as the author of previous
>> proposition.
>>
>> On 02.01.2018 at 21:20, Eric Rescorla wrote:
>> > On Tue, Jan 2, 2018 at 12:08 PM, Mateusz Jończyk <mat.jonczyk@o2.pl
>> > <mailto:mat.jonczyk@o2.pl>> wrote:
>> >
>> >     Then the browser should display a message inside the warning screen
>> >     that the string cannot be trusted.
>> >
>> > Users tend to ignore that kind of warning.
>> Not any more than they ignore certificate warnings [2].
>
>
> That's not clear. We would be providing some sort of attacker-controlled
> text to the user with a warning that says "you can't trust this". That's
> difficult to pull off.
>
> Moreover, the certificate warnings are under control of the browser, but
> we actively work to discourage the user from ignoring them. Moreover, for
> HSTS sites, the browser doesn't allow the user to override them, so
> providing some attacker-controlled information would make the situation
> materially worse. And given that a lot of the sites which people are likely
> to hit with captive portals are in fact HSTS sites (because HSTS is common
> in big sites) instead showing attacker controlled information would make
> things materially worse.
>

> providing some attacker-controlled information would make the situation
> materially worse.

+1

Although some browsers support HSTS, they also offer a "user friendly"
configuration option to ignore all SSL warnings.


> -Ekr
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>


-- 
Best Regards

潘蓝兰  Pan Lanlan
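The HSTS point in the thread (for a known-HSTS host the browser offers no override of a certificate error, so whatever a captive portal or other interposer presents is a hard failure) can be made concrete with a small policy store. The following is an added example, not code from the thread or from any browser; it implements the RFC 6797 semantics (max-age, includeSubDomains, max-age=0 to clear, longest-suffix matching) and the host names, preloaded set and timestamps are constructed for illustration.

```python
"""Minimal HSTS policy store (RFC 6797 semantics), added example.

Shows why a certificate error on a host the browser already knows as HSTS
cannot be overridden: once a host is in the store, the error is a hard
failure regardless of any text an interposing network presents."""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires: float          # absolute Unix time; float("inf") for preloaded hosts
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security field value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid (missing max-age, non-numeric value, or a repeated
    directive, which RFC 6797 section 6.1 says makes the header invalid)."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    def __init__(self, preloaded: Optional[Dict[str, bool]] = None):
        # preloaded: host -> includeSubDomains flag; constructed here, not the
        # real browser preload list.
        self._entries: Dict[str, HstsEntry] = {}
        for host, include_subs in (preloaded or {}).items():
            self._entries[host.lower()] = HstsEntry(float("inf"), include_subs)

    def process_header(self, host: str, value: str,
                       now: Optional[float] = None) -> bool:
        """Update state from a header received over a validated TLS
        connection (a header seen on a failed handshake must be ignored).
        Returns True if the header was accepted."""
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:          # max-age=0 clears the policy
            self._entries.pop(host, None)
            return True
        now = time.time() if now is None else now
        self._entries[host] = HstsEntry(now + parsed["max_age"],
                                        parsed["include_subdomains"])
        return True

    def is_known(self, host: str, now: Optional[float] = None) -> bool:
        """Exact match, or a parent domain whose entry has includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue                    # absent or expired entry
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def cert_error_policy(self, host: str, now: Optional[float] = None) -> str:
        """What the UI may do when the certificate for host fails validation."""
        return "hard-fail" if self.is_known(host, now) else "overridable-warning"


if __name__ == "__main__":
    store = HstsStore(preloaded={"example.com": True})   # constructed entry
    store.process_header("portal.test", "max-age=300", now=0.0)
    for h in ("www.example.com", "portal.test", "login.portal.test"):
        print(h, store.cert_error_policy(h, now=10.0))
```

The store only matters for the decision once an interposer breaks validation: a host that is known hard-fails, and a host that is not known still gets the ordinary, overridable warning.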




