Adding Ben.
On Sun, May 17, 2020 at 9:26 PM Martin Thomson <m...@lowentropy.net> wrote: > Adding more lists. > > On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote: > > > Here is a quote form the API document: > > > "The hostname of the API SHOULD be displayed to the user in order to > indicate the entity which is providing the API service." > > > > > > This seems to suggest that the user is expected to inspect the > displayed name and make sure it is make sense in the context of whoever is > providing that service. > > I don't think that is the case. If this were a security mechanism, then > it would use "MUST". This is likely for the purpose of enabling some sort > of accountability. In other words, this is to offer maximal information > about what is going on. > > Here is the sentence just before the above quote from the API document: it provides the client of the API an opportunity to authenticate the server that is hosting the API. This authentication is aimed at *allowing a user to be reasonably confident that the entity providing the Captive Portal API has a valid certificate for the hostname in the URI* > > > Since this would be an easier attack compared to the interception > attack, and IP address is still permitted, then an attacker might force the > use of IP address to make it harder for the user to make sense of the > displayed name. > > I don't think that is materially different than getting a name with > confusable characters (or using the prefix hack, > example.com.<some-guid>.example, > in an attempt to confuse). > An end user should be able to validate that the name is example.com and not any other form of the URI. It would be much more difficult for the end user to make sense and validate an IP address. Regards, Rifaat
_______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals
