Cindy Sue Causey writes:
On 2/13/22, Brian <a...@cityscape.co.uk> wrote:
> On Sun 13 Feb 2022 at 16:02:53 +0100, to...@tuxteam.de wrote:
>> > > On Sat 12 Feb 2022 at 21:07:10 +0100, to...@tuxteam.de wrote:
[...]
>> > > > [1] Had I a say in it, I'd reserve a very special place in Hell
>> > > > for those.
[...]
> Interesting.
>
> Captive portals provide free connectivity. What's the problem?

I almost responded to this thread yesterday to say, "Shudder!"

My thought process was that it seems like it might be pretty easy for perps hovering out in a parking lot or maybe a nearby building to create a fake captive portal that resembles what users would be expecting to see from the, yes, FREE Internet provider.

That would only be possible if this is working like I'm imagining is being described here. That imagination involves a webpage such as what I once encountered popping up unexpectedly while trying to access WIFI through a local grocery store a few years ago.

[...]

Yes, it works pretty much as you describe with exactly the problematic aspects (see my other post and the RFC linked before).

It is not _that_ bad for security because of two key points:

 - Captive portals cannot bypass protection by TLS certificates. Users will instead be unable to access the respective pages and either get a certificate error or no useful error message at all.
 - In case of unencrypted/unprotected traffic, adversaries can manipulate that even _without_ captive portals if they set up their own (malicious) “free” WiFi service.

HTH
Linux-Fan

öö
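An added illustration of the two points in the reply above (not code from any poster in this thread): a localhost stand-in for an intercepting network shows that a plain-HTTP probe is silently redirected, while the same request over TLS fails closed. The `/probe` path, the `portal.invalid` URL and the expect-204 convention are assumptions of this sketch.

```python
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL_LOGIN = "http://portal.invalid/login"  # constructed placeholder URL


def make_handler(captive):
    """Build a probe endpoint: honest (204) or intercepting (302 to portal)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if captive:
                self.send_response(302)
                self.send_header("Location", PORTAL_LOGIN)
                self.send_header("Content-Length", "0")
            else:
                self.send_response(204)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_server(captive):
    """Start a throwaway localhost server; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(captive))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, use_tls=False, timeout=2):
    """Classify what a client sees when it fetches the probe URL."""
    if use_tls:
        ctx = ssl.create_default_context()  # normal certificate checks
        conn = http.client.HTTPSConnection("127.0.0.1", port,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/probe")
        resp = conn.getresponse()
        resp.read()
        if resp.status == 204:
            return "open"
        return "intercepted: " + resp.getheader("Location", "unexpected response")
    except ssl.SSLCertVerificationError:
        return "blocked: certificate error"
    except OSError:  # handshake garbage or timeout: "no useful error message"
        return "blocked: no useful error"
    finally:
        conn.close()
```

The TLS case here lands in the "no useful error" branch because the simulated portal speaks only plain HTTP; an interceptor presenting its own certificate would hit the certificate-error branch instead.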