Adding more lists.

On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote:
> > Here is a quote from the API document:
> > "The hostname of the API SHOULD be displayed to the user in order to 
> > indicate the entity which is providing the API service."
> > 
> > This seems to suggest that the user is expected to inspect the displayed 
> > name and make sure it makes sense in the context of whoever is providing 
> > that service. 

I don't think that is the case.  If this were a security mechanism, then it 
would use "MUST".  This is likely for the purpose of enabling some sort of 
accountability.  In other words, this is to offer maximal information about 
what is going on.

> > Since this would be an easier attack compared to the interception attack, 
> > and an IP address is still permitted, then an attacker might force the use of 
> > an IP address to make it harder for the user to make sense of the displayed 
> > name.

I don't think that is materially different than getting a name with confusable 
characters (or using the prefix hack, example.com.<some-guid>.example, in an 
attempt to confuse).

_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org
https://www.ietf.org/mailman/listinfo/captive-portals
