<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hello,<br></div><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><p dir="ltr">
On Jun 13, 2015 4:28 AM, "Michael Catanzaro" <<a href="mailto:mcatanzaro@gnome.org" target="_blank">mcatanzaro@gnome.org</a>> wrote:<br>
> On Fri, 2015-06-12 at 15:49 -0700, Andrew Lutomirski wrote:<br>
> > ><br>
> > But that's not even right. Suppose you have a captive portal that<br>
> > wants you to log in via your Google account. It can send you to<br>
> > <a href="https://accounts.google.com" target="_blank">https://accounts.google.com</a>, and your browser can verify the<br>
> > certificate and show you an indication that the connection is secure.<br>
> > Then you really can safely enter your password.<br>
><br>
> Hmmm, I didn't realize legitimate portals might take you to the public<br>
> Internet.<br></p><p dir="ltr">I think I've seen this in airports and in some hotel chains.</p></blockquote><div>Yes; sadly, many “legitimate portals” (easily 50% of the airport hotspots I have encountered in Europe) are pretty much attackers.<br></div><div><br></div><div>In particular, many of them want to bypass hotspot detection so that the login screen does <em>not</em> appear in the sandboxed hotspot sign-on browser; by now it is a pretty standard feature of business access points to have a “bypass hotspot detection” checkbox. (For iOS, this has reportedly been done by recognizing a unique User-Agent used for the hotspot check; not sure about Android.)¹<br></div><div><br></div><div>They want to use the regular, unsandboxed, browser so that</div><div><ul><li>password autofill works</li><li>credit card number autofill works</li><li>your Facebook login state is available so that you can easily “like” the hotspot provider (I’m not entirely sure but I think I did already see “like our page for 15 minutes of free internet” in a public hotspot)<br></li><li>your advertising tracking cookies transfer (for better targeting of ads on the hotspot login page, or so that you can be marked “visited airport $ABC” and related ads can be targeted at you in the future)<br></li></ul><div>What would dnssec-trigger do if an attacker^Wlegitimate hotspot provider deliberately let the hotspot probe lookup and connection through, but kept redirecting everything else?<br></div><div> Mirek<br></div><div><br></div><div>¹ You can guess what this does to any applications which use unauthenticated HTTP to download data in the background: all that data suddenly becomes the hotspot login page and the application may not realize there is anything suspect about it.<br></div></div></div></body></html>