dnssec-trigger + GNOME + NetworkManager integration

Stef Walter stefw at redhat.com
Tue Jun 30 11:46:30 UTC 2015 

On 30.06.2015 11:24, Tomas Hozza wrote:
> On 26.06.2015 17:13, Matthias Clasen wrote:
>> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>>
>> Hey, I was out for a week, so this may be a bit of a late reply.
>>
>> As Michael and Bastien already stated, all the GNOME networking UI
>> relies on information gotten from NetworkManager, and we'd like to keep
>> it that way. In particular, NetworkManager has an existing API to
>> inform us about captive portals - if at all possible, you should keep
>> that working.
> 
> Yes, it should work. We didn't change anything related to that. We just
> had our own implementation.
> 
>> [...]
>>
>>> This boils down to what we need from some new version of the UI that 
>>> we
>>> need to be well integrated with GNOME:
>>
>>> 1. Be able to inform user about some situations (Captive portal
>>> detected, network blocks all DNS communication, ...) and enable the 
>>> user
>>> to take an action. (This could be possibly done by the notifications
>>> system in latest GNOME)
>>>
>>> -> this may be solved also in GNOME already, and may be OK if done
>>> technically correctly. Please note my note earlier on NM notifying 
>>> other
>>> services when Captive Portal is detected
>>
>> My perspective on this is that we already have a UI: GNOME shell
>> displays network status, including captive portal. If NetworkManager
>> needs to add a few more connection states related to DNSSEC, we can
>> adapt to that.
> 
> The thing is that some information are unrelated to NM. There is no
> reason to push all information back to NetworkManager, since its role is
> explicitly defined - manage network connections and leave the DNS
> resolution and configuration up to different tool.
> 
>> GNOME shell also launches a browser when needed for captive portal
>> login. If we need to tweak the way the browser is launched to make it
>> work on a dnssec-enabled system, that should be possible.
> 
> I was not able to determine if you rely on the system's stub resolver.
> If that is the case, NM should notify GNOME only after dnssec-trigger
> switches to "hotspot signon mode".
> 
>>> 2. Possibly have some indicator showing if the system is in "Secure" 
>>> or
>>> "Insecure" state.
>>>
>>> 3. Enable the user to switch between those two states manually
>>
>> This seems dubious, at best. What does it mean if my system is
>> 'insecure' ? Will my credit card number be stolen ? Will my system be
>> taken over by intruders if I don't disconnect immediately ? Most users
>> will have no idea, and have to treat such a switch either as "scary,
>> don't touch" or as the "fix the internet" button.
> 
> It means that the site of your bank you are on may not be provided the
> actual host you should be connected to, but instead by some attacker's.
> The insecure mode means that you are vulnerable in the same way as the
> plain DNS is. So you are insecure even now if you don't use DNSSEC
> without realizing it.

Except if your bank is using https and you connected to it that way, and
you have unbroken CA roots. and so on ...

The combinatorial explosion of states between "insecure" (someone just
stole my money) and "secure" (the NSA be crying because they can't touch
this) ... means you end up with about NNNN posibilities to explain to
the user.

It's not possible to represent all of this in a dialog. We'd have to
print a book and mail to to the user.

Stef

More information about the devel mailing list