CAPPORT - 2015-07-22 - 1550-1720
================================

Chairs: Warren Kumari and Mark Nottingham (aka mnot)
Scribes: Patrick McManus and Sean Turner.
More information: https://github.com/httpwg/wiki/wiki/Captive-Portals
Jabber logs: https://www.ietf.org/jabber/logs/capport/2015-07-22.html

Presentation:
———————
Warren Kumari
Administrivia / what are we trying to do?
https://www.ietf.org/proceedings/93/slides/slides-93-capport-0.pdf
-----------------
* Waived description of what a Captive Portal is.
* Complaints about them not working properly.
* Goals - make Captive Portal communication explicit
  - Erik Kline notes secure communication as a goal. Aaron Falk +1
* Non-goal - kvetch

-------

- Wes George's preferred behavior is getting his VPN up ASAP and, while in this state (waiting for the CapPort), tell the OS to not send anything!
- Aaron Falk - would like to prevent fake captive portals from taking credit card info
- Fedora 23 due to have related functionality.
- Mike Bishop - There has been lots of work done, but not a lot of success. Notes that Captive Portal whitelist checkers… are the right people (Captive Portal vendors) here?
- Mark Nottingham - doesn't believe in hope-based standards
  ** - Why are CapPort operators specifically defeating the probes that Apple/Google/etc. use?
- Tom Chen (?) - use eduroam and 802.1X. For all its sins it's simple.
- Alex Rosco (Comcast) - why are so many broken? It would be good to get developers to give us tools.
- ekr - 1st struck by how the OSes have mechanisms to detect them but detection is being disabled.
  ** - As above; why are they disabling detection?
- Mark Nottingham - Who thinks there is a problem in this space? EVERYONE (~100)
- Mark Nottingham - Who thinks they have some idea on how to improve things? Some
- Mark Nottingham - Who works on these kinds of products? ~10
- mnot - Who works on an implementation that attempts to handle a captive portal? ~10 wow, so we have a lot of implementers... 3x the number I expected. WOW. AWESOME. More than Homenet!
- Mark Nottingham declared better than expected
- Mark Nottingham - If they just documented what they did - that'd be good too.
- Stefan Winter - are you making attacks smooth and easy?
- Sanjay Mishra (Verizon) - issues that there are a lot of different kinds that are deployed all over the world. Is there a way to drive an incentive for it to see the light of day?
- Warren - why do some vendors do it the way they do? They care about eyeballs (ads in a full featured browser, for instance)
- Erik Kline - even if we don't get a standard for captive portals - if we get documentation that would be good
- Juan Carlos - we need to educate each other, document, etc.
- Dave Thaler - speaking as one of the OS vendors: it occurs to him as being similar to a different story - We did this once before in the NAT case so hopefully we've learned from that. Get the captive folks paid and get the users on.

Timestamp: 30 minutes
——————————

- Warren - we don't want to say captive portals are bad
- Christian Huitema, Microsoft - I'm working with a on this kind of stuff. Inherent contradiction between eyeballs and security. We need to have a charter that includes security issues.
- Lorenzo - not sure the NAT story is the same. There is still potentially a conflict of interest
  [TODO: Many conflicting sets of interests. We're unlikely to come up with a single solution to satisfy everybody. We should have a document that outlines the different sets of interests that captive portal implementors have.]
- Dave Thaler - agree but we need to find some common ground.
- Mark Nottingham - this might address the quality of service you get.
- Dan York - the point Mark Nottingham made is important. We create protocols just fine and are not often so good at deployment - do we understand the captive portal industry? Should we try to get industry leaders involved?
  [TODO: Try and find/get outsourced captive portal providers involved.]
- Mark Nottingham - there's thousands of captive portal vendors.
- Warren - there's an open source captive portal effort that somebody from Google works on - apparently the largest open source captive portal in use.
- Dan Harkins - captive portals are bad (his company makes one; he didn't work on it though) because there's an attack vector of an open web page and they promote bad user behavior (clickthrough). Advocates IP over DNS VPNs.
- Andrew Sullivan - having issues with figuring out what a successful effort looks like. How do we proceed? Who are we trying to make happy: end user, vendor, or other? Need to narrow down to succeed.
- ekr - I do think we're going to hear from people who make these things. If we can find common ground then that's the place to start: don't intercept/block TLS connections or things on port 80 (i.e., stop annoying the user)
- Ted Lemon - success is defining a secure captive portal
- Michael Richardson - success is a taxonomy of captive portals and security considerations for each
  [TODO: taxonomy of captive portals and security considerations for each]
- Mic: I think success looks like explaining what needs to be done to make a captive portal that we think is secure and implementable, and whatever supporting docs are required to make it work. I think bad actor CP implementors are out of scope.
- Mic: success for me is having a taxonomy of captive portal techniques, and security considerations for each method. That would be enough for now, because if that's as far as we get, then we can apply Dan Harkins' method.
  https://github.com/nodogsplash/nodogsplash and http://www.coova.org/ are two other examples
- Dave Dolson - everybody loves free WiFi. Not sure it's productive to talk about the quality of the content at the site. Success is standardizing the protocol between device and network.
  [TODO: Standardize the protocol between network and device.]
- Alex Rosco - success: 1) the RA implementation and 2) a user experience or Hotspot 2.0
- Warren - what would work for success - arrive with phone, phone tells me I'm behind a captive portal, API for all the same (localized), click on it with Apple Pay or Google Wallet, and then five minutes before the time is up it asks to re-up.
- Clemens - we should not only think about payments - it's a legal problem in some countries. And, we are facing the usual thing that there's a chicken and egg problem. Can we get this implemented on 2 mobile device platforms - we're probably going to win / widespread support would be adopted.
- Mic: more success is having advice (in DHCP and RA) that says, "this is a captive portal of type FOO"
- Erik s? - Captive Portal motives - Money is only one. Terms of Service also. Privacy concerns might be more of a regulatory question. UI forms not suitable for vehicles or alternative interface devices
- Tim Chen - in Prague buy beer, get key - seems like a good tradeoff. Uni needs it - Eduroam isn't ignoring this effort. Asks about exploring multiple SSID space
- Mark Nottingham notes crowd is boiling the ocean - if we try to make this solution cover everything, we will likely fail. Instead, let's aim for a 60 or 80% use case, and not a 100% use case.
- ? (Cisco) - enterprise firewalls also have problems; it's a broader issue than just for coffee shops and the like. Identify the user to apply policy.
- Dorothy (Aruba Networks) - It was not possible to figure out the variety of platforms and the different goals of providers/users. There's a disconnect between the two main "what we want to do" goals - need to decide which ones you want to do. Agrees that everybody/all use cases cannot be satisfied. I'd prefer to do autologins and suggest the goal of how we can get to a point where we use them more.
- Dan York (relaying for Ted Lemon) - I don't think we want to compete with eduroam. Automated logins are for big companies, not small CP networks.
- Dan York - we have to recognize captive portals are here. Many have the goal of marketing, which is in direct conflict with automated logins.

Timestamp: 1 Hour
——————————————

- Lorenzo - I like free WiFi but I like Internet access - hates the way the OS stops stuff from working. The term is too generic. Suggests taxonomy as progress
- Murray K - there's a lot of UI terms and we're not good at that. It might sit beyond our purview.
- Carlos - there is something that already looks like Warren's success: Skype WiFi
- Tobias Gondrom - 4 base scenarios: money, eyeballs, legislation, authentication. Try to solve those and that would help with acceptance.
- Morgan - as to content when you get one of these landing pages - need to have a discussion to provide trust and security.
- Warren - how do you feel about an API function?
- Morgan - Yes, but I am generally thinking to direct to an application, not to accept a UAP or login.

*** Etherpad starts to crap out ... ugh ***

- Ted Hardie - think about privacy! How much information is leaking accidentally while the network is in an awkward state before accepting the CP? Would like a recognized network state of Attached, but Not Connected to the Internet. Would prevent other applications from trying to use it and from sending it data.
- Wes George, via chat - Isn't that "I have an IP but no default route" that sort of attached but not connected?
- Dave Crocker - heard it's a complicated space - start by characterizing this space with an/multiple informational document(s) that get people to identify what they want/need/like from within and without the IETF. Whether the term is Captive Portal or finding a different term is important. Secondly, characterize what one might do within that state? And then who would implement it? Characterizing is the first step, then defining what is worth doing, and then pursue or not.
- ? - need a standardized signal to say you're behind the portal. Most portals want to interact with the user - and we have a standardized way to do that with HTML. So, find a way for the portal to announce itself, fire up a browser that states this is a browser session for your captive portal.
- Mike Bishop - I would like an informational overview - what problems are out there. Questions are: What do the OSes do, what do the CapPorts do, what other techniques are out there, and where are the gaps?
- Martin Thompson - wants to see that the browser that pops up for the CapPort is highly sandboxed.

[ Etherpad truncated itself at this point ]

- Lorenzo - there's an API (myth?) that allows the browser to open a page in a different network, but it seems that browsers are not currently implementing this. This would be useful to allow logins to happen without breaking the current connections.
- Mark Nottingham - Requested hum for whether interested in pursuing or not. Response of interested was received.
- Mark Nottingham - Start by documenting problems in current use cases of CPs. And best practices.
- Mark Nottingham - several people who currently implement CPs are willing to contribute.
- Mark Nottingham - request hum for whether anybody is interested in technical mechanisms at the same time. Stronger hum than the interest level.
- Barry Lieber - should keep going, even if not ready to charter immediately. More interested than expected.

Reminder/Generic random question: Why don't Captive Portal Probes do a challenge/response to prevent people from defeating them?