[AusNOG] Maximum users per AP

Bill Walker bill at wjw.co.nz
Thu Oct 18 11:36:58 EST 2012


Snap used to use this method to allow people access to secure bank
sites to pay their bill when they were overdue.  

On Fri, 26 Oct 2012
19:43:48 -0700, Scott Howard wrote: 

> On Fri, Oct 26, 2012 at 4:21 PM,
Paul Gear wrote: 
>> So what do you do for the scenario where you're
providing service for BYOD or public networks (as the OP seemed to be)
and have no authority to touch the end user's device? When we tried
this, we came to the conclusion that we would have to allow unfettered
outbound HTTPS if we weren't to have massive user experience rage, and
this basically eliminates the benefit of any filtering.
> It depends
on what you're trying to achieve. If it's simply to block/allow access
to a site you can do this based on the certificate exchange alone. The
certificate sent during the initial SSL handshake includes the hostname
of the website (or at least some variation on hostname, wildcard
hostname, alternate names, etc) and is sent in clear-text, so the
connection can be blocked based on that hostname. 
> It's a very
course solution as at best you can get to the host granularity (not
URL), you can't inspect the content at all (eg, anti-virus), and there's
numerous ways to get around this (think self-signed certs for starters,
but there's countless others) - but it'll stop at least the average
> Scott


[1] mailto:ausnog at libertysys.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20121018/348a9335/attachment.html>

More information about the AusNOG mailing list