[AusNOG] Interception?

Mark Andrews marka at isc.org
Thu Jul 5 23:25:01 EST 2012


In message <AC734764-C9EF-4A9A-82E9-DB41E1841355 at yahoo.co.uk>, Lloyd Wood write
s:
> 
> It's IF they start a browser. Say they fire up e.g. Skype sans browser. It w=
> on't work until they fire up a browser and try a normal web request to get a=
>  login. Eventually, users have to learn these necessary steps for networked c
> =
> omms. Https or a local file: url just has the browser running already... Eve=
> rything fails until you spawn the browser and issue a vanilla http request.
> 
> I'd argue that one fix would be a new DHCP option providing a URL, and then t
> =
> he OS spawns the browser to open that page...... The useless dhcp quote serv=
> er option could be reused for this, but that's an IP address, and since most=
>  webservers expect hostname and there's a reverse lookup needed, perhaps a n=
> ew dhcp option is the way to go. I haven't been following e.g. the autoconf i
> =
> etf group; surely this must have been proposed by now?

Actually a IP address is exactly what you need otherwise you need to pass
DNS so that DNSSEC works.  Web servers can work fine with IP addresses and
did so for years.

> On 5 Jul 2012, at 20:38, Skeeve Stevens <skeeve+ausnog at eintellego.net> wrote=
> :
> 
> > Hey all,
> >=20
> > Given the discussions happening on the list at the moment and what happene=
> d with Telstra, and a particular project I am working on at the moment, I th=
> ought I would seek the community's comments.
> >=20
> > In simple terms, the project is a wireless hotspot for a particular purpos=
> e.  The hotspot provides content (all legal) and after a product purchase, i=
> nternet access for a period of time.  All that is simple and nothing many pe=
> ople aren't already doing.
> >=20
> > The issue that I've recently come up against is HTTPS.  Many sites are mov=
> ing to HTTPS as default.  Facebook, Google, etc etc are starting to use it m=
> ore and more.  Now this is not a problem at all, and fully supported as norm=
> al web traffic should be.
> >=20
> > The problem we're facing is that as per normal hotspot solutions, when a u=
> ser connects to the hotspot, they get an IP.  Then they start a browser, and=
>  if it goes to a home-page, it gets redirected to a captive portal page wher=
> e they click some terms and we move on.
> >=20
> > Now that many people are having a HTTPS address as their 'home/startpage/e=
> tc', the HTTPS not able to get anywhere and breaking.  So to solve this issu=
> e, we now also intercept 443 - HTTPD and redirect it back to the portal.
> >=20
> > Due to the user trying to go to https://blah.com/ being re-directed, the b=
> rowser is freaking out with an interception or man-in-the-middle attack pote=
> ntial alert and so on. =20
> >=20
> > Now, I think its possible to work our way around this, but the question re=
> mains - "Is intercepting HTTPS for redirection purposes - an interception is=
> sue" ?
> >=20
> > I am sure there are lots of people who have had this problem and may (or m=
> ay not) have a way around it... but the question is - is there any legal iss=
> ues here we have to worry about?
> >=20
> > Comments welcome.
> >=20
> >=20
> > Skeeve Stevens, CEO - eintellego Pty Ltd
> > skeeve at eintellego.net ; www.eintellego.net
> > Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve
> > facebook.com/eintellego ; linkedin.com/in/skeeve=20
> > twitter.com/networkceoau ; blog: www.network-ceo.net
> >=20
> > The Experts Who The Experts Call
> > Juniper - Cisco =E2=80=93 IBM
> >=20
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> --Apple-Mail-22B9D0E7-08EC-4F4F-90C2-2B3F4E18BC52
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html;
> 	charset=utf-8
> 
> <html><head></head><body bgcolor=3D"#FFFFFF"><div><div>It's IF they start a b
> =
> rowser. Say they fire up e.g. Skype sans browser. It won't work until they f=
> ire up a browser and try a normal web request to get a login. Eventually, us=
> ers have to learn these necessary steps for networked comms. Https or a loca=
> l file: url just has the browser running already... Everything fails until y=
> ou spawn the browser and issue a vanilla http request.</div><div><br></div><=
> div>I'd argue that one fix would be a new DHCP option providing a URL, and t=
> hen the OS spawns the browser to open that page...... The useless dhcp quote=
>  server option could be reused for this, but that's an IP address, and since=
>  most webservers expect hostname and there's a reverse lookup needed, perhap=
> s a new dhcp option is the way to go. I haven't been following e.g. the auto=
> conf ietf group; surely this must have been proposed by now?</div><br></div>=
> <div><br>On 5 Jul 2012, at 20:38, Skeeve Stevens <<a href=3D"mailto:skeev=
> e+ausnog at eintellego.net">skeeve+ausnog at eintellego.net</a>> wrote:<br><br>=
> </div><div></div><blockquote type=3D"cite"><div>Hey all,<div><br></div><div>=
> Given the discussions happening on the list at the moment and what happened w
> =
> ith Telstra, and a particular project I am working on at the moment, I thoug=
> ht I would seek the community's comments.</div>
> 
> <div><br></div><div>In simple terms, the project is a wireless hotspot for a=
>  particular purpose.  The hotspot provides content (all legal) and afte=
> r a product purchase, internet access for a period of time.  All that i=
> s simple and nothing many people aren't already doing.</div>
> 
> <div><br></div><div>The issue that I've recently come up against is HTTPS. &=
> nbsp;Many sites are moving to HTTPS as default.  Facebook, Google, etc e
> =
> tc are starting to use it more and more.  Now this is not a problem at a
> =
> ll, and fully supported as normal web traffic should be.</div>
> 
> <div><br></div><div>The problem we're facing is that as per normal hotspot s=
> olutions, when a user connects to the hotspot, they get an IP.  Then th=
> ey start a browser, and if it goes to a home-page, it gets redirected to a c=
> aptive portal page where they click some terms and we move on.</div>
> 
> <div><br></div><div>Now that many people are having a HTTPS address as their=
>  'home/startpage/etc', the HTTPS not able to get anywhere and breaking. &nbs=
> p;So to solve this issue, we now also intercept 443 - HTTPD and redirect it b
> =
> ack to the portal.</div>
> 
> <div><br></div><div>Due to the user trying to go to <a href=3D"https://blah.=
> com/">https://blah.com/</a> being re-directed, the browser is freaking out w=
> ith an interception or man-in-the-middle attack potential alert and so on. &=
> nbsp;</div>
> 
> <div><br></div><div>Now, I think its possible to work our way around this, b=
> ut the question remains - "Is intercepting HTTPS for redirection purposes - a
> =
> n interception issue" ?</div><div><br></div><div>I am sure there are lots of=
>  people who have had this problem and may (or may not) have a way around it.=
> .. but the question is - is there any legal issues here we have to worry abo=
> ut?</div>
> 
> <div><br></div><div>Comments welcome.<br><div><div><font face=3D"Calibri"><b=
> ><br><br></b></font></div><div><b style=3D"font-family:Calibri;font-size:13p=
> x">Skeeve Stevens, CEO - </b><span style=3D"font-family:Calibri;font-si=
> ze:13px">eintellego Pty Ltd</span></div>
> 
> <div><div style=3D"font-family:Calibri,sans-serif"><span style=3D"font-size:=
> 13px;font-family:Calibri"><a href=3D"mailto:skeeve at eintellego.net" target=3D=
> "_blank">skeeve at eintellego.net</a> ; <a href=3D"http://www.eintell=
> ego.net/" target=3D"_blank">www.eintellego.net</a></span><span style=3D"colo=
> r:rgb(127,0,127);font-size:13px"><font color=3D"#002060" style=3D"color:rgb(=
> 0,0,0)"><p style=3D"margin:0px;font-family:Calibri">
> 
> Phone: 1300 753 383; Cell +61 (0)414 753 383 ; <a>skype://skeeve</=
> a></p><p style=3D"margin:0px;font-family:Calibri"><a href=3D"http://facebook=
> .com/eintellego" target=3D"_blank">facebook.com/eintellego</a> ; <=
> a href=3D"http://twitter.com/networkceoau" target=3D"_blank"></a><a href=3D"=
> http://linkedin.com/in/skeeve" target=3D"_blank">linkedin.com/in/skeeve</a>&=
> nbsp;</p>
> 
> <p style=3D"margin:0px;font-family:Calibri"><a href=3D"http://twitter.com/ne=
> tworkceoau" target=3D"_blank">twitter.com/networkceoau</a> ; blog:&nbsp=
> ;<a href=3D"http://www.network-ceo.net/" target=3D"_blank">www.network-ceo.n=
> et</a></p></font></span></div>
> 
> </div><div><div style=3D"font-family:Calibri,sans-serif"><div><span style=3D=
> "color:rgb(127,0,127);font-size:13px"><div><span style=3D"color:rgb(127,0,12=
> 7);font-size:13px"><img src=3D"http://eintellego.net/sig/logo.png"><br></spa=
> n></div>
> 
> The Experts Who The Experts Call</span></div><div style=3D"font-size:14px;co=
> lor:rgb(127,0,127)"><span style=3D"color:rgb(0,32,96);font-size:13px">Junipe=
> r - Cisco =E2=80=93 IBM</span></div></div></div><br>
> </div></div>
> </div></blockquote><blockquote type=3D"cite"><div><span>____________________=
> ___________________________</span><br><span>AusNOG mailing list</span><br><s=
> pan><a href=3D"mailto:AusNOG at lists.ausnog.net">AusNOG at lists.ausnog.net</a></=
> span><br><span><a href=3D"http://lists.ausnog.net/mailman/listinfo/ausnog">h=
> ttp://lists.ausnog.net/mailman/listinfo/ausnog</a></span><br></div></blockqu=
> ote></body></html>=
> 
> --Apple-Mail-22B9D0E7-08EC-4F4F-90C2-2B3F4E18BC52--
> 
> --===============1960961395440677349==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> --===============1960961395440677349==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the AusNOG mailing list