"Ted" == Ted Lemon <ted(_dot_)lemon(_at_)nominum(_dot_)com> writes:
Ted> On 07/14/2015 12:24 PM, David Farmer wrote:
>> However, what if the only purpose of the portal is to display
>> marketing and/or acceptance of Terms & Conditions? Is DNSSEC and
>> SSL still required in this case? I tend to think not, but I'm
>> happy to hear why I'm wrong.
>>
>> Frequently that is all the captive portal is, a little marketing
>> and maybe T's & C's to keep the lawyers happy. For most coffee
>> shops or restaurants and a lot of other public places this is all
>> the portal does.
Ted> The issue is that we want to avoid being infected by malware,
Ted> and if the captive portal controls all of our access to the
Ted> information we'd use to avoid connecting to an untrustworthy
Ted> source, we are in trouble. Chances are that your marketing
Ted> splash is some kind of flash or javascript thing, and we'd like
Ted> to be able to know that we are really talking to you and that
Ted> you aren't on a malware blacklist. DNSSEC and TLS (not SSL,
Ted> all versions of SSL are known to be vulnerable to hacks of
Ted> various kinds) are required to make this work.
>>> My concern is that while this is really good advice, there's no
Just to make sure we're evaluating the tradeoffs here. We're assuming
that the attacker doesn't choose to pay for a plausible domain and a
cert for that domain. I think cheap certs are in the $10 range unless
they've gotten down to free, and domains are under $20.
I'd been thinking TLS was valuable if you were exchanging sensitive
information.
Is the economic disadvantage to the malware attacker greater than I'm
implying above?