nanog mailing list archives

Re: Breaking the internet (hotels, guestnet style)


From: Leo Bicknell <bicknell () ufp org>
Date: Tue, 8 Dec 2009 07:40:22 -0800

In a message written on Wed, Dec 09, 2009 at 01:52:49AM +1100, Mark Andrews wrote:
> What if I want to just use ssh?

You still need to authenticate.  It's better if we can reduce the
amount of collateral damage required to authenticate.  The interception
is being done today because there is no standard way to say "go here to
authenticate" and the hotspot provider has to do a man in the middle
attack to get you to the authentication page.

Most of the hotels I have used don't actually require authentication.
They require a click through indemnification agreement.  No username,
no password, no room number, just a "click here to accept our terms
and conditions".

I would much prefer this be added to the check-in process.  I already
have to sign a contract with the hotel to check in; it should cover use
of the WiFi as well.  Then there is no need for a click through
agreement.

If there is need for authentication at that point (I am the one who
signed the front desk agreement) then using 802.1x authentication would
be the right answer.  If I could do it with an OpenID, or other "public"
account by providing the account name when I sign the paper at the front
desk then I could have all of my devices always on, in a standard way,
and never see these stupid pages.

Imagine, you make a reservation online for a hotel, you use an ID
which is the same as your e-mail so it auto-populates on the online
form.  When you check in you sign the T&C's, and your devices
authenticate with 802.1x, which you just leave configured, since
you're always using the same ID.

No more MITM, all standards based.

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
