2016-04-01 - Re: [GRASE-Hotspot] Can portal be secure? https

Header Data

From: Sebastian Schneider <se***r@gmail.com>
Message Hash: f122f267946ff6bf4f48c0f4a5b40ba428a9ebc5c76c6386fd8c8a47df0d5be8
Message ID: <9e831ec8-a1b0-48b7-beda-e7480efa534b@grasehotspot.org>
Reply To: <CAHoMbheXBO32XKG2PCEiZ51uPpeX4ionu18ya8hRAgugzx09dw@mail.gmail.com>
UTC Datetime: 2016-04-01 08:32:27 UTC
Raw Date: Fri, 01 Apr 2016 08:32:27 -0700

Raw message

Hi Henry,

SSL in combination with HTTP is (going to be) the standard for the Web.
In our case I think it is a good idea to enable a secure way to log into 
the portal for *everyone*. 
If anyone is facing a problem with JavaScript, they are forced to use the 
non-JS version of the captive portal. In that case a Man-in-the-Middle 
attack is trivial and credentials of YOUR wireless network can get into the 
wrong hands. It's not necessarily just the user's problem but yours.
Another point is: Many people use NoScript or similar programs to block 
JavaScript. And I fully understand their decision. 
For exactly these cases we can make sure that the authentication on our 
captive portal is safe.

Using an unencrypted wireless network is insecure for the user anyway. But 
at least I want to try everything possible to keep me and my network safe 
and unwanted people out of my net.

Even though there are other methods to get into an unencrypted network...

Best Sebastian


On Wednesday, 30 March 2016 at 22:51:03 UTC+2, Henry Terkura Swende wrote:
>
> I'm kinda confused here guys kindly help me out? Why would I need SSL when 
> the portal is already secured. I mean what's the advantage of using SSL 
> instead of the JavaScript enabled security in grase?
> On Mar 30, 2016 9:25 PM, "Timothy White" <ti***.@gmail.com> wrote:
>
>> That's great news Sebastian!
>>
>> Can you do a short writeup on the Wiki for that? 
>> https://github.com/GraseHotspot/grase-www-portal/wiki
>>
>> Regards
>>
>> Tim
>>
>> On Thu, Mar 31, 2016 at 12:18 AM, Sebastian Schneider <
>> se***.@gmail.com> wrote:
>>
>>> Hi Tim,
>>> thanks for that idea. It was obvious but I didn't think about it.
>>> The problem was mixed content, i.e. HTTP traffic in an HTTPS session. 
>>> jqchilli.js call: 
>>> var urlRoot = 'http://' + chilliController.host + ':' + chilliController.port + '/json/'; // TODO make this dynamic
>>> in line 38.
>>> In lines 22 and 23 I changed the host var to my DNS hostname (fitting 
>>> the cert) and changed the port to 4990.
>>> In my /etc/chilli/config I added:
>>> HS_UAMUISSL=on
>>> HS_REDIRSSL=on
>>> HS_SSLKEYFILE=/path/to/private_key
>>> HS_SSLCERTFILE=/path/to/cert
>>>
>>> The hosts file of the Controller resolves the CN Name of the cert to 
>>> 10.1.0.1
>>>
>>> Now I have SSL enabled, without any errors. 
>>>
>>> Regards
>>>
>>> Se
>>>
>>> On Tuesday, 29 March 2016 at 13:05:34 UTC+2, timwhite88 wrote:
>>>>
>>>> Hi Sebastian
>>>>
>>>> Off the top of my head, I'm not sure what the problem is. Try using the 
>>>> browser developer tools to see any error messages you can see.
>>>>
>>>> Feel free to open an issue for it and when I get a chance I'll have a 
>>>> poke as well.
>>>>
>>>> Regards
>>>>
>>>> Tim
>>>>
>>>> On Tue, Mar 29, 2016 at 8:26 PM, Sebastian Schneider <
>>>> se***.@gmail.com> wrote:
>>>>
>>>>> Hi Karotu, hi Tim,
>>>>>
>>>>> with the risk of annoying everyone, I tried to enable SSL yesterday, 
>>>>> as I did before with coova. The CHAP mechanism FAILS when SSL is enabled. 
>>>>> In any case, that shouldn't be normal, right?
>>>>> I do have a valid CA-signed certificate (startssl, soon letsencrypt) 
>>>>> and my grasehotspot is resolving my address via a local hosts entry. So 
>>>>> internally (connected via hotspot) it's resolving to my controller, 
>>>>> publicly (not connected via my controller) it's resolving to my website.
>>>>>
>>>>> So apache and everything is running fine, no warnings, no nothing. But 
>>>>> I have to use the "non-secure" variant of the captive portal (non JS 
>>>>> version, non CHAP version) to login successfully, when using HTTPS.
>>>>> I had a look in the ChilliLibrary.js but without any luck.
>>>>>
>>>>> Any ideas from your side?
>>>>>
>>>>> Best
>>>>>
>>>>> Sebastian
>>>>>
>>>>>
>>>>>
>>>>> On Sunday, 9 March 2014 at 21:43:34 UTC+1, karotu wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Is it possible to make login secure with https?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Karotu
>>>>>>
>>>>>> -- 
>>>>>> ----------------------------------
>>>>>> Karotu Tannang
>>>>>> Nauoi IT Services
>>>>>> Behind BOK, Betio / PO Box 46, Bairiki
>>>>>> Tarawa, KIRIBATI
>>>>>> Mobile: +686 94038
>>>>>> Like Us on Facebook: http://www.facebook.com/nauoionline
>>>>>>
>>>>>>
>>>>>> -- 
>>>>> This mailing list is for the Grase Hotspot Project 
>>>>> http://grasehotspot.org
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to gr***.@grasehotspot.org.
>>>>> To post to this group, send email to gr***.@grasehotspot.org.
>>>>> Visit this group at 
>>>>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/73b262da-42ff-451f-b538-96550a7a706b%40grasehotspot.org 
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/73b262da-42ff-451f-b538-96550a7a706b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>
>
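
The mixed-content problem and the "TODO make this dynamic" in the quoted jqchilli.js line, as an added example that is not part of the original thread or of the GRASE code base: the JSON root is derived from the scheme of the loading page, and a small audit flags both an http:// request from an HTTPS page and a host that does not match the certificate name. The function names, the port table (3990 is assumed to be the plain-HTTP chilli port; 4990 is the port named in the thread) and the host hotspot.example.org are assumptions.

```javascript
// Added example, not GRASE code. Port numbers are assumptions:
// 3990 for plain HTTP, 4990 for the SSL UI port mentioned in the thread.
const ASSUMED_PORTS = { 'http:': 3990, 'https:': 4990 };

// Build the chilli JSON root from the scheme of the page that loaded the
// script, instead of hardcoding 'http://'.
function chilliJsonRoot(pageUrl, host, ports = ASSUMED_PORTS) {
  const scheme = new URL(pageUrl).protocol;
  if (!(scheme in ports)) throw new Error('unsupported scheme: ' + scheme);
  return scheme + '//' + host + ':' + ports[scheme] + '/json/';
}

// Report why a browser would refuse or warn about a request made from pageUrl.
// Simplification: the certificate check is an exact hostname match only
// (no wildcard or multi-name certificates).
function auditRequest(pageUrl, requestUrl, certName) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const problems = [];
  if (page.protocol === 'https:' && req.protocol !== 'https:') {
    problems.push('mixed-content');
  }
  if (req.protocol === 'https:' && req.hostname !== certName.toLowerCase()) {
    problems.push('cert-name-mismatch');
  }
  return problems;
}

// Constructed sample values for illustration.
const PAGE = 'https://hotspot.example.org/grase/uam/hotspot';
const CERT_NAME = 'hotspot.example.org';
const candidates = [
  'http://10.1.0.1:3990/json/',                  // hardcoded http:// root
  'https://10.1.0.1:4990/json/',                 // HTTPS, but IP instead of cert name
  chilliJsonRoot(PAGE, CERT_NAME),               // scheme follows the page
];
for (const url of candidates) {
  const problems = auditRequest(PAGE, url, CERT_NAME);
  console.log(url, '->', problems.length ? problems.join(', ') : 'ok');
}
```
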

Thread