Hacker News | ianschmitz's comments

We sold ours a few days before they announced the monthly fee. I feel like we dodged a bullet.

Are there any rules that folks find really effective? It doesn’t come with any out of the box.

While I agree with you…

> It looks like they are announcing to the world today that they care more about advertisers than users.

Where does 78% of their revenue come from? I’m not sure why you’re surprised.


HSTS is a great mechanism to help protect against this. Although it assumes the user has visited the site previously within the HSTS expiration period. There’s also the HSTS preload list: https://hstspreload.org/


Interesting site on hsts.

I don't think HSTS will help if he is running his own WWW site on his laptop with a proper CA signed cert. If I understand correctly his laptop was presenting a proper WWW login page presumably over HTTPS after victims connected to his WIFI. What he was probably faking was the redirect to the Identity Provider (IDP) by staying on his own properly credentialed HTTPS site which would pass all HSTS checks. He may have also been faking DNS responses to keep users where he wants them.


Exactly this. Apple devices in fact use a domain https://captive.apple.com/ to detect when to redirect to a captive portal which will grant the user access to the internet. HTTPS isn't used here because the captive experience is to re-write all DNS lookups to a local IP to serve the captive experience.

This experience would just redirect the user to a site they've never been to before, say: wa-man-likes-your-data.com. This could have a legitimate signed cert from anywhere and look legitimate to the device with a lock icon. Put the airline's logo and a form for PII, wait a couple of hours and you've collected a plane load of data.

I used to think about doing something similar but as an education campaign. Similar to Phishing Simulators at large corporates, I had the idea to display a captive page that explained what the user did and how they can learn to avoid it in future.

Apple & Google should really make it clearer on phones that users are joining untrusted networks, especially any network not implementing Wi-Fi Certified Passpoint (Hotspot 2.0).


as I understand it, it would be http://captive.apple.com

so that the captive portal can intercept and write their own login.


Yes, my brain auto-corrected me to HTTPS.


How would they have got a proper CA signed cert for a domain they don't own?

HSTS will only make an HTTPS connection. Without the valid certificate, they should get a warning.

The only way this "works" is if a captive portal pops up a browser to a site that looks the same as amaz0n.com. Password manager wouldn't pop up, but many people don't use them.

Faking DNS also won't help with the TLS warning, they won't have the certificate.

Basically, this shouldn't be possible with HSTS.


> How would they have got a proper CA signed cert for a domain they don't own?

No need. People probably don't look closely at the domain name.


Criminals are smart enough to skip any of that -- they'll trick you into opening a site that has the "same" domain and looks the same, except that the domain uses a Unicode character that is just a tiny bit different from the real one. (Thank you ICANN!) I get junk email from them every day. Even if just 1 out of 50 people fall for this, they get a good payout.

And that's just one of the many possible scenarios. When you control someone else's Internet, there are a lot of things you can do. Google's certificate transparency is going to help a lot here, but only as much as what happens in a browser.


HSTS does absolutely nothing to protect against evil portals. These portals aren't spoofing DNS for google.com, they're typically displaying their own TLS-enabled site with a familiar-looking login flow, i.e. "Log in with Facebook/Google/Amazon to access Wi-Fi."


Meh, easily avoided.

Just do a captive portal redirect to "google.johnsmith.example.com" with a properly signed certificate, add google logo and login fields, and after a user enters his credentials, just redirect them to actual google.com.

Most people don't look at domains in the url. You can actually probably register a domain like "freegooglewifi.com" or something.


How does this help if the evil portal is an entirely new destination for the victim?
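Worked example, added here and not taken from any of the comments above: a small Ruby model of a browser's HSTS store, run over the scenarios the thread argues about. It shows what HSTS does cover (a site the user has visited over HTTPS within `max-age`, its subdomains when `includeSubDomains` is set, and preloaded domains) and what it cannot cover (a domain the browser has never seen, a header received over plain HTTP, an expired policy). All hostnames, the preload entry and the timestamps are constructed for the illustration; the real preload list is the one at https://hstspreload.org/.

```ruby
# Minimal model of a browser's HSTS store (added illustration, not a real
# browser implementation). Hostnames below are constructed examples.
class HstsStore
  # preload: hostnames compiled into the browser; such entries always cover subdomains
  def initialize(preload = [])
    @preload = preload
    @entries = {} # host => { expires: Time, subdomains: true/false }
  end

  # Record a Strict-Transport-Security header from +host+. Browsers only honour
  # the header when it arrived over HTTPS, so a plain-HTTP response creates no policy.
  def observe(host, header, over_https: true, now: Time.now)
    return unless over_https
    max_age = nil
    subdomains = false
    header.split(';').each do |directive|
      name, value = directive.strip.split('=', 2)
      case name.to_s.downcase
      when 'max-age'           then max_age = Integer(value.to_s.delete('"'))
      when 'includesubdomains' then subdomains = true
      end
    end
    return if max_age.nil?
    if max_age.zero?
      @entries.delete(host) # max-age=0 tells the browser to forget the policy
    else
      @entries[host] = { expires: now + max_age, subdomains: subdomains }
    end
  end

  # Would an http:// URL for +host+ be rewritten to https:// before any packet
  # leaves the device? false means HSTS has no opinion about this host.
  def upgrade?(host, now: Time.now)
    ancestors(host).each_with_index do |domain, depth|
      return true if @preload.include?(domain)
      entry = @entries[domain]
      next if entry.nil? || entry[:expires] <= now
      return true if depth.zero? || entry[:subdomains]
    end
    false
  end

  private

  # "a.b.example.test" => ["a.b.example.test", "b.example.test", "example.test", "test"]
  def ancestors(host)
    parts = host.split('.')
    (0...parts.length).map { |i| parts[i..-1].join('.') }
  end
end

# Run the scenarios from the thread and return the browser's decision for each.
def captive_portal_scenarios
  t0 = Time.utc(2024, 1, 1, 0, 0, 0) # constructed "now"
  store = HstsStore.new(['preloaded-bank.test'])

  # The user visited the real site over HTTPS earlier and received the header.
  store.observe('example-bank.test', 'max-age=31536000; includeSubDomains', now: t0)
  # A header seen over plain HTTP (for instance on the captive network) is ignored.
  store.observe('ignored.test', 'max-age=31536000', over_https: false, now: t0)
  # A site visited an hour ago whose short policy has already lapsed.
  store.observe('stale.test', 'max-age=60', now: t0 - 3600)

  {
    # Known sites: an http:// link is upgraded before any request goes out.
    real_site:        store.upgrade?('example-bank.test', now: t0),
    real_subdomain:   store.upgrade?('login.example-bank.test', now: t0),
    preloaded_site:   store.upgrade?('www.preloaded-bank.test', now: t0),
    # A never-visited lookalike: HSTS has nothing to say, which is the gap the thread describes.
    lookalike_portal: store.upgrade?('example-bank-wifi.test', now: t0),
    http_only_header: store.upgrade?('ignored.test', now: t0),
    expired_policy:   store.upgrade?('stale.test', now: t0),
  }
end

if __FILE__ == $PROGRAM_NAME
  captive_portal_scenarios.each do |name, upgraded|
    puts "#{name}: #{upgraded ? 'upgraded to HTTPS' : 'no HSTS policy for this host'}"
  end
end
```

The `lookalike_portal` result is the point of the thread: a portal that serves its own, properly certificated domain never triggers an HSTS lookup for the site it imitates, so the lock icon and the absence of a certificate warning are both expected. The preload list closes the "never visited before" gap only for domains that are on it, and only for the genuine domain, not for lookalikes.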


Ruby is surprisingly picky with white space


Can you give an example? I can't think of a single situation where whitespace matters in Ruby (unless of course you forget to put a space between two commands or something silly).


It's not really a problem in practice (and I love Ruby), but it's still wild to me that they made the parser do this:

    $ irb
    irb(main):001:0> def foo(x=70) = x
    => :foo
    irb(main):002:0> i = 2
    => 2
    irb(main):003:0> foo / 5/i
    => 7
    irb(main):004:0> foo /5/i
    => /5/i


if foo is a method then

`foo + bar` and `foo+bar` are `foo()+bar`, but `foo +bar` is `foo(+bar)`

ternary ? : also has some interesting whitespace dependent mixups with symbols, but I cannot remember what. I think that parser has many gotchas like that, but they are really really rare to bite you, because ruby's magic follows human intuition as much as possible.
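The irb transcript and the `foo +bar` rule above, collected into one runnable script. This is an added example, not code posted by either commenter; `foo`, `bar` and `i` are the names from the comments, with `foo` written as a classic `def` so it runs on Ruby versions without endless method definitions.

```ruby
# Added illustration of Ruby's whitespace-sensitive parsing after a bare
# method name. `foo` takes an optional argument, so it can be called both as
# `foo` (binary operator follows) and as `foo(arg)` (a regex or unary arg follows).
def foo(x = 70)
  x
end

# Returns each expression's value so the parse can be inspected or asserted.
def whitespace_cases
  i = 2
  bar = 3
  {
    # Space on both sides of '/': binary division, (70 / 5) / 2
    'foo / 5/i' => (foo / 5/i),
    # Space before but not after '/': a regex literal argument, foo(/5/i)
    'foo /5/i'  => (foo /5/i),
    # Space on both sides, or none: binary plus, foo() + bar
    'foo + bar' => (foo + bar),
    'foo+bar'   => (foo+bar),
    # Space before but not after: unary plus/minus on bar, foo(+bar) / foo(-bar)
    'foo +bar'  => (foo +bar),
    'foo -bar'  => (foo -bar),
  }
end

if __FILE__ == $PROGRAM_NAME
  whitespace_cases.each { |src, value| puts "#{src.ljust(10)} => #{value.inspect}" }
end
```

Running the script with `ruby -w` also prints the parser's "ambiguous first argument" warnings for the `foo /5/i`, `foo +bar` and `foo -bar` lines, which is the cheapest way to catch this class of mistake in real code.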


still less annoying than Python's semantic whitespace


Yea but it’s still not a delimiter


Way to follow your instinct.

I ran into similar limitations for relatively simple tasks. For example I wanted access to the token usage metadata in the response. This seems like such an obvious use case. This wasn’t possible at the time, or it wasn’t well documented anyway.


I wish more devices offered a way to enable a “slow charge” mode.

When I’m plugging my laptop into my dock to work for the next 8 hours it doesn’t need fast charging.

When I’m plugging my phone in before bed to charge for the next 8 hours it doesn’t need fast charging.


On my laptop I have a script to set

    /sys/class/power_supply/BAT0/charge_control_end_threshold

I could imagine automating this to set the threshold to the current battery level, and incrementing the threshold by 1% every N minutes to control charge speed.

Right now I try to keep it at 50% max charge like this while plugged in at home.


> When I’m plugging my phone in before bed to charge for the next 8 hours it doesn’t need fast charging.

iPhones do this with "Optimised Battery Charging" turned on (which I believe is the default setting) - "allow iPhone to wait to finish charging past 80% until the time you need to use it" (which it learns over time.)


Android has something similar. A notification pops up when I plug in at night, letting me know that it's charging slowly because I usually leave it plugged in overnight, and that I can disable it (once or permanently) to switch to fast charging.


As others have mentioned, many phones do this in software, but I find the easiest solution is simply to use a charger incapable of fast charging.


It's harder to do with a usb-c charger and laptop because the spec requires higher voltages are made available with higher wattages, and manufacturers only make products to hit sweet spots in the specs and market.

You might end up with a readily available 65W charger to get the necessary 20V, even if you don't want 3A.

https://en.wikipedia.org/wiki/USB_hardware#USB_Power_Deliver...


I have 2 chargers near my bed, one has 3 amps, the other one has 1. I use one or the other depending on how fast I need it charged. Not the best solution, but it works.


I have a wireless charging cradle on my nightstand intentionally hooked to a slow charger. It works fine most of the time except on the rare occasion when the phone charge is low and I'm going somewhere in a couple of hours. It would be great if there was a charging cradle with a simple "fast/slow" charge switch.

Or even better, if phones had a built-in charge status UI that instead of just saying "NN% charged / TT minutes until full" had a slider controlling charge speed that showed a range of "time until full". That way users could intelligently choose the charge speed vs time based on context.


At least on Android it's possible to disable fast charging. It's in the battery settings on my phone.


Is this supposed to be funny?


It’s interesting to see the larger laptop have the smaller battery of the two.


That CPU on passmark is reported as a 45Watt TDP, I don't think that battery is enough for it to "last all day". Edit: maybe "day long" during winter.

https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-13700...


And smaller resolution on a larger display with a dedicated RTX 4060 graphics card.

It's like they're rebranding multiple different models of Clevo as a single product line or something.


Betting the HDMI port is connected to the NVIDIA GPU too. That might be great for gaming, but NVIDIA drivers are still a mess on modern Linux, especially if they have to render your desktop.


1.38% of $10B is a lot of money. I’m not saying they care though.

