In a message written on Wed, Dec 09, 2009 at 01:52:49AM +1100, Mark Andrews wrote:
What if I want to just use ssh?
You still need to authenticate. It's better if we can reduce the amount of collateral damage required to authenticate. The interception is being done today because there is no standard way to say "go here to authenticate" and the hotspot provider has to do a man in the middle attack to get you to the authentication page.
Most of the hotels I have used don't actually require authentication. They require a click through indemnification agreement. No username, no password, no room number, just a "click here to accept our terms and conditions".

I would much prefer this be added to the check-in process. I already have to sign a contract with the hotel to check in, it should cover use of the WiFi as well. Then there is no need for a click through agreement. If there is need for authentication at that point (I am the one who signed the front desk agreement) then using 802.1x authentication would be the right answer.

If I could do it with an OpenID, or other "public" account by providing the account name when I sign the paper at the front desk then I could have all of my devices always on, in a standard way, and never see these stupid pages.

Imagine, you make a reservation online for a hotel, you use an ID which is the same as your e-mail so it auto-populates on the online form. When you check in you sign the T&C's, and your devices authenticate with 802.1x, which you just leave configured, since you're always using the same ID. No more MITM, all standards based.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/