Hello,
OpenDNS by default blocks websites that are used for phishing and optionally
other sites as configured by the deployer. It does this by DNS poisoning: it
responds with a forged A or AAAA response that redirects to their server. An
example website blocked by OpenDNS in this manner is 
https://internetbadguys.com/.

When OpenDNS blocks a website that is served by HTTPS, the user is presented
with a "Certificate Error" message. To see what happened, she then has to accept
the incorrect certificate or visit the plain HTTP version of the webpage. This
creates some problems: aside from a bad user experience, it makes users
accustomed to ignoring certificate errors.

Another problem is created by captive portals: networks that use "a web page
which is displayed to newly connected users before they are granted broader
access to network resources." (Wikipedia).

This could be solved by specifying two new values of AlertDescription:
access_administratively_disabled and captive_portal as well as a new field to
struct Alert: alert_message.

Let alert_message be a fixed-length UTF-8-encoded string. It would be only valid
for
        (description == access_administratively_disabled
        ||
        description == captive_portal)
and otherwise a client would HAVE TO ignore it. It would be plain-text for
simplicity, shortness and security. It would be null-terminated and then
randomly padded to a size of perhaps 100 bytes. A TLS client would HAVE TO
filter the message for any odd characters, invalid UTF-8 sequences, etc. as will
be specified in the standard.

Greetings,
Mateusz Jończyk
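As an added illustration (my own code, not from the post or from any TLS implementation), here is a Python sketch of the proposed alert_message field. The AlertDescription numbers are placeholders, since the post assigns none; the 100-byte size is the post's own suggestion; the parser applies the client-side rules the post calls for (ignore the field for any other description, reject invalid UTF-8, drop odd characters).

```python
import os
import unicodedata

# Placeholder code points for the two proposed AlertDescription values; the
# post assigns none and nothing is registered, so these are assumptions.
ACCESS_ADMINISTRATIVELY_DISABLED = 250
CAPTIVE_PORTAL = 251
ALERT_MESSAGE_LEN = 100  # "perhaps 100 bytes" per the post


def encode_alert_message(text: str) -> bytes:
    """Fixed-length field: UTF-8, NUL-terminated, then random padding."""
    if "\x00" in text:
        raise ValueError("NUL is the terminator and cannot appear in the text")
    body = text.encode("utf-8") + b"\x00"
    if len(body) > ALERT_MESSAGE_LEN:
        raise ValueError("message does not fit in the fixed-length field")
    return body + os.urandom(ALERT_MESSAGE_LEN - len(body))


def build_alert(level: int, description: int, text: str) -> bytes:
    """struct Alert { level, description, alert_message } as wire bytes."""
    return bytes([level, description]) + encode_alert_message(text)


def sanitize_message(raw: bytes) -> str:
    """Client-side filtering: invalid UTF-8 is rejected outright (empty
    result); control and format characters (Unicode category C*) are dropped."""
    try:
        text = raw.decode("utf-8")  # strict: any bad sequence raises
    except UnicodeDecodeError:
        return ""
    return "".join(ch for ch in text
                   if not unicodedata.category(ch).startswith("C"))


def parse_alert(record: bytes):
    """Return (level, description, message). message is None for every
    description other than the two proposed ones, i.e. the field is ignored."""
    if len(record) != 2 + ALERT_MESSAGE_LEN:
        raise ValueError("bad Alert length")
    level, description = record[0], record[1]
    if description not in (ACCESS_ADMINISTRATIVELY_DISABLED, CAPTIVE_PORTAL):
        return level, description, None
    raw = record[2:].split(b"\x00", 1)[0]  # bytes after the NUL are padding
    return level, description, sanitize_message(raw)
```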

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls