
CaptivePortal gateways such as NoCatAuth are great ways for community networks to provision free wireless AccessPoints. However, as a commercial authentication system they have some weaknesses. I won't elaborate too much here, but since DNS is typically required in order to seamlessly capture the client's request, you can do IP over DNS tunnels. -- AdamShand

Further, if the gateway allows ICMP, there are more problems:

There are of course fixes for all of these problems; the most obvious is to not allow ICMP traffic to pass until the customer is authenticated. For DNS it's a little harder but I'm sure someone can think of something :-)

Two common ideas, authorising DNS only to the known DNS servers handed out by DHCP or installing a local caching-only nameserver, both won't work, because these DNS servers will happily forward the DNS requests to the target nameserver.
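
Since the permitted resolvers forward whatever they are asked, one place left to look is the query log of the resolver that unauthenticated clients are allowed to use. The following is an added example, not part of the original wiki page: it flags clients that send many distinct, long subdomains under a single parent domain. The log format, the thresholds and the two-label "parent domain" rule are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, one query per line: "<client_ip> <qtype> <qname>".
SAMPLE_LOG = (
    ["10.0.0.21 A www.example.org", "10.0.0.21 AAAA www.example.org",
     "10.0.0.21 A portal.example.net"]
    # Busy but benign client: many distinct, short names under one domain.
    + [f"10.0.0.22 A img{i}.cdn.example.com" for i in range(25)]
    # Tunnel-like client: every query is a new 40-character label.
    + [f"10.0.0.37 TXT {i:04d}mzxw6ytboi4tqmjqgaydamrqgezdgnbvgy3t.t.tunnel-test.example"
       for i in range(40)]
)

def base_domain(qname, labels=2):
    """Naive parent domain: the last `labels` labels (assumption; a real
    deployment would consult the Public Suffix List instead)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def suspicious_clients(lines, min_unique=20, min_avg_len=30):
    """Return {(client, parent): (distinct_subdomains, avg_subdomain_len)}
    for pairs that meet both thresholds."""
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = fields
        name = qname.rstrip(".").lower()
        base = base_domain(name)
        sub = name[: -len(base)].rstrip(".")
        if sub:  # ignore queries for the parent domain itself
            seen[(client, base)].add(sub)
    flagged = {}
    for key, subs in seen.items():
        avg = sum(len(s) for s in subs) / len(subs)
        # Both conditions are required, so a client that only has many
        # short names (the CDN case above) is not flagged.
        if len(subs) >= min_unique and avg >= min_avg_len:
            flagged[key] = (len(subs), round(avg, 1))
    return flagged

if __name__ == "__main__":
    for (client, parent), (count, avg) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {count} distinct names, avg length {avg}")
```

The gateway can use the flagged client addresses to rate-limit or drop DNS for that client until it authenticates.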


CaptivePortalInsecurities (last edited 2007-11-23 18:02:10 by localhost)