Breaking the internet (hotels, guestnet style)

Leo Bicknell bicknell at
Tue Dec 8 09:40:22 CST 2009

In a message written on Wed, Dec 09, 2009 at 01:52:49AM +1100, Mark Andrews wrote:
> >  What if I want to just use ssh?
> You still need to authenticate.  It's better if we can reduce the
> amount of collateral damage required to authenticate.  The interception
> is being done today because there is no standard way to say "go here to
> authenticate" and the hotspot provider has to do a man in the middle
> attack to get you to the authentication page.

Most of the hotels I have used don't actually require authentication.
They require a click through indemnification agreement.  No username,
no password, no room number, just a "click here to accept our terms
and conditions".

I would much prefer this be added to the check-in process.  I already
have to sign a contract with the hotel to check in, it should cover use
of the WiFi as well.  Then there is no need for a click through

If there is need for authentication at that point (I am the one who
signed the front desk agreement) then using 802.1x authentication would
be the right answer.  If I could do it with an OpenID, or other "public"
account by providing the account name when I sign the paper at the front
desk then I could have all of my devices always on, in a standard way,
and never see these stupid pages.

Imagine, you make a reservation online for a hotel, you use an ID
which is the same as your e-mail so it auto-populates on the online
form.  When you check in you sign the T&C's, and your devices
authenticate with 802.1x, which you just leave configured, since
you're always using the same ID.

No more MITM, all standards based.

       Leo Bicknell - bicknell at - CCIE 3440
        PGP keys at

More information about the NANOG mailing list