[GRASE-Hotspot] Can portal be secure? https


Karotu Tannang

Mar 9, 2014, 4:43:34 PM
to GRASE Hotspot General Discussions
Hi,

Is it possible to make login secure with https?

Thanks.

Karotu

--
----------------------------------
Karotu Tannang
Nauoi IT Services
Behind BOK, Betio / PO Box 46, Bairiki
Tarawa, KIRIBATI
Mobile: +686 94038
Like Us on Facebook: http://www.facebook.com/nauoionline


Jed Gainer

Mar 9, 2014, 9:17:15 PM
to GRASE Hotspot General Discussions
It would need to be hosted on the Internet to use a valid SSL cert the user's browser would not reject.


_______________________________________________
Grase-hotspot mailing list
Grase-...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/grase-hotspot


Timothy White

Mar 10, 2014, 1:50:00 AM
to GRASE Hotspot

The login is already secured between browser and server if using JavaScript as it then does a CHAP login, so no plain text passwords on the wire.
SSL to the server requires a valid certificate and a public DNS name.

Tim


Drazen

Mar 10, 2014, 2:00:37 AM
to grase-...@lists.sourceforge.net
On 10.3.2014 2:17, Jed Gainer wrote:
> It would need to be hosted on the Internet to use a valid SSL cert the user's browser would not reject.

This is not quite correct.
Host position is not an issue. Basically, it is necessary to set Apache to use SSL, which is a well-described procedure on the net.
By doing this, a certificate will be created by the server. This certificate is unknown to anybody because it is self-signed.
It is possible that we tell the user to accept the certificate permanently and things will work.
The other way is to pay for an officially signed certificate and replace the self-signed one. However, it is not possible to get a signed certificate for private IP addresses or private DNS names, which is the case.
If I understood well, radius may not understand SSL encryption from some clients.

Seems Tim was quicker
Drazen


Karotu Tannang

Mar 10, 2014, 4:32:19 PM
to GRASE Hotspot General Discussions
Thanks Jed.
So is it possible to make a server with a public IP (with valid certs) but serve private IPs to clients? i.e. 10.1.0.x

My understanding: the host server has to be in the same subnet as the served IPs?

thanks

Karotu



Timothy White

Mar 10, 2014, 4:50:54 PM
to GRASE Hotspot

It is possible but not worth it.
People's logins are going over a local network already encrypted. Why add SSL? It's not going over a network you don't control and it's not in plain text.

Tim

Johnny Solbu

Mar 10, 2014, 6:32:07 PM
to grase-...@lists.sourceforge.net
On Monday 10. March 2014 21.50, Timothy White wrote:
> It's not going over a network you don't control

Yes it does. No one controls the air in which it flows. In a physical network one has to hook into a physical wire or a switch, while the air traffic can be sniffed and with the right tools (such as a really powerful computer) crack the encryption. Which is exactly why I don't like wireless networks, so I don't have one.

> and it's not in plain text.

Correct.

--
Johnny A. Solbu
web site, http://www.solbu.net
PGP key ID: 0xFA687324

Timothy White

Mar 10, 2014, 6:57:31 PM
to GRASE Hotspot General Discussions
On Tue, Mar 11, 2014 at 8:32 AM, Johnny Solbu <so...@solbu.net> wrote:
> On Monday 10. March 2014 21.50, Timothy White wrote:
> > It's not going over a network you don't control
>
> Yes it does. No one controls the air in which it flows. In a physical network one has to hook into a physical wire or a switch, while the air traffic can be sniffed and with the right tools (such as a really powerful computer) crack the encryption. Which is exactly why I don't like wireless networks, so I don't have one.

True. However you do control the hardware, and you control the nodes between the client and the Grase server. So in theory, the chance of any kind of attack is much less. A MITM attack is also next to impossible as we use CHAP authentication.

Tim

Karotu Tannang

Mar 10, 2014, 7:49:18 PM
to GRASE Hotspot General Discussions
Thank you Tim. Good to know all is safe and secure. So no need for https then.

Many thanks Tim and the rest who have contributed.

Sebastian Schneider

Mar 29, 2016, 6:26:42 AM
to Grase Hotspot, grase-...@lists.sourceforge.net
Hi Karotu, hi Tim,

with the risk of annoying everyone, I tried to enable SSL yesterday, as I did before with coova. The CHAP mechanism FAILS when SSL is enabled. In any case, that shouldn't be the normal, right?
I do have a valid CA signed Certificate (startssl, soon letsencrypt) and my grasehotspot is resolving my address via a local hosts entry. So internally (connected via hotspot) it's resolving to my controller, public (not connected via my controller) it's resolving to my website.

So apache and everything is running fine, no warnings, no nothing. But I have to use the "non-secure" variant of the captive portal (non JS version, non CHAP version) to login successfully, when using HTTPS.
I had a look in the ChilliLibrary.js but without any luck.

Any ideas from your side?

Best

Sebastian

Timothy White

Mar 29, 2016, 7:05:34 AM
to Grase Hotspot
Hi Sebastian

Off the top of my head, I'm not sure what the problem is. Try using the browser developer tools to see any error messages you can see.

Feel free to open an issue for it and when I get a chance I'll have a poke as well.

Regards

Tim

--
This mailing list is for the Grase Hotspot Project http://grasehotspot.org

Sebastian Schneider

Mar 30, 2016, 10:18:07 AM
to Grase Hotspot
Hi Tim,
thanks for that idea. It was obvious but I didn't think about it.
The problem was mixed content, so http traffic in an https session.
jqchilli.js call:
var urlRoot = 'http://' + chilliController.host + ':' + chilliController.port + '/json/'; // TODO make this dynamic
in line 38.
In lines 22 and 23 I changed the host var to my DNS hostname (fitting to the cert) and changed the port to 4990.
In my /etc/chilli/config I added:
HS_UAMUISSL=on
HS_REDIRSSL=on
HS_SSLKEYFILE=/path/to/private_key
HS_SSLCERTFILE=/path/to/cert

The hosts file of the Controller resolves the CN Name of the cert to 10.1.0.1

Now I have SSL enabled, without any errors.

Regards

Se
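
The mixed-content failure described in the message above, as an added example that is not part of the original post or of jqchilli.js: it derives the JSON interface root from the scheme of the page instead of hardcoding `http://`. The function names, the `sslHost` field, the placeholder name hotspot.example.org and port 3990 are assumptions; only port 4990 and 10.1.0.1 come from the thread.

```javascript
// Added example: hypothetical helpers, not code from jqchilli.js or GRASE.
// Ports are assumptions: 4990 is the SSL port used in the post above,
// 3990 is assumed here for the plain-HTTP JSON interface.
const DEFAULT_PORTS = { 'http:': 3990, 'https:': 4990 };

// Build the JSON interface root so its scheme always matches the page's.
function chilliJsonRoot(pageUrl, controller) {
  const scheme = new URL(pageUrl).protocol;
  const port = DEFAULT_PORTS[scheme];
  if (!port) throw new Error('unsupported page scheme: ' + scheme);
  // Over HTTPS the host must be the DNS name on the certificate; a bare IP
  // such as 10.1.0.1 would not match the certificate's name.
  const host = scheme === 'https:' ? controller.sslHost : controller.host;
  if (!host) {
    // Do not fall back to http:// from an https:// page: the browser blocks
    // that request as mixed content, which is how the JS login broke.
    throw new Error('no controller host configured for ' + scheme);
  }
  return scheme + '//' + host + ':' + port + '/json/';
}

// True when an https:// page would issue a request to a non-https:// URL.
function isMixedContent(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' &&
         new URL(requestUrl).protocol !== 'https:';
}

// Constructed sample values; hotspot.example.org is a placeholder name.
const sampleController = { host: '10.1.0.1', sslHost: 'hotspot.example.org' };
const samplePage = 'https://hotspot.example.org/portal';
// The hardcoded pattern from jqchilli.js line 38, as quoted in the post.
const hardcodedRoot = 'http://' + sampleController.host + ':3990/json/';

console.log(isMixedContent(samplePage, hardcodedRoot));
console.log(chilliJsonRoot(samplePage, sampleController));
console.log(isMixedContent(samplePage, chilliJsonRoot(samplePage, sampleController)));
```
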

Timothy White

Mar 30, 2016, 4:25:02 PM
to Grase Hotspot
That's great news Sebastian!

Can you do a short writeup on the Wiki for that? https://github.com/GraseHotspot/grase-www-portal/wiki

Regards

Tim

Henry Terkura Swende

Mar 30, 2016, 4:51:03 PM
to grase-...@grasehotspot.org

I'm kinda confused here guys, kindly help me out. Why would I need SSL when the portal is already secured? I mean, what's the advantage of using SSL instead of the JavaScript enabled security in grase?

Sebastian Schneider

Apr 1, 2016, 11:32:28 AM
to Grase Hotspot
Hi Henry,

SSL in combination with HTTP is (going to be) the standard for Web.
In our case I think it is a good idea to enable a secure way to log into the portal for everyone.
If anyone is facing a problem with javascript, they are forced to use the non-js version of the captive portal. In that case a Man-in-the-Middle attack is trivial and credentials of YOUR wireless network can get in the wrong hands. It's not necessarily just the user's problem but yours.
Another point is: Many people use noscript or similar programs to block javascript. And I fully understand their decision.
For exactly these cases we can make sure that the authentication on our captive portal is safe.

Using an unencrypted wireless network is insecure for the user anyway. But at least I want to try everything possible to keep me and my network safe and unwanted people out of my net.

Even there are other methods to get into an unencrypted network...

Best Sebastian

Henry Terkura Swende

Apr 1, 2016, 2:11:43 PM
to grase-...@grasehotspot.org

Wow! Thanks Sebastian Schneider, I guess I better look into enabling SSL on grase too... digging up your tutorial! Thanks.

Deepak Kaushik

Jan 23, 2023, 4:25:42 AM
to Grase Hotspot, henry...@gmail.com
Hi Tim,

I am also trying to move uam to ssl but it is not working correctly. Is there any process or steps that we can follow to move uam to https, as the new iOS version will only allow opening https pages?
