The hotels I've stayed out with this functionality all had an Aruba Wireless system with a hospitality model AP on a 1-gang wall box somewhere near the floor or strapped to the back of the TV.
Aruba wireless (like many enterprise wireless vendors) has a mDNS proxying and filtering system which is essential for places like college campuses. Airplay and Miracast (infrastructure mode) both use mDNS for service discovery. In Aruba the system is called Airgroup. When seeing a new MAC address the wireless controllers queries the RADIUS server. The RADIUS server can return a configuration for that new MAC address which tells the controller what other devices can interact with this new device using mDNS.
I always assumed this vendor adds and removes Airgroup configuration to allow the phone and the TV to see mdns from each other while preventing this from other nearby devices on the same VLAN or SSID. This trick might be enough but also pushing a DACL to the wireless controller to properly packet filter all network traffic from unapproved devices would strengthen the solution.
The bugzilla tickets linked from that article frustrates me. They should autoplay Yakety Sax music as they dodge around fixing the real @#$@ing bug:
Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and Javascript alert() to the individual browser tab. No individual tab should every be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
This problem immediately goes away and you don't need to play rate limit wackamole games or do stupid things like have a dialog box that asks if you want to see another modal dialog box.
As someone who interacts with HTTP basic auth frequently Firefox's behavior here is maddening. Fix the bad UI.
This reminds me of one of my favorite historical audio clips. A few minutes before the 1965 Blackout in NYC the power frequency dipped as low as 51Hz (US is 60Hz). Playback equipment with motors setting speed based on the power frequency sllllooowwwweeeeddd down.
Tons of places outside of F500 are doing that. At work we just disabled IMAP for almost all O365 accounts and any other method of authentication that doesn't implement our two factor authentication. The rising number of compromised accounts because the user used the same password elsewhere, apparent bruteforce attacks, etal forced the issue.
Of course MDM is not required for any of this. Worst case is on Android you're forced to use Microsoft's Outlook app.
I'll give 4500 a whirl to see if it increases the success rate. It's a good idea. However it's not inconceivable to have sites like cafes that only allow 80/tcp and 443/tcp because that was an option in the UI on their wifi router for guest networks.
At this point if I was designing a VPN for client devices I'd have a mode that looked at as close to HTTPS as possible. There is one tool to tunnel over websocket but this was already sucking up too much of my play time. :)
Cisco AnyConnect, while expensive and bloated, works great as it initially connects on 443/tcp and then tries to setup UDP. If UDP fails it just sticks with the TCP connection and "just works".
I setup Wireguard and was pleased with the setup. Unfortunately I tried to use it over the next week only to quickly realize I should have kept my OpenVPN install instead.
Outbound port filtering is incredibly common on public and guest wifi networks and I found three use cases in my first week where OpenVPN on 443/tcp would have worked fine. The inability to use Wireguard over TCP and bypass most outbound port filtering by using tcp 443/etal makes it unusable in my daily life. I can understand why TCP isn't performant but my choice isn't performance vs non-performant. It's works somewhat vs GFY.
And yes I've seen the udp over tcp forwarding hacks. They don't work on iOS and some look outright dangerous (hello open proxy).
Hopefully this can be addressed before Wireguard hits 1.0.
"The company doesn't work directly with services such as Uber and Lyft, but a number of apps, such as Sherpashare (which is primarily used by ride-hailing drivers for services like Uber and Lyft), HopSkipDrive, eDriving and a variety of navigation apps use Zendrive's technology to monitor ride safety."
Hurray for malware. What other apps is this hiding in?
Aruba wireless (like many enterprise wireless vendors) has a mDNS proxying and filtering system which is essential for places like college campuses. Airplay and Miracast (infrastructure mode) both use mDNS for service discovery. In Aruba the system is called Airgroup. When seeing a new MAC address the wireless controllers queries the RADIUS server. The RADIUS server can return a configuration for that new MAC address which tells the controller what other devices can interact with this new device using mDNS.
I always assumed this vendor adds and removes Airgroup configuration to allow the phone and the TV to see mdns from each other while preventing this from other nearby devices on the same VLAN or SSID. This trick might be enough but also pushing a DACL to the wireless controller to properly packet filter all network traffic from unapproved devices would strengthen the solution.