vanitycollectio (New Poster, 10 Messages)

Monday, December 4th, 2023 2:52 PM

Closed

Xfinity Blocks all User accounts when on cruise ship - Asks to constantly reset password

When traveling on a cruise ship I am unable to get any of my Comcast emails. Xfinity blocks my user and password because they don't trust the cruise ship IP. This is unworkable for me. I have 8 email accounts and all of my AT&T accounts work just fine. It's only the Comcast ones that are having a security issue. When I am at home this computer with the exact same passwords works just fine (because they trust my wi-fi modem). It's only on the road that Xfinity BLOCKS all of my accounts. They want new passwords set and then new passwords again, and hours and hours of talking to someone (who barely speaks English) in the Philippines [Edited: "Inflammatory"] - just assumes it's the customers [Edited: "Inflammatory"] They are using constant AI and they shouldn't be in business if they can't fix their problems. [Edited: "Inflammatory"]

Xfinity expert - what is the solution?

Official Employee (1.2K Messages), 1 year ago

Good Morning, @vanitycollectio! Thank you so much for reaching out to us today; it's certainly not the experience we want for our customers. Typically, there should not be an issue with accessing the account, but on public access points there is a higher risk, so how it is accessed might be the cause of the issues. We would like to dig into further troubleshooting. Can you please send us a DM?

Will you please send our team a direct message with your full name and full address?
~~~~
To send a "Direct Message" message:
• Click "Sign In" if necessary
• Click the "Direct Message" icon
• Click the "New message" (pencil and paper) icon
• Type "Xfinity Support" in the "To:" line and select "Xfinity Support" from the drop-down list which appears. The "Xfinity Support" graphic replaces the "To:" line
• Type your message in the text area near the bottom of the window
• Press Enter to send it

New Poster (10 Messages), 1 year ago

I almost forgot to mention this. I called Xfinity after my last vacation was basically ruined by Xfinity and their inability to acknowledge the problem or to find a fix. Just constantly telling me to keep resetting passwords on 8 email accounts across multiple devices. This is insanity. So I called them and complained and was seriously contemplating going to AT&T, and guess what they did - They offered to compensate me! They gave me $100 for my trouble. Which didn't begin to compensate me. I'm tired of being punished and treated like scum and a criminal while they take $200 a month for the privilege. I thought it was a good idea to post this problem because how many other people are banging their head against the wall and thinking they are going crazy?

New Poster (10 Messages), 1 year ago

Waiting... Xfinity chatting... waiting for Xfinity to acknowledge and find a solution... lots of back & forth but no solutions. Feels like the same thing as hours on the phone with Xfinity security. Probably talking to the Philippines.

New Poster (10 Messages), 1 year ago

So we are waiting on the Customer Security Assurance Team (yeah more security) pathetic to find a solution to the problem. I know - you can't go to the problem and expect them to come up with a solution. But I will post it here so that maybe others will benefit from my misfortune.

New Poster (10 Messages), 1 year ago

Xfinity support told me that they don't trust any wi-fi out there in the world that isn't your home wi-fi. Ok, so no Starbucks, no restaurants, no McDonalds, no cruise ships, no public library, no government building. So what they mean is they will not give you access or service your account unless you are sitting at home. That is the only security they trust. Pa - leeease. They are just taking your money and not delivering what you paid for. Why? Not because they are worried about your security - nooo, they are worried that THEY might have some liability. Well Xfinity, you know what - if you are this worried about liability you should get out of the INTERNET business.

(edited)

Problem Solver (1.5K Messages)

@vanitycollectio Yeah. That's not a factually accurate answer from support. Not sure where that came from, but you can get a lot of goofy answers from "support" these days from a lot of places.

Where you can run into a problem is if the network you are connected to is running a proxy server. Folks do that to save bandwidth by caching images/content. You can also run one for nefarious purposes, stealing information from people who connect to a network. Legit companies also run them in their building for security reasons, to block various places on the web (Facebook/Twitter, personal email) so you don't contaminate them, or to spy on employees with an insane HR.

Travel often? Cruise ship? Hotel chain? Captive portal authentication to gain access might give you a heads up on that. Someone is managing the network. It's pretty common. Bars, restaurants? Usually not. Nobody is doing IT work at those usually and a proxy would be odd. Could happen though.

First thing you want to do when you connect to an untrusted network is go to a site you know. Now click on the lock icon in your browser and take a look at the certificate. Who did it come from? The domain of the site you contacted listed on it, or did you get a generic cert from the network you connected to? If it's the network, then you've got a "man-in-the-middle" who can see your data. That's super sketch. Check your mail, and someone else can read it too. Maybe they did you a favor. Let's talk to a mail server directly:

# openssl s_client -connect imap.comcast.net:993 -crlf 

What do we see? The certificate info comes up first. Who am I talking to? Yep, imap.comcast.net. This is an abbreviated conversation:

CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
.......
depth=0 C = US, ST = Pennsylvania, O = Comcast Corporation, CN = imap.email.comcast.net
verify return:1
---
Certificate chain......

Server certificate
-----BEGIN CERTIFICATE-----
MIIH4TCCBsmgAwIBAgIRAOmBBWxiE6qfs17vx5xaqW4wDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgN,,,,,,,,

The important bits of the authentication are next. In this case, I agreed with Xfinity that TLSv1.2 and that cipher were secure enough for us to continue the conversation. I would have preferred TLSv1.3, and maybe a different cipher, but this works. A mail server session starts. The server also tells me what type of authentication I can try. Your email client will do this too, and then you are ready to exchange a password and get your mail.

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=OAUTHBEARER AUTH=XOAUTH2] Dovecot ready.

What can happen with a proxy is they're using outdated libraries or can't agree on the cipher. Then this conversation is over and we get an auth fail. It just didn't work out. That might be what happened on your boat. We can't check because we're not on their network, but that's how you would poke at it to look at the auth issue.

How can you do this in a more secure way, even if running on a hotel proxy? Depends on how good their IT is, and how sneaky you want to be. For travel, run your own VPN server, but be evil about it. Put it on port 443 or 80. It's a sysadmin nightmare because they don't block connections on 443 or 80 usually. Now you can have an active connection to your house, and if you are smart about it, you've hijacked the default gateway in the server-side config so all traffic from the connected device is routed through the VPN tunnel when it's active. It's encrypted before the data is sent too. If you can't connect, you're blocked. You are being intercepted. They already thought about that. Usually, you can sneak around 'em.

Try WireGuard or OpenVPN. They're active projects, open source, and free. So are the clients. Going to be slow on a boat in the middle of the ocean? Yep, but you're not leaking data. Flip on your VPN connection anytime you are connected to a public WiFi. You never know who is creeping on your data.

(edited)

Official Employee (194 Messages)

@vanitycollectio

I sent you a direct message a moment ago. When you have a moment, can you take a look and reply?

To look at DMs, click on the little note icon way up at the top right-ish.

thanks,

XfinityDaveL

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please mark a reply as the Accepted Answer.

Expert (24.6K Messages), 1 year ago

What the original post points out is that the connection using TLS 1.2 or 1.3 is ending the connection since it is not secure end to end. Use a VPN so the traffic is, in fact, secure and in the USA before going on the internet backbone.

Problem Solver (1.5K Messages)

@Rustyben Not just anyone's VPN, or a VPN service you buy from some provider. Then you've got the same problem. You've got a man-in-the-middle that may be intercepting your data. A lot of people don't understand that, and will flip on a VPN to some cloud company, and plug in credit card numbers thinking they are "secure". That's not the case.

Run your OWN VPN server.  Then you know where your data is going.

*On another interesting note, the Comcast server can't do TLSv1.3, which is odd. They went through the trouble to discontinue TLSv1.1 and older. Might as well allow TLSv1.3 as long as you're in the config file on a Dovecot server. That's just adding an allowed protocol on the same line where you removed the other one. AT&T uses either 1.2 or 1.3.

# openssl s_client -connect imap.comcast.net:993 -crlf -tls1_2

    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

# openssl s_client -connect imap.comcast.net:993 -crlf -tls1_3

New, (NONE), Cipher is (NONE)

That would have been an auth fail.

# openssl s_client  -connect imap.mail.att.net:993 -crlf

    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

We can't tell if it was the TLS version or the cipher library on the cruise ship, or perhaps even the cert authority library was dated. You'd have to poke at it on their network.

If you do start suddenly seeing auth failures with a client, when it previously worked on your cell network a minute ago, and you just connected to a random WiFi network, that's a heads up something weird is going on. I wouldn't have a whole lot of trust in that network.

(edited)
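The two Problem Solver posts above walk through reading an openssl s_client transcript by eye: who the depth=0 certificate belongs to, which protocol and cipher were agreed, whether the handshake produced "(NONE)", and which AUTH= methods the IMAP greeting offers. As an added example (not from the thread or from Comcast), here is a small Python checker that pulls those same facts out of a transcript and flags the three failure modes discussed: no agreed cipher, a certificate that did not verify, and a leaf certificate issued for some other name than the host you dialled. The three transcripts are constructed and abbreviated; `probe_imap` is a live equivalent using Python's ssl module and needs network access.

```python
import re
import socket
import ssl

# Constructed transcripts, abbreviated in the style of the ones quoted in the thread.
GOOD = """CONNECTED(00000003)
depth=0 C = US, O = Comcast Corporation, CN = imap.email.comcast.net
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2] Dovecot ready.
"""
# Constructed: an interposed proxy presented its own certificate instead of the server's.
INTERCEPTED = """CONNECTED(00000003)
depth=0 CN = wifi-gateway.example.invalid
verify error:num=18:self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
"""
# Constructed: no handshake at all, as with -tls1_3 against a server that stops at 1.2.
FAILED = "CONNECTED(00000003)\nNew, (NONE), Cipher is (NONE)\n"

def parse_s_client(transcript, expected_host):
    """Pull out who we talked to, how, and any red flags from an s_client transcript."""
    leaf = re.search(r"^depth=0 .*?CN = ([^,\n]+)", transcript, re.M)
    hello = re.search(r"^New, ([^,]+), Cipher is (\S+)", transcript, re.M)
    caps = re.search(r"\[CAPABILITY ([^\]]+)\]", transcript)
    r = {"leaf_cn": leaf.group(1).strip() if leaf else None,
         "protocol": hello.group(1) if hello else None,
         "cipher": hello.group(2) if hello else None,
         "verify_errors": re.findall(r"^verify error:(.*)$", transcript, re.M),
         "auth": [c[5:] for c in (caps.group(1).split() if caps else []) if c.startswith("AUTH=")],
         "flags": []}
    if r["cipher"] in (None, "(NONE)"):
        r["flags"].append("handshake failed: no protocol or cipher agreed (client shows an auth failure)")
    if r["verify_errors"]:
        r["flags"].append("certificate did not verify: " + "; ".join(r["verify_errors"]))
    # Coarse check: the leaf CN should at least sit in the domain we dialled; real clients match SANs.
    domain = ".".join(expected_host.split(".")[-2:])
    if r["leaf_cn"] and r["leaf_cn"] != expected_host and not r["leaf_cn"].endswith("." + domain):
        r["flags"].append(f"leaf certificate is for {r['leaf_cn']}, not {expected_host}: possible interception")
    return r

def probe_imap(host, port=993, timeout=10):
    """Live check with Python's ssl module (needs network); the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert()["subject"],
                    "greeting": tls.recv(1024).decode(errors="replace")}
```

On a network you suspect, feed the real output of `openssl s_client -connect imap.comcast.net:993 -crlf` to `parse_s_client` and compare the flags with what you get on your home or cell connection.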
