blogng/blog/2019-04-05-on-captive-portals.markdown

---
layout: post
title: "On captive portals"
date: 2019-04-05
comments: true
tags: firefox, privacy
---

Following is a rant, feel free to just skip it. You've been warned.

Captive portals are bad! For the unitiated, they are the annoying
websites you have to click through on public hotspots, Demanding an
arm, leg or just your email address.

Most of them work by hijacking HTTP pages[^1], for any http pages
visted before _"authenticated"_, one would get a temporary redirect to
the captive portal url. But most of the popular websites deploy HSTS,
which would [instruct the clients to never even hit HTTP
version](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) of their
server. Try asking firefox to goto http://google.com - it would force
rewrite it to https before sending even a peep out.[^2]

So in an alternate life you'd be staring at your browser waiting for
google.com that never loads. Browsers and OSes workaround this problem
by detecting captive portals - Firefox does this by trying to fetch
`http://detectportal.firefox.com/sucess.txt`, and if it doesn't come
back assume the browser to be behind a portal.

Firefox keeps making this requests periodically, and its kinda
annoying to me because its the networking version of "lit like a
christmas tree".

![Firefox portal requests](/images/ff_portal.png)

One could turn off firefox's behavior by toggling
`network.captive-portal-service.enabled` in `about:config`. But then
you are responsible for manually going to an HTTP-only url after
connected to a public hotspot. The same firefox url should be
fine.[^3]

I understand that there are "legal" requirements to setup captive
portals (or other reasons?, enlighten me). But after you
"authenticate" most systems grant you access by your MAC and/or
IP. Both of which someone motivated can easily sniff and spoof.

So yeah, I think captive portals are BAD.


[^1]: There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular.
[^2]: This could also be because firefox is caching `301` redirects it has seen before.
[^3]: I run a similiar URL at <http://nossl.dbalan.in>, but you should trust mozilla one than my tiny server.
Drafts for captive portal 2019-04-06 11:06:15 +00:00			`---`
			`layout: post`
			`title: "On captive portals"`
			`date: 2019-04-05`
			`comments: true`
			`tags: firefox, privacy`
			`---`

			`Following is a rant, feel free to just skip it. You've been warned.`

			`Captive portals are bad! For the unitiated, they are the annoying`
			`websites you have to click through on public hotspots, Demanding an`
			`arm, leg or just your email address.`

Fix footnotes 2019-05-12 10:34:33 +00:00			`Most of them work by hijacking HTTP pages[^1], for any http pages`
Drafts for captive portal 2019-04-06 11:06:15 +00:00			`visted before _"authenticated"_, one would get a temporary redirect to`
			`the captive portal url. But most of the popular websites deploy HSTS,`
			`which would [instruct the clients to never even hit HTTP`
			`version](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) of their`
			`server. Try asking firefox to goto http://google.com - it would force`
Fix footnotes 2019-05-12 10:34:33 +00:00			`rewrite it to https before sending even a peep out.[^2]`
Drafts for captive portal 2019-04-06 11:06:15 +00:00
			`So in an alternate life you'd be staring at your browser waiting for`
			`google.com that never loads. Browsers and OSes workaround this problem`
			`by detecting captive portals - Firefox does this by trying to fetch`
			`http://detectportal.firefox.com/sucess.txt`, and if it doesn't come
			`back assume the browser to be behind a portal.`

			`Firefox keeps making this requests periodically, and its kinda`
			`annoying to me because its the networking version of "lit like a`
			`christmas tree".`

			`![Firefox portal requests](/images/ff_portal.png)`

			`One could turn off firefox's behavior by toggling`
			`network.captive-portal-service.enabled` in `about:config`. But then
			`you are responsible for manually going to an HTTP-only url after`
			`connected to a public hotspot. The same firefox url should be`
Fix footnotes 2019-05-12 10:34:33 +00:00			`fine.[^3]`
Drafts for captive portal 2019-04-06 11:06:15 +00:00
			`I understand that there are "legal" requirements to setup captive`
			`portals (or other reasons?, enlighten me). But after you`
			`"authenticate" most systems grant you access by your MAC and/or`
			`IP. Both of which someone motivated can easily sniff and spoof.`

			`So yeah, I think captive portals are BAD.`

Fix footnotes 2019-05-12 10:34:33 +00:00
			`[^1]: There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular.`
			[^2]: This could also be because firefox is caching `301` redirects it has seen before.
Use a Link! 2019-08-03 22:01:58 +00:00			`[^3]: I run a similiar URL at <http://nossl.dbalan.in>, but you should trust mozilla one than my tiny server.`