2019-04-06 11:06:15 +00:00
|
|
|
---
|
|
|
|
layout: post
|
|
|
|
title: "On captive portals"
|
|
|
|
date: 2019-04-05
|
|
|
|
comments: true
|
|
|
|
tags: firefox, privacy
|
|
|
|
---
|
|
|
|
|
|
|
|
Following is a rant, feel free to just skip it. You've been warned.
|
|
|
|
|
|
|
|
Captive portals are bad! For the unitiated, they are the annoying
|
|
|
|
websites you have to click through on public hotspots, Demanding an
|
|
|
|
arm, leg or just your email address.
|
|
|
|
|
2019-05-12 10:34:33 +00:00
|
|
|
Most of them work by hijacking HTTP pages[^1], for any http pages
|
2019-04-06 11:06:15 +00:00
|
|
|
visted before _"authenticated"_, one would get a temporary redirect to
|
|
|
|
the captive portal url. But most of the popular websites deploy HSTS,
|
|
|
|
which would [instruct the clients to never even hit HTTP
|
|
|
|
version](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) of their
|
|
|
|
server. Try asking firefox to goto http://google.com - it would force
|
2019-05-12 10:34:33 +00:00
|
|
|
rewrite it to https before sending even a peep out.[^2]
|
2019-04-06 11:06:15 +00:00
|
|
|
|
|
|
|
So in an alternate life you'd be staring at your browser waiting for
|
|
|
|
google.com that never loads. Browsers and OSes workaround this problem
|
|
|
|
by detecting captive portals - Firefox does this by trying to fetch
|
|
|
|
`http://detectportal.firefox.com/sucess.txt`, and if it doesn't come
|
|
|
|
back assume the browser to be behind a portal.
|
|
|
|
|
|
|
|
Firefox keeps making this requests periodically, and its kinda
|
|
|
|
annoying to me because its the networking version of "lit like a
|
|
|
|
christmas tree".
|
|
|
|
|
|
|
|
![Firefox portal requests](/images/ff_portal.png)
|
|
|
|
|
|
|
|
One could turn off firefox's behavior by toggling
|
|
|
|
`network.captive-portal-service.enabled` in `about:config`. But then
|
|
|
|
you are responsible for manually going to an HTTP-only url after
|
|
|
|
connected to a public hotspot. The same firefox url should be
|
2019-05-12 10:34:33 +00:00
|
|
|
fine.[^3]
|
2019-04-06 11:06:15 +00:00
|
|
|
|
|
|
|
I understand that there are "legal" requirements to setup captive
|
|
|
|
portals (or other reasons?, enlighten me). But after you
|
|
|
|
"authenticate" most systems grant you access by your MAC and/or
|
|
|
|
IP. Both of which someone motivated can easily sniff and spoof.
|
|
|
|
|
|
|
|
So yeah, I think captive portals are BAD.
|
|
|
|
|
2019-05-12 10:34:33 +00:00
|
|
|
|
|
|
|
[^1]: There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular.
|
|
|
|
[^2]: This could also be because firefox is caching `301` redirects it has seen before.
|
2019-08-03 22:01:58 +00:00
|
|
|
[^3]: I run a similiar URL at <http://nossl.dbalan.in>, but you should trust mozilla one than my tiny server.
|