Drafts for captive portal
This commit is contained in:
parent
c944882a01
commit
26fd43c6a0
51
blog/2019-04-05-on-captive-portals.markdown
Normal file
51
blog/2019-04-05-on-captive-portals.markdown
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
layout: post
|
||||||
|
title: "On captive portals"
|
||||||
|
date: 2019-04-05
|
||||||
|
comments: true
|
||||||
|
tags: firefox, privacy
|
||||||
|
---
|
||||||
|
|
||||||
|
Following is a rant, feel free to just skip it. You've been warned.
|
||||||
|
|
||||||
|
Captive portals are bad! For the unitiated, they are the annoying
|
||||||
|
websites you have to click through on public hotspots, Demanding an
|
||||||
|
arm, leg or just your email address.
|
||||||
|
|
||||||
|
Most of them work by hijacking HTTP pages[1], for any http pages
|
||||||
|
visted before _"authenticated"_, one would get a temporary redirect to
|
||||||
|
the captive portal url. But most of the popular websites deploy HSTS,
|
||||||
|
which would [instruct the clients to never even hit HTTP
|
||||||
|
version](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) of their
|
||||||
|
server. Try asking firefox to goto http://google.com - it would force
|
||||||
|
rewrite it to https before sending even a peep out.[2]
|
||||||
|
|
||||||
|
So in an alternate life you'd be staring at your browser waiting for
|
||||||
|
google.com that never loads. Browsers and OSes workaround this problem
|
||||||
|
by detecting captive portals - Firefox does this by trying to fetch
|
||||||
|
`http://detectportal.firefox.com/sucess.txt`, and if it doesn't come
|
||||||
|
back assume the browser to be behind a portal.
|
||||||
|
|
||||||
|
Firefox keeps making this requests periodically, and its kinda
|
||||||
|
annoying to me because its the networking version of "lit like a
|
||||||
|
christmas tree".
|
||||||
|
|
||||||
|
![Firefox portal requests](/images/ff_portal.png)
|
||||||
|
|
||||||
|
One could turn off firefox's behavior by toggling
|
||||||
|
`network.captive-portal-service.enabled` in `about:config`. But then
|
||||||
|
you are responsible for manually going to an HTTP-only url after
|
||||||
|
connected to a public hotspot. The same firefox url should be
|
||||||
|
fine.[3]
|
||||||
|
|
||||||
|
I understand that there are "legal" requirements to setup captive
|
||||||
|
portals (or other reasons?, enlighten me). But after you
|
||||||
|
"authenticate" most systems grant you access by your MAC and/or
|
||||||
|
IP. Both of which someone motivated can easily sniff and spoof.
|
||||||
|
|
||||||
|
So yeah, I think captive portals are BAD.
|
||||||
|
|
||||||
|
## Footnotes
|
||||||
|
[1] There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular.
|
||||||
|
[2] This could also be because firefox is caching `301` redirects it has seen before.
|
||||||
|
[3] I run a similiar URL at `nossl.dbalan.in`, but you should trust mozilla one than my tiny server.
|
BIN
images/ff_portal.png
Normal file
BIN
images/ff_portal.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 220 KiB |
Loading…
Reference in New Issue
Block a user