diff --git a/blog/2019-04-05-on-captive-portals.markdown b/blog/2019-04-05-on-captive-portals.markdown index b7b6cf0..25327a1 100644 --- a/blog/2019-04-05-on-captive-portals.markdown +++ b/blog/2019-04-05-on-captive-portals.markdown @@ -12,13 +12,13 @@ Captive portals are bad! For the unitiated, they are the annoying websites you have to click through on public hotspots, Demanding an arm, leg or just your email address. -Most of them work by hijacking HTTP pages[1], for any http pages +Most of them work by hijacking HTTP pages[^1], for any http pages visted before _"authenticated"_, one would get a temporary redirect to the captive portal url. But most of the popular websites deploy HSTS, which would [instruct the clients to never even hit HTTP version](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) of their server. Try asking firefox to goto http://google.com - it would force -rewrite it to https before sending even a peep out.[2] +rewrite it to https before sending even a peep out.[^2] So in an alternate life you'd be staring at your browser waiting for google.com that never loads. Browsers and OSes workaround this problem @@ -36,7 +36,7 @@ One could turn off firefox's behavior by toggling `network.captive-portal-service.enabled` in `about:config`. But then you are responsible for manually going to an HTTP-only url after connected to a public hotspot. The same firefox url should be -fine.[3] +fine.[^3] I understand that there are "legal" requirements to setup captive portals (or other reasons?, enlighten me). But after you 
@@ -45,7 +45,7 @@ IP. Both of which someone motivated can easily sniff and spoof. So yeah, I think captive portals are BAD. -## Footnotes -[1] There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular. -[2] This could also be because firefox is caching `301` redirects it has seen before. -[3] I run a similiar URL at `nossl.dbalan.in`, but you should trust mozilla one than my tiny server. + +[^1]: There are one that hijacks DNS, but usually devices have DNSs cached, so that seems to be not popular. +[^2]: This could also be because firefox is caching `301` redirects it has seen before. +[^3]: I run a similiar URL at `nossl.dbalan.in`, but you should trust mozilla one than my tiny server.
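Review bot: In the first hunk (@@ -12,13 +12,13 @@), the new `[^1]` and `[^2]` markers only render as footnotes if the blog's Markdown renderer has footnote support turned on, and nothing in this patch shows that it does. Please check the rendered page, since a renderer without it will print the markers literally. While this paragraph is being touched, the unchanged context lines still read "unitiated" and "visted", and fixing them in the same commit would be cheap.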
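Review bot: In the last hunk (@@ -45,7 +45,7 @@), dropping the `## Footnotes` heading in favour of a blank line leaves it entirely to the renderer to separate the notes from the closing sentence "So yeah, I think captive portals are BAD."; if the renderer adds no rule or heading of its own, consider keeping the heading above the `[^1]:` definitions. All three definition lines are rewritten here anyway, so this is the place to fix "There are one", "similiar" and "trust mozilla one than my tiny server" instead of carrying them over unchanged.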