Web lists-archives.com

Re: Captive network account (w/ login redirect) and HSTS




On Sun 02 Apr 2017 at 18:36:25 +0200, Marc SCHAEFER wrote:

> with a basic Debian jessie install and a recent Firefox, I observe the
> following:
> 
>    [1] Debian has no specific support for detecting captive networks
>        (e.g. Android, iOS) and redirecting automatically the browser to
>        the captive login page
> 
>    [2] launching Firefox on the default page doesn't work (doesn't get
>        redirected properly to the login page but fails with a HTTPS
>        certificate error), if there is a recent HSTS[*] security
>        configuration cache for the default domain page (e.g. google.com)
> 
> [1] is not really an issue: I wouldn't like myself that connecting to
> a WiFi captive network starts a browser. Also, open captive networks are
> messing up, dangerous, a WPA/RADIUS auth would be much better.
> 
> However, open captive networks are quite commons in hotels, airports,
> parks, etc.  So it cannot be dismissed.
> 
> [2] the only fix is to type an URL you know is HTTP, not HTTPS and does
> not configure HSTS, and does not support DNSSEC. In my case I used
> ptiturl.ch
> 
> Maybe this could be in the Debian User manual somehow?
> 
> Feel free to contact me if you want help in writing the documentation.
> 
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Probably the best place for this is the wiki. Anyone can create a page
on the topic of captive networks there. Maybe there one is in existence
which can be added to. Feel free to add to such a page or start a new
one.

-- 
Brian.