Re: Captive network account (w/ login redirect) and HSTS
- Date: Mon, 3 Apr 2017 13:55:08 +0100
- From: Darac Marjal <mailinglist@xxxxxxxxxxxx>
- Subject: Re: Captive network account (w/ login redirect) and HSTS
On Sun, Apr 02, 2017 at 06:36:25PM +0200, Marc SCHAEFER wrote:
with a basic Debian jessie install and a recent Firefox, I observe the
 Debian has no specific support for detecting captive networks
(e.g. Android, iOS) and redirecting automatically the browser to
the captive login page
 launching Firefox on the default page doesn't work (doesn't get
redirected properly to the login page but fails with an HTTPS
certificate error), if there is a recent HSTS[*] security
configuration cache for the default domain page (e.g. google.com)
 is not really an issue: I wouldn't like myself that connecting to
a WiFi captive network starts a browser. Also, open captive networks are
messing up, dangerous, a WPA/RADIUS auth would be much better.
However, open captive networks are quite common in hotels, airports,
parks, etc. So it cannot be dismissed.
 the only fix is to type a URL you know is HTTP, not HTTPS and does
not configure HSTS, and does not support DNSSEC. In my case I used
Maybe this could be in the Debian User manual somehow?
Feel free to contact me if you want help in writing the documentation.
I believe the way Android works is, when the network interface changes,
a request is fired off to a known page on Google. If that page returns a
known HTTP code (200, I think), then everything is OK. But if it returns
301 (Moved Permanently), 302 (Found) or, preferably, 511 (Network
Authentication Required), then a one-shot browser is opened.
I think this would be a great feature request for Network-Manager (which
has the ability to monitor the network AND has a GUI AND is part of the
For more information, please reread.
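
The probe described in the reply above, as an added example that is not part of the original thread and not Android's or NetworkManager's code. The probe URL and the expected status are assumptions, and the redirect list goes slightly beyond the 301/302 named in the message.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Assumptions: a hypothetical probe URL that normally answers EXPECTED_STATUS.
# It must be plain http:// on a host without HSTS; an https:// probe would only
# produce the certificate error described in the thread.
PROBE_URL = "http://probe.example.net/check"
EXPECTED_STATUS = 200
REDIRECTS = (301, 302, 303, 307, 308)  # thread names 301/302; rest added here


def classify(status, headers, probe_url=PROBE_URL, expected=EXPECTED_STATUS):
    """Map one probe response to (state, login_url)."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == expected:
        return ("online", None)
    if status in REDIRECTS:
        location = headers.get("location")
        if not location:
            return ("unknown", None)
        target = urljoin(probe_url, location)  # portals may send relative URLs
        # Only http(s) targets are handed to a browser; the portal is untrusted.
        if urlsplit(target).scheme not in ("http", "https"):
            return ("unknown", None)
        return ("captive", target)
    if status == 511:
        return ("captive", None)  # RFC 6585: login link is in the body
    return ("unknown", None)


def probe(url=PROBE_URL, timeout=5):
    """Send one GET without following redirects and classify the answer."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("probe must be plain http")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), url)
    except (OSError, http.client.HTTPException):
        return ("offline", None)
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe())
```

A portal that answers the probe with the expected status and its own page is not detected by the status code alone.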