Wikipedia:Reference desk/Archives/Computing/2021 March 4
| Computing desk | ||
|---|---|---|
| < March 3 | << Feb | March | Apr >> | Current desk > |
| Welcome to the Wikipedia Computing Reference Desk Archives |
|---|
| The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages. |
March 4
editProtocols for Public wifi redirect to login website
editwhen I find a public wifi on a train, in an airport or hotel for example, I am redirected to a url to agree terms of service, or provide login details or wifi password. What is the protocol that maps a wifi SSID to a landing url. In android there is a specific login app for wifi connections, it only starts when login is required, and the app name is hidden. What are the protocols for this app, and does it have analogs in other OSes? Bogger (talk) 11:28, 4 March 2021 (UTC)
- This technique is called a captive portal. See also RFC 7710 and RFC 8910 -- Finlay McWalter··–·Talk 19:06, 4 March 2021 (UTC)
- Note that many OSes, including Android, often detect captive portals simply by trying to access some built in HTTP URL list and determining if they get the expected URL or are redirected somewhere. See [1] for more. Nil Einne (talk) 11:39, 5 March 2021 (UTC)
- For example, iOS uses captive.apple.com to check. The device attempts connects to the server and if it returns something other than the usual response ("Success", you can check by clicking the link), it displays the result to the user. ―sportzpikachu my talkcontribs 11:43, 5 March 2021 (UTC)
- Fairly sure that would be http://captive.apple.com. Redirecting from https would generally be identified by most browsers as a possible MITM attack since the server lacks certificates for captive.apple.com. While the OS and mini browser could just ignore this when it's trying to detect captive portals, for safety reasons it's better to avoid this by using http URLs. Also, I think some captive portals don't intercept HTTPS requests given the confusion it may cause. Actually I think the move to HTTPS everywhere is one reason why OSes and browsers started to implement captive portal detection. In the past, the user would often simply come across the redirection themselves during browsing attempts. Now they wont either because the browser is blocking it as it's happening on HTTPS, or it's not happening at all since the captive portal doesn't intercept HTTPS. Nil Einne (talk) 11:54, 5 March 2021 (UTC)
- @Nil Einne: Ah right, forgot about HTTP/S haha ―sportzpikachu my talkcontribs 11:56, 5 March 2021 (UTC)
- Fairly sure that would be http://captive.apple.com. Redirecting from https would generally be identified by most browsers as a possible MITM attack since the server lacks certificates for captive.apple.com. While the OS and mini browser could just ignore this when it's trying to detect captive portals, for safety reasons it's better to avoid this by using http URLs. Also, I think some captive portals don't intercept HTTPS requests given the confusion it may cause. Actually I think the move to HTTPS everywhere is one reason why OSes and browsers started to implement captive portal detection. In the past, the user would often simply come across the redirection themselves during browsing attempts. Now they wont either because the browser is blocking it as it's happening on HTTPS, or it's not happening at all since the captive portal doesn't intercept HTTPS. Nil Einne (talk) 11:54, 5 March 2021 (UTC)
- I should clarify I mean stock Android, although most variants are similar except maybe with different URLs and different browsers, and maybe different ways of notifying the user there is a captive portal. Nil Einne (talk) 11:54, 5 March 2021 (UTC)
- For example, iOS uses captive.apple.com to check. The device attempts connects to the server and if it returns something other than the usual response ("Success", you can check by clicking the link), it displays the result to the user. ―sportzpikachu my talkcontribs 11:43, 5 March 2021 (UTC)
- Note that many OSes, including Android, often detect captive portals simply by trying to access some built in HTTP URL list and determining if they get the expected URL or are redirected somewhere. See [1] for more. Nil Einne (talk) 11:39, 5 March 2021 (UTC)