Captive portal is a network service that requires a user connecting to the Web to perform some actions to gain access to the Internet . Usually used for charging, subscriber authentication , or advertising . For the first time [1] described by experts at Stanford University in 1999 [2] .
When you try to access any site from a device whose captive portal does not know the MAC address , the http request is redirected to the portal start page. Technically, a redirect is done either with the help of a distorted response to the DNS request, or by means of a router . As a rule, in response to the initial request, an HTTP response is received with the code 302 , but in 2012 it was suggested to enter code 511 specifically for such cases [3] .
Since the captive portal script works correctly only in the browser when accessing a non-https site, most modern client operating systems, after connecting to the network, check for its presence:
- Android , starting with version 4, a few seconds after connecting, it requests from one of Google’s servers a file called
generate_204and, without receiving code 204 in the http response, creates a corresponding notification that, when clicked, opens a captive portal in the browser. - Windows and Windows Phone use the Network Connectivity Status Indicator service , which requests a file from a Microsoft-owned site, expecting to receive predefined content. In some cases, the site’s IP address returned by the DNS server is checked against the benchmark. When a captive portal is detected in the same way as in Android, a notification is generated for the user [4] .
- iOS devices, like Windows, request a file (from one of several hundred [5] Apple-owned sites) and compare its contents. If a captive portal is found in a pop-up window, the Captive Network Assistant opens, which is a browser without HTTP cookies .
Many Captive portal systems are vulnerable to mediator attacks [6] . There may be problems with redirection of users who connect from devices that do not recognize the captive portal and open sites that force the use of https (for example, with HSTS enabled ). According to Chrome developers, about 5% of SSL / TLS error messages are caused by Captive portals [7] .
See also
- Hot spot (Wi-Fi)
Notes
- ↑ Haidong Xia, Jose Brustoloni. Detecting and Blocking Unauthorized Access in Wi-Fi Networks (English) // Networking 2004: Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; IFI-TC6 Networking Conference Athens, Greece, May 9–14, 2004: Proceedings. - Springer Berlin Heidelberg, 2004. - p . 795-806 . - ISBN 978-3-540-21959-0 . - ISSN 0302-9743 . - DOI : 10.1007 / 978-3-540-24693-0_65 .
- ↑ Guido Appenzeller, Mema Roussopoulos, Mary Baker. User-Friendly Access Control for Public Network Ports (English) // INFOCOM '99. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Processions Ieee. - 1999. - Vol. 2. - p. 699-707. - ISBN 0-7803-5417-6 . - ISSN 0743-166X . - DOI : 10.1109 / INFCOM.1999.751456 .
- ↑ RFC 6585 Additional HTTP Status Codes April 2012 “6.1. The 511 Status Code and Captive Portals »
- ↑ Nathan Hinkle. Windows 7 Network Awareness: How Windows knows it has an internet connection May 16, 2011). The appeal date is July 30, 2015
- ↑ Readme for iOS 7 WebAuth on Cisco Wireless LAN Controller, Release 7.4 MR 2 . Cisco (September 2013). The appeal date is July 30, 2015
- ↑ APAN Meetings | Asia Pacific Advanced Network (APAN)
- ↑ https://cabforum.org/wp-content/uploads/Improving-SSL-Warnings.pdf
Links
- UNRUPTING WI-FI HOTSPOT USING CAPTIVE PORTAL TECHNOLOGY , xakep.ru, 2013
- Weekend project: set up a secure Wi-Fi guest connection in Linux , rus-linux.net, 2011 translation publication:
- Wi-Fi with Linux / Linux.com, December 10, 2010 ( Nathan Willis, Weekend Project )