
Feedback from the field on captive portals: Antoine Boisjibault, Systems Engineer at UCOPIA, a French company specialising in captive portals, shares his experience on this subject. It applies to the many projects carried out by UCOPIA, but also to any captive portal technology.

Wi-Fi captive portal: definition

In layman’s terms: a captive portal is a mechanism that intercepts the user’s traffic and presents them with content they did not request themselves, in order to force them to authenticate.

To alleviate the “HSTS” error problems reported by users, OS and hardware vendors have implemented a so-called “CNA” assistant (the name “Captive Network Assistant” is specific to Apple products).
This assistant avoids the need for the user to launch a web browser in order to display the captive portal.

What are the user issues in relation to the captive portal?

The purpose of the HTTPS protocol (and the HSTS mechanism layered on top of it) is to guarantee that the content received by a client is actually the content it requested, from the server it requested it from. HTTPS and captive portals are therefore, by design, incompatible.

Here’s how it works:
– When a user not yet authenticated on UCOPIA (or any other captive portal) attempts to access a secure site (https://www.google.fr or https://www.mabanque.com), the captive portal (itself served over HTTPS) is presented instead.
– The browser therefore receives the certificate of the captive portal and not that of the site it actually requested, hence the security alert, which can simply be accepted on a standard HTTPS site (but is blocking when the site uses HSTS).

This is why most operating system vendors (desktop and mobile) have recently implemented assistants for connecting to captive portals:

Apple CNA for Apple mobile (and Mac) devices: the famous page that opens by itself when you connect to Wi-Fi.

On Android devices, this appears as a notification (triggered by a request to http://connectivitycheck.gstatic.com/generate_204 on Marshmallow, and to http://clients3.google.com/generate_204 on KitKat).

Consistent Connection Handling for Microsoft, which:
– works in the same way as on Apple mobile devices
– opens a browser on Windows 8.1
– displays a notification in the system tray on Windows 7
– opens the browser on Windows 10

With these mechanisms, the problem of the first page being in HTTPS does not arise: the operating system takes care of it.
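The OS assistants listed above all rely on the same trick: fetch a known URL over plain HTTP and check whether the expected answer comes back untouched. The following is an added example, not UCOPIA or vendor code, that reproduces that check. The probe URLs are the two named in the article; every response in SAMPLES is constructed (not captured traffic), and `https://portal.example.test/login` is a made-up portal address.

```python
"""Captive-portal detection the way the OS connectivity checks do it: fetch a
known URL over plain HTTP and see whether the expected answer comes back
untouched.

Added example, not UCOPIA or vendor code. The probe URLs are the two named in
the article; every response in SAMPLES is constructed, not captured traffic.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Probe endpoints named in the article (Android Marshmallow and KitKat).
PROBES = {
    "marshmallow": "http://connectivitycheck.gstatic.com/generate_204",
    "kitkat": "http://clients3.google.com/generate_204",
}

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)


@dataclass
class ProbeResult:
    state: str                  # "open", "captive" or "offline"
    portal_url: Optional[str]   # where the gateway sent us, if it told us


# <meta http-equiv="refresh" content="0; url=..."> is how some portals redirect
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'> ]+)', re.I)


def classify(status: int, headers: Dict[str, str], body: bytes) -> ProbeResult:
    """Judge one probe response.

    An untouched generate_204 endpoint answers 204 with an empty body. A
    redirect or an HTML page means a gateway in the path substituted its own
    content for what was asked (the interception a captive portal performs);
    anything else is treated as no connectivity at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 204 and not body:
        return ProbeResult("open", None)
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return ProbeResult("captive", h["location"])
    if status == 200:
        m = _META_REFRESH.search(body.decode("utf-8", "replace"))
        return ProbeResult("captive", m.group(1) if m else None)
    return ProbeResult("offline", None)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx: following it would hide the portal URL."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str = PROBES["marshmallow"], timeout: float = 5.0) -> ProbeResult:
    """Live probe over plain HTTP (needs a network; not used by the samples)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:          # 3xx land here because of _NoRedirect
        return classify(e.code, dict(e.headers), e.read())
    except (urllib.error.URLError, OSError):
        return ProbeResult("offline", None)


# Constructed responses: what the probe sees in each situation.
SAMPLES: Dict[str, Response] = {
    "open internet": (204, {"Content-Length": "0"}, b""),
    "gateway 302 to UCOPIA default portal":
        (302, {"Location": "https://controller.access.network/"}, b""),
    "gateway serves login page with meta refresh":
        (200, {"Content-Type": "text/html"},
         b'<html><head><meta http-equiv="refresh" '
         b'content="0; url=https://portal.example.test/login"></head></html>'),
    "gateway serves login page, no hint":
        (200, {"Content-Type": "text/html"}, b"<html><body>Welcome</body></html>"),
    "link down": (0, {}, b""),
}


def run_samples() -> Dict[str, ProbeResult]:
    """Classify every constructed sample; used by the demo and the checks."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:45s} -> {result.state:8s} {result.portal_url or ''}")
```

Running `probe()` on a real network returns "captive" together with the portal URL whenever a gateway intercepts the request, which is exactly what triggers the Apple, Android and Windows notifications described above; the redirect handler is disabled on purpose so that the 302 itself, and not the portal page it points at, is what gets inspected.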

You can then check that a notification inviting users to open their browser is sent to the smartphones and tablets concerned.

For devices running Windows 8 and 10, the Wi-Fi wizard can be used.

Once authenticated on UCOPIA, the user will no longer see this security alert.
Alternatively, setting the browser’s default home page to an HTTP page prevents the certificate alert from appearing.

If the user does not go through these mechanisms (either because they deliberately close them, or because their system does not have them), and their first request is in HTTPS, or even to a site using HSTS:
– They will get an error in their browser telling them that they requested https://www.google.com but that https://controller.access.network/ (the default in the case of UCOPIA) is responding.
– For ordinary HTTPS sites (without HSTS), this error can be ignored.
– If the site initially requested uses HSTS, the error cannot be ignored and the user cannot proceed any further.

To trigger the redirection to the captive portal, the user simply has to request a page over plain HTTP, which lets the redirection take place.
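The three outcomes just described (redirect on plain HTTP, a warning the user can accept on ordinary HTTPS, a hard failure on HSTS) follow from two browser rules: the certificate name check, and the HSTS cache. The following added example, not browser or UCOPIA code, models only that decision. It assumes the gateway answers every TLS handshake with a certificate for `controller.access.network` (the UCOPIA default named above); the host names, the `Strict-Transport-Security` header value and the preloaded `google.com` entry are constructed for the example.

```python
"""Why the first HTTPS request fails hard behind a captive portal, and why a
plain HTTP request does not.

Added example, not browser or UCOPIA code. It models only the browser's
decision: the gateway answers every TLS handshake with the portal's own
certificate (controller.access.network, the UCOPIA default named in the
article), so the name the user asked for never matches. Hosts and header
values below are constructed; the HSTS preload entry is an assumption.
"""
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Subject alternative names of the certificate the gateway presents (assumed).
PORTAL_SANS: List[str] = ["controller.access.network"]


def name_matches(requested_host: str, san_names: Iterable[str]) -> bool:
    """Hostname check in the RFC 6125 style: exact match, or a wildcard whose
    single '*' stands for exactly one leftmost label."""
    host = requested_host.lower().rstrip(".")
    for pattern in san_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False


class HstsCache:
    """Per-host Strict-Transport-Security state, as a browser keeps it."""

    def __init__(self, preload: Iterable[str] = ()) -> None:
        # host -> (expiry timestamp, includeSubDomains)
        self._entries: Dict[str, Tuple[float, bool]] = {}
        for host in preload:                     # preload list never expires
            self._entries[host.lower()] = (float("inf"), True)

    def observe(self, host: str, header: str, now: Optional[float] = None) -> None:
        """Record a Strict-Transport-Security header received over HTTPS."""
        now = time.time() if now is None else now
        directives: Dict[str, str] = {}
        for part in header.split(";"):
            key, _, value = part.strip().partition("=")
            directives[key.lower()] = value.strip().strip('"')
        max_age = int(directives.get("max-age", "0"))
        if max_age <= 0:                         # max-age=0 withdraws the policy
            self._entries.pop(host.lower(), None)
            return
        self._entries[host.lower()] = (now + max_age, "includesubdomains" in directives)

    def covers(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry[0] < now:
                continue
            if i == 0 or entry[1]:
                return True
        return False


def first_request_outcome(url: str, hsts: HstsCache, authenticated: bool = False,
                          now: Optional[float] = None) -> str:
    """What the user sees for their first request on the captive network."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].lower()
    if authenticated:
        return "proceed"                   # gateway stops intercepting; real site answers
    if scheme == "http" and hsts.covers(host, now):
        scheme = "https"                   # browser upgrades the URL before sending it
    if scheme == "http":
        return "redirect-to-portal"        # plain 302 from the gateway, no certificate involved
    if name_matches(host, PORTAL_SANS):
        return "proceed"                   # the user asked for the portal itself
    if hsts.covers(host, now):
        return "hard-fail"                 # HSTS: the name mismatch cannot be clicked through
    return "overridable-warning"           # standard HTTPS: the user may accept the alert


if __name__ == "__main__":
    cache = HstsCache(preload=["google.com"])
    cache.observe("www.mabanque.com", "max-age=31536000; includeSubDomains")
    for u in ("https://www.google.com/", "http://www.google.com/",
              "https://shop.example.test/", "http://plain.example.test/"):
        print(f"{u:32s} -> {first_request_outcome(u, cache)}")
```

The `http://` upgrade branch is the detail that matters for the workaround in the text: asking for a plain HTTP page only triggers the portal redirection if the browser has no HSTS entry for that host, otherwise the request is silently turned into HTTPS and fails in the same way. That is why a dedicated HTTP home page (one never served with an HSTS header) is the reliable choice.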

Finally, it should be noted that the latest versions of the most common web browsers are starting to include a wizard dedicated to captive portals. Here is an example of the rendering on Firefox 52:
The screenshot showed the alert obtained (no more HSTS blocking), together with the captive portal opening in a new tab following a call to http://detectportail.firefox.com/success.txt, which allows the redirection to the portal.

This should soon be available in other browsers such as Chrome or IE, as it is already available in Chromium.

An IETF working group has been set up to monitor progress and develop standards addressing the problems associated with captive portals; more information on this subject is available at this address.