GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

Andrew Lutomirski luto at mit.edu
Mon Jun 15 19:23:39 UTC 2015


On Mon, Jun 15, 2015 at 12:07 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 15 Jun 2015, Stephen John Smoogen wrote:
>
>> Is the code on how ChromeOS or Android detects captivity part of the
>> 'public' code? It seems to do a 'good' job in finding many captive
>> portals so might be something to get an idea on how many weird ways
>> things are out there.
>
>
> I think everyone does it similarly. Apple, Google, etc.
>
> You have a web server with a guarantee on no HTTP redirect. You expect
> some specific content, typically "OK" to be there in the proper mime
> type. (usually text) If you get different text or a redirect or other
> error (eg forbidden) then you assume you're in a captive portal.
>
> Apple (foolishly) used to use something like http://apple.com/hotspot
> on their main site itself, which meant that using a VPN on demand could
> never protect apple.com because the iphone had to leave that domain out
> of the vpn trigger list or else all hotspot detection would be broken. It
> seems they have switched to captive.apple.com which returns "Success". It
> has a TTL of 10 (after a CNAME redirect into Akamai) but it is missing
> a AAAA record. Guess there aren't many ipv6 captive portals yet :P

Using http://apple.com/[anything] is an extra-terrible idea because
it's rather fundamentally incompatible with HSTS unless you fudge it
client-side to ignore HSTS.

--Andy
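
An added example, not part of the thread and not any vendor's code: the probe check described in the quoted message, plus the HSTS effect raised in the reply. The Response type, the function names, the hostnames and the "offline" outcome for a missing answer are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Response:
    """Constructed stand-in for the HTTP answer to a connectivity probe."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def classify(resp, expected_body=b"Success", expected_type="text/"):
    """Return 'open' only if the probe answer is exactly what the probe server sends."""
    if resp is None:
        return "offline"   # assumption: no answer at all means no network, not a portal
    if 300 <= resp.status < 400:
        return "captive"   # the probe server guarantees it never redirects
    if resp.status != 200:
        return "captive"   # other error from the gateway, e.g. 403 Forbidden
    if not resp.headers.get("content-type", "").lower().startswith(expected_type):
        return "captive"   # wrong MIME type
    if resp.body.strip() != expected_body:
        return "captive"   # different text, e.g. a login page served with 200
    return "open"

def effective_probe_url(url, hsts_hosts):
    """URL an HSTS-enforcing client really requests (exact-host match only)."""
    parts = urlsplit(url)
    if parts.scheme == "http" and (parts.hostname or "") in hsts_hosts:
        return parts._replace(scheme="https").geturl()
    return url

def probe_is_interceptable(url, hsts_hosts):
    """A portal can only answer a plain-HTTP probe; an upgraded one fails in TLS."""
    return urlsplit(effective_probe_url(url, hsts_hosts)).scheme == "http"

if __name__ == "__main__":
    # Constructed responses and hostnames, for illustration only.
    samples = {
        "expected answer": Response(200, {"content-type": "text/plain"}, b"Success\n"),
        "portal redirect": Response(302, {"location": "http://portal.example/login"}),
        "portal page": Response(200, {"content-type": "text/html"}, b"<html>Login</html>"),
        "forbidden": Response(403),
    }
    for name, resp in samples.items():
        print(f"{name}: {classify(resp)}")
    hsts = {"www.example.com"}  # assumed to be in the client's HSTS store
    for url in ("http://www.example.com/hotspot", "http://probe.example.net/"):
        print(url, "->", effective_probe_url(url, hsts), probe_is_interceptable(url, hsts))
```

A probe on a host in the HSTS store is rewritten to https before it leaves the client, so the portal cannot answer it and detection breaks unless the client special-cases that host.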

