As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).
Yes but that is specifically (they actually mention this) because some companies don’t recognize public domain license, so those companies rather buy a few thousand dollar license than going through the internal bureaucracy to get it approved - if even possible.
The readme of repository includes a paragraph suggesting that companies should reach out for a commercial license. For an MIT licensed codebase that is unusual. I believe the top-level commenter is assuming that discrepancy is by mistake and is giving a heads up.
From the readme:
>Note: Companies interested in purchasing a license to use the source code commercially can contact this number on WhatsApp
You are right, I forgot to delete the mit license.
I have now removed the mit license and modified the license to accommodate commercial use of the source code.
As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.
Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.
Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test url. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well known DNS name could be another good option.
A DHCP option would be the correct way to specify a captive portal on a LAN. We have DHCP options for tons of things: IP phones, TFTP servers, cable boxes. One more option for a captive portal authentication URL would properly inform clients that there is a captive portal and how to access it. (It being a URL means it can also specify the protocol, so you aren't even locked into web browsers)
My assumption is this wasn't adopted because operators want the option of placing the captive portal upstream of the local network DHCP server. DNS spoofing works great over multiple network hops, but DHCP doesn't. (I'm not sure if that's a valid argument, but I'm sure somebody insisted on it)
If they got the top 5 wifi router vendors to support it, for sure you'd see other clients support it too, because the whole point of captive portal support in browsers is to react to what those routers are doing for captive portaling.
Since those vendors largely use open source tools, if you patched open source DHCP servers with that option, it would get adopted quicker by them.
There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi alliance.
It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.
Hotels absolutely don’t want to provide open access to all for obvious reasons.
Although I have a “global unlimited” business SIM, I find it rarely works all that great.
Getting a local SIM is not always an option.
What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?
>Or do not offer internet access at all. People carry their own already-connected devices anyway.
Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive)
Gues they just won't provide access then. Oh, what's that? There's a reason they need to provide access? Well, too bad the IT standards people invented a way to make sure we didn't interfere!
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
If someone makes you import a CA, you have to assume they intend to eavesdrop on ssl encrypted communications. Enterprise WPA doesn't require it.
The right flavour of incompetence might get you there without bad intentions but really if you give someone the capability of eavesdropping you have to behave as if they're intending to use it
Doesn't seem like it. For instance the WPA enterprise setup dialog has a field specifically for a CA certificate[1]. Other OSes have something similar [2]. Presumably that's only used for WPA authentication purposes rather than being added as a sytem CA.
In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (eg. ones with room or loyalty program members)
From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still support for it.
>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.
> Legal cover for when a baddie uses the connection to order drugs or whatever.
.... Is this meant to be a joke?
> still required me to import a CA
It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.
Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary please present them rather than making shallow dismissals.
>It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed
Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.
IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".
It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?
I wonder how captive portals are supposed to work with IPv6 temporary private addresses (RFC4941).
I’ve never run a captive portal but I always assumed that the router just redirects all port 80 packets to the portal (and rejects everything else), and then upon authenticating, the gateway puts your IP in the “allow” bucket and you get access.
But if you’re generating random addresses every few minutes, you’d need to continually reauthenticate, unless the system has some way of associating the temporary addresses with the original connection. Maybe it listens to ndp and uses MAC addresses to associate? That would be more advanced than most captive portals I’ve seen which seem to only care about ip addresses. Maybe just none of them use IPv6, or simply break with temporary addresses?
There are 3 main types of "random Wi-Fi MAC addresses". The most well known one is randomization of the MAC while the client is probing from SSIDs (prior to connection). This has been around for many years and doesn't change the actual connection MAC later on. Another randomization type that's slightly more common these days (e.g. iPhones default to it now) is choosing a random MAC per SSID. That way you can't be tracked by MAC across multiple networks but you still have consistency for captive portals and business networks. The third is true rotating randomization - this is relatively uncommon as it breaks captive portals (there is no well known algorithm or it'd be relatively pointless). iPhones were going to adopt this with rolling MACs but it was too broken and offered little over approach 2 in terms of privacy.
I guess different captive portals work differently, because I’ve heard of plenty of them that can be bypassed by simply statically assigning the address of someone else who’s already authenticated (ie session hijacking), but it makes sense that any “decent” captive portal system uses MAC addresses to mitigate this.
The randomization I refer to is of the outgoing IPv6 address, not the MAC address… nothing that I’m aware of randomly cycles MAC addresses (Apple’s OSes can be configured to randomly generate a MAC every time you connect to a network, but it won’t regenerate them continuously in a session. IPv6 addresses however are continuously generated, as per the RFC4941 spec.) If the system is using MAC addresses to identify users, then temporary/cycled IPv6 addresses should be no problem.
This is really cool. Nice work and I find the MIT license you've chosen to be interesting. I chose the very same license for my own open source project because I wanted there to be few excuses not to use it.
Damn, you've done significant work on this. Will have to check this out more in depth.
Indeed. MIT license means you are working for large corporations for free, if your software is useful. As a capitalist parasite, I strongly support its use.
As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).
SQLite is public domain, but they apparently get enough enquiries about purchasing licenses, that they offer a warranty of title.
https://www.sqlite.org/purchase/license
Yes but that is specifically (they actually mention this) because some companies don’t recognize public domain license, so those companies rather buy a few thousand dollar license than going through the internal bureaucracy to get it approved - if even possible.
Was going to make a similar comment.
> Note: Companies interested in purchasing a license to use the source code commercially can contact this number
and then
> This project is licensed under the MIT License.
I guess they didn't understand the MIT license and what rights it confers.
I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.
Best regards
You are right, I forgot to delete the mit license.
I have now removed the mit license and modified the license to accommodate commercial use of the source code.
Best regards
It says right in the readme:
The readme of repository includes a paragraph suggesting that companies should reach out for a commercial license. For an MIT licensed codebase that is unusual. I believe the top-level commenter is assuming that discrepancy is by mistake and is giving a heads up.
From the readme:
>Note: Companies interested in purchasing a license to use the source code commercially can contact this number on WhatsApp
You are right, I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.
Best regards
As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.
Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.
Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test url. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well known DNS name could be another good option.
A DHCP option would be the correct way to specify a captive portal on a LAN. We have DHCP options for tons of things: IP phones, TFTP servers, cable boxes. One more option for a captive portal authentication URL would properly inform clients that there is a captive portal and how to access it. (It being a URL means it can also specify the protocol, so you aren't even locked into web browsers)
My assumption is this wasn't adopted because operators want the option of placing the captive portal upstream of the local network DHCP server. DNS spoofing works great over multiple network hops, but DHCP doesn't. (I'm not sure if that's a valid argument, but I'm sure somebody insisted on it)
There is a DHCP option for a captive portal URL. It isn't very well supported and nobody uses it.
https://datatracker.ietf.org/doc/html/rfc7710
Apparently, there's a newer one that is supported by Android 11+, iOS 14+, and macOS Big Sur, at least
https://www.rfc-editor.org/rfc/rfc8910.html https://www.rfc-editor.org/rfc/rfc8908.html
https://developer.android.com/about/versions/11/features/cap... https://developer.apple.com/news/?id=q78sq5rv
If they got the top 5 wifi router vendors to support it, for sure you'd see other clients support it too, because the whole point of captive portal support in browsers is to react to what those routers are doing for captive portaling.
Since those vendors largely use open source tools, if you patched open source DHCP servers with that option, it would get adopted quicker by them.
- KEA DHCPD supports it as option 114: https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/li...
- ISC DHCPD is officially ended (whoa!), but it looks like it supports option 114: https://gitlab.isc.org/isc-projects/dhcp/-/blob/master/commo...
- Dnsmasq author says they added the option (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelley...) but I don't see it in their latest release
- Udhcpd doesn't seem to support it, so somebody could send them a patch, looks trivial to add
There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi alliance.
It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.
Is there even an alternative to captive portals?
Just give internet access directly.
Or do not offer internet access at all. People carry their own already-connected devices anyway.
16% of Canadians in 2022 didn't have a data plan on their phone, according to Statistics Canada. Roughly 6 million Canadians or so.
So not everyone. Actually a decent number of people that don't.
seems easy to confuse % of plans with % of ppl. probably a lot of obscure use-cases in there
Hotels absolutely don’t want to provide open access to all for obvious reasons. Although I have a “global unlimited” business SIM, I find it rarely works all that great. Getting a local SIM is not always an option.
What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?
>Or do not offer internet access at all. People carry their own already-connected devices anyway.
Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive)
>What if legal wants to show a TOS page?
The reality is that nobody wants to bother with any of that.
Either just connect me to the internet without extra steps, or don't at all. Don't waste my time.
>The reality is that nobody wants to bother with any of that.
I don't either, but for IT departments in large organizations, ignoring the legal department isn't an option.
Gues they just won't provide access then. Oh, what's that? There's a reason they need to provide access? Well, too bad the IT standards people invented a way to make sure we didn't interfere!
I appreciate the sentiment, but having a shitty Wi-Fi is better than none at all IMO.
> or you want finer grained authentication than a shared key?
Configure your access points to use RADIUS or SAML for auth?
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
If someone makes you import a CA, you have to assume they intend to eavesdrop on ssl encrypted communications. Enterprise WPA doesn't require it.
The right flavour of incompetence might get you there without bad intentions but really if you give someone the capability of eavesdropping you have to behave as if they're intending to use it
Doesn't seem like it. For instance the WPA enterprise setup dialog has a field specifically for a CA certificate[1]. Other OSes have something similar [2]. Presumably that's only used for WPA authentication purposes rather than being added as a sytem CA.
[1] https://askubuntu.com/questions/1317320/how-can-i-automatica...
[2] https://documentation.meraki.com/MR/Encryption_and_Authentic...
In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (eg. ones with room or loyalty program members)
From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still support for it.
>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.
> Legal cover for when a baddie uses the connection to order drugs or whatever.
.... Is this meant to be a joke?
> still required me to import a CA
It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.
>.... Is this meant to be a joke?
Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary please present them rather than making shallow dismissals.
>It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed
It's an organization where BYOD is very common.
Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.
... use regular authenticated wifi?
CGNAT is ok for IPV4 because it provides us some level of protection against state ( sponsored ) actors.
You’re going to have to explain that one.
I don’t see how CGNAT does anything but allow easier access to attacks (using private ip space outside of the local network)
All the details can be found in the EUROPOL publications begging for it to be banned.
IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".
It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?
politics still clinging to the idea of identifying ppl by obvious traffic meta-data
Ah, allows hiding behind a massively shared single address with less traceability.
I wonder how captive portals are supposed to work with IPv6 temporary private addresses (RFC4941).
I’ve never run a captive portal but I always assumed that the router just redirects all port 80 packets to the portal (and rejects everything else), and then upon authenticating, the gateway puts your IP in the “allow” bucket and you get access.
But if you’re generating random addresses every few minutes, you’d need to continually reauthenticate, unless the system has some way of associating the temporary addresses with the original connection. Maybe it listens to ndp and uses MAC addresses to associate? That would be more advanced than most captive portals I’ve seen which seem to only care about ip addresses. Maybe just none of them use IPv6, or simply break with temporary addresses?
In general they work by having an allow list and by using a captive DNS. Some will also try to redirect http/https.
Once the agreement is accepted the MAC is added to the allow list.
Not sure how MAC address randomization works in these schemes, but it does. There must be some standard algorithm that everyone follows.
There are 3 main types of "random Wi-Fi MAC addresses". The most well known one is randomization of the MAC while the client is probing from SSIDs (prior to connection). This has been around for many years and doesn't change the actual connection MAC later on. Another randomization type that's slightly more common these days (e.g. iPhones default to it now) is choosing a random MAC per SSID. That way you can't be tracked by MAC across multiple networks but you still have consistency for captive portals and business networks. The third is true rotating randomization - this is relatively uncommon as it breaks captive portals (there is no well known algorithm or it'd be relatively pointless). iPhones were going to adopt this with rolling MACs but it was too broken and offered little over approach 2 in terms of privacy.
I guess different captive portals work differently, because I’ve heard of plenty of them that can be bypassed by simply statically assigning the address of someone else who’s already authenticated (ie session hijacking), but it makes sense that any “decent” captive portal system uses MAC addresses to mitigate this.
The randomization I refer to is of the outgoing IPv6 address, not the MAC address… nothing that I’m aware of randomly cycles MAC addresses (Apple’s OSes can be configured to randomly generate a MAC every time you connect to a network, but it won’t regenerate them continuously in a session. IPv6 addresses however are continuously generated, as per the RFC4941 spec.) If the system is using MAC addresses to identify users, then temporary/cycled IPv6 addresses should be no problem.
This is really cool. Nice work and I find the MIT license you've chosen to be interesting. I chose the very same license for my own open source project because I wanted there to be few excuses not to use it.
Damn, you've done significant work on this. Will have to check this out more in depth.
I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.
Best regards
Indeed. MIT license means you are working for large corporations for free, if your software is useful. As a capitalist parasite, I strongly support its use.
I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.
Best regards