
NeverSSL - EduardoBautista
http://neverssl.com/
======
xenadu02
The worst code I ever had to write was captive portal detection for the
PlanGrid app.

I discovered there is a whole host of sysadmins out there attempting to
actively subvert the iOS captive portal detection. They try to figure out the
domains used and whitelist them so iOS will think it is connected to a good
network, but they redirect everything else which horribly breaks SSL
connections. The whole thing is an arms race where Apple adds new domains to
iOS but doesn't start using them until a certain date to evade the whitelist.

The stated reason for this stupidity? The mini-browser that pops up doesn't
work with their stupid captive portal login or payment page. Fix the page?
Nahhh, let's just fuck everyone's network connections instead. It caused an
endless barrage of battery-draining network errors, eating the retry count and
eventually causing POST requests to error out. The complete lack of respect
for the users, internet protocol standards, etc. was extremely evident.

We ultimately stuck a file with a specific phrase in a text file on the site,
then when the app was having network trouble the code tries to fetch that
file. If it gets an HTML response it marks it as in captive portal mode. IIRC
it offered to take the user to safari and would open some non-HTTPS URL so the
captive portal redirect could fire and let the user know.

I hope anyone trying to circumvent captive portal detection dies a very
painful death, then gets revived, recovers through the miracle of modern
medical technology, then dies another painful death.

~~~
sangnoir
Android detects wifi with captive portals automatically and pops up a
notification that says "Wifi network requires sign-in". Clicking on that takes
you to a non-HTTPS page in a browser that is intended to be intercepted.

There is no reason why Apple can't add captive portal detection at OS level
like Android does.

~~~
asherkin
As the OP said, that is already in iOS - it is just that more and more captive
portals are whitelisting the domains it hits to check for a captive portal.

~~~
Mayzie
> captive portals are whitelisting the domains it hits to check for a captive
> portal.

Why?

~~~
citruspi
As the OP said,

> ...so iOS will think it is connected to a good network... The stated reason
> for this stupidity? The mini-browser that pops up doesn't work with their
> stupid captive portal login or payment page.

------
bisby
It's sad, because these are the kinds of things that confuse the hell out of
"common folk" and explaining requires explaining HTTPS, HSTS, how captive WiFi
portals work, and then ultimately, why there isn't a better solution... which
maybe doesn't have a great answer.

I feel like this "workaround" site is designed to draw attention to the
problem at hand more than it is meant to be useful for the task at hand?

~~~
hannob
> why there isn't a better solution...

There is a better solution: No captive portals.

~~~
Filligree
What would you suggest for the case of someone wanting payment for the
connection?

Like it or not, a lot of places do that.

~~~
omginternets
Honestly? It's 2017. Just throttle bandwidth and give your internet away for
free.

There are some obvious cases in which this is unacceptable, but they are few
and far between. The overwhelming majority of captive portals I see are just
trying to get your contact info... so now you have _two_ reasons why they
should disappear.

~~~
innocenat
There are still parts of the world where you are required by law to log who is
accessing the internet, in case he/she does something illegal.

~~~
slang800
Yet another fantastic reason to get rid of captive portals. They spy on you
_and_ are frequently broken.

------
snuxoll
I really wish there was a standard way of handling captive wifi portals. macOS
and GNOME try to detect these portals and show them, but sometimes it is
unreliable.

It'd be really nice if there was a reserved DNS entry (like captive.portal or
something) that operating systems could try to resolve and if it points to
anything other than an expected value (loopback address, maybe?) it will bring
up a window to sign into the network instead of relying on these nasty hacks
that leave users confused when they can't visit a site over HTTPS because they
aren't authenticated / paid / whatever.

~~~
deathanatos
There is; both Router Advertisements and DHCP include options for captive
portals[1]. In the case of DHCP for example, the DHCP server can send the URI
of the portal, which the OS can display to the user. The mechanism in [1] is
what OS X uses, I believe.

[1]:
[https://tools.ietf.org/html/rfc7710](https://tools.ietf.org/html/rfc7710)

~~~
epimenov
I think OS X opens captive.apple.com

~~~
zuck9
It does, and so does iOS when you connect to a WiFi network that has a portal.

------
bloudermilk
Leaving this feedback here because there's no contact info on the page: for
the purpose of accessing captive portals, it would be a good idea to disable
page caching. Since this was posted I've had to use it twice and the second
time I had to hard refresh to see the portal.

~~~
colmmacc
Will do, thanks! Feel free to send me any specifics colm AT allcosts.net.

Update: I've added Cache-Control and Expire HTTP headers to the HTTP responses
for neverssl.com

------
tekklloneer
example.com works as well. It doesn't redirect to
[https://example.com](https://example.com)

~~~
cdowns
[http://captive.apple.com/](http://captive.apple.com/) also. That's what Apple
devices use when trying to present the login for a captive network.

~~~
TurningCanadian
Is that better in any way than using example.com?

~~~
cdowns
If I regularly used that as a known-good site that should be up with no SSL,
I'd trust that an apple-maintained site (backed by akamai) would be up before
"example.com".

I'm sure there are plenty of others, but someone might remember that URL over
another so I thought it would be helpful.

~~~
viraptor
example.com is maintained by IANA. It's an official example address for
documentation purposes. So on one hand, it will survive even if Apple
disappears, on the other, they're likely not expecting any significant
traffic.

~~~
dom0
Using the site for captive portal access does not actually generate any
traffic for the site, because the middlebox intercepts and rewrites the
request. Traffic only occurs if there is no captive portal. Hence the easily
parsed "Success" body of the Apple site.

~~~
viraptor
Phones confirm whether you passed the captive portal by requesting the usual
check url again. That means they'll still get one request after a successful
login.

------
notJim
I was really hoping for a (possibly unhinged) manifesto against ssl, but this
is good too.

------
andygambles
Captive portal craziness.

"Click the confirmation link in the email we sent you to get online"

"Enter the code we sent you via SMS to confirm your number"

"Login via Facebook - provide permission to post on your behalf"

"Share on FaceBook for internet access"

"Confirm acceptance of our 6000 word terms and conditions"

------
AntiRush
[http://http.rip](http://http.rip) is another site with this purpose. Pretty
easy to remember too.

------
dongslol
You don't even need an actual website. I just type 1.2.3.4 and it always
redirects fine for me.

~~~
homero
Afaik portals use dns

~~~
innocenat
Many portals just mitm the HTTP connection.

~~~
Piskvorrr
Some do, some rely on DNS spoofing.

------
zpallin
I hope this site can reword their explanation. It's a bit confusing what their
intent is, especially in the final paragraph.

------
knownunown
I just use connectivitycheck.gstatic.com/generate_204. The URL is a bit long,
but I have it bookmarked.

~~~
bfred_it
0118 999 881 999 119 725 — 3

~~~
knownunown
Well, this was my solution before this shorter way came along. A force of
habit, really, since I noticed that it was Android's internal method of
detecting captive portals. There's really no reason to use this over
neverssl.com, other than the gstatic.com page returning an empty response (or
redirecting you if you're actually behind a captive portal). Somewhat useful
if you don't want to leave the new tab page.

------
shapath
Can someone ELI5 (explain like I'm 5) to me? I don't get this. Seems like
something I should know about.

~~~
iandanforth
Some routers and networks try to intercept all requests and replace them with
a 'captive portal' page for logging into that network. When you make a request
to a webpage using https:// (i.e. SSL) the network has a much
harder time injecting the login page, so you end up seeing nothing. The
connection isn't going through and the network's login page can't break
through SSL battle-warrior-armor.

~~~
Kiro
But what is the purpose of this page?

~~~
codemusings
The scenario is: You want to connect to a public wifi hotspot and use their
internet connection. In order to do so you need to trigger the login page in
your browser after you connect to the hotspot.

However, if you open common URLs like google.com or facebook.com, you'll
automatically get redirected to secure connections (https) and they can't
intercept this to present the login page. This is because TLS (the protocol
behind HTTPS connections) uses end-to-end encryption.

Thus the author proposes to open this simple unprotected website. However most
hotspots manage to automatically trigger the vendor specific mechanism as soon
as you connect to their Wifi.

Don't use public wifi unless you really need to!

~~~
SZJX
> Don't use public wifi unless you really need to!

Well, if you always turn on a VPN I don't think it would be such a huge issue,
would it?

------
johnhenry
So, this is for use with captive wi-fi portals that are served over HTTP, which
would otherwise not work when initially connecting to a site using HTTPS?

~~~
Bartweiss
Yep. Most default browser homepages use SSL, as do many popular second
locations like Facebook. It can get a bit annoying to remember who _won't_
serve you SSL when you're waiting to get an approval page injected into your
browsing, so this site promises to do it.

It's especially relevant now that Chrome is threatening a big insecure site
warning for HTTP pages, so many sites which don't strictly need security are
going to switch.

------
pkinsky
I've always used example.com for this purpose, but this is cool. Thanks!

------
bogomipz
I might just be really stupid but I read the "what" and the "how" a couple of
times and I still don't understand. I only inferred from the comments that
this is to get through captive portals used in coffee shops by exploiting the
fact that they have to permit HTTP unauthenticated in order for the
redirect to the login page to work.

But can someone walk me through how never SSL allows me to connect to FB once
my browser loads their default page? I feel like I am missing something which
is maybe obvious?

~~~
GrayShade
With a captive portal, your first HTTP request will be redirected to the
network's login page or whatever they have. Many large sites now use HTTPS and
HSTS and if you visit them once, they will always (or until the max-age header
expires) be loaded over HTTPS by your browser.

As a result, many people will be unable to see the network's login page. If
you are in this situation, you can load neverssl.com once, log in to the
network, then browse normally.
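
The mechanism GrayShade describes, as an added example that is not part of the original post and not any browser's real code: a toy model of a browser's HSTS store. It parses the Strict-Transport-Security header, remembers the policy until max-age runs out, and then decides whether a typed http:// URL gets rewritten to https:// before any request leaves the machine (which is why the portal never gets a chance to intercept it). The host name hsts-site.test, the header values and the clock values are constructed; neverssl.com's behaviour (plain http, no HSTS header) is as the thread describes it.

```python
"""Toy model of a browser's HSTS store, showing why an http:// URL for a
site that once sent HSTS gets upgraded while neverssl.com does not.
Added example; not browser code and not neverssl.com's code."""
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float          # absolute time in seconds
    include_subdomains: bool


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when no usable max-age is present; a browser then applies no
    policy rather than guessing one.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policies, keyed by lowercase hostname."""

    def __init__(self):
        self._entries = {}

    def observe_response(self, host, scheme, headers, now):
        """Record the policy carried by a response (headers: lowercase-keyed dict).

        RFC 6797 requires ignoring the header on plain-http responses, which is
        what stops a captive portal from pinning arbitrary hosts to HTTPS.
        """
        if scheme != "https":
            return
        parsed = parse_sts(headers.get("strict-transport-security", ""))
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)      # max-age=0 withdraws the policy
            return
        self._entries[host] = HstsEntry(now + max_age, include_subdomains)

    def should_upgrade(self, host, now):
        """True when a typed http:// URL for host is rewritten to https:// before
        any request leaves the machine, so a portal never sees it."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None or entry.expires_at <= now:
                continue                       # no policy, or an expired one
            if candidate == host or entry.include_subdomains:
                return True
        return False


def demo():
    """Walk the thread's scenario with constructed responses and timestamps."""
    store = HstsStore()
    t0 = 1_700_000_000.0                       # constructed clock value
    # A site visited earlier over HTTPS that sends HSTS (constructed header;
    # stands in for the google.com / facebook.com case in the discussion).
    store.observe_response("hsts-site.test", "https",
                           {"strict-transport-security": "max-age=31536000; includeSubDomains"},
                           t0)
    # neverssl.com is only ever served over plain http and sends no HSTS header.
    store.observe_response("neverssl.com", "http", {}, t0)
    return {
        "hsts_site": store.should_upgrade("hsts-site.test", t0 + 60),
        "hsts_subdomain": store.should_upgrade("www.hsts-site.test", t0 + 60),
        "hsts_site_expired": store.should_upgrade("hsts-site.test", t0 + 31536000),
        "neverssl": store.should_upgrade("neverssl.com", t0 + 60),
    }


if __name__ == "__main__":
    for name, upgraded in demo().items():
        print(f"{name}: {'https' if upgraded else 'http'}")
```

The check for the plain-http scheme in observe_response is the detail worth noticing: it is the same rule that keeps a captive portal, which only ever sees plain-http traffic, from planting HSTS policies for hosts it does not own.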

~~~
bogomipz
Ah OK thanks for the explanation. I guess they don't want to redirect HTTPS
traffic as well for obvious reasons.

~~~
GrayShade
I'm sure they'd like to, but you can't do that over HTTPS without installing a
certificate on the system. Many companies do that for HTTPS interception.

------
amenghra
For the French speakers among us, [http://perdu.com/](http://perdu.com/) has
been around since the 90s.

------
r1ch
Not sure about Apple, but isn't this automatically handled by Android these
days? Every time it connects to a network it pings
[http://google.com/generate_204](http://google.com/generate_204) and if the
response code isn't 204 then it should prompt you to open the browser to the
redirected URL.

~~~
Namidairo
The current list is
[https://www.google.com/generate_204](https://www.google.com/generate_204)
[http://connectivitycheck.gstatic.com/generate_204](http://connectivitycheck.gstatic.com/generate_204)
[http://www.google.com/gen_204](http://www.google.com/gen_204)

according to
[https://github.com/android/platform_frameworks_base/blob/5b2...](https://github.com/android/platform_frameworks_base/blob/5b22a826d561be3d416eb4491738eda492e8631b/services/core/java/com/android/server/connectivity/NetworkMonitor.java#L89-L92)
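
A probe that combines the two detection approaches described in this thread, as an added example and not code from PlanGrid, Apple or Android: the status-only check that Android performs against the generate_204 endpoints listed above (expect 204 and an empty body), and the marker-file check xenadu02 describes for the PlanGrid app (fetch a known text file over plain http, and treat an HTML response or any body without the expected phrase as a portal). The first two probe URLs and their expected answers come from the thread; the third URL and its marker phrase are constructed placeholders for a self-hosted check file. The classification logic runs offline on constructed results; only `check_network()` touches the network.

```python
"""Captive-portal probe combining the two checks discussed in the thread
(added example; not PlanGrid's, Apple's or Android's code)."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    url: str
    expected_status: int
    expected_marker: Optional[bytes]   # None: only the status and an empty body matter


# First two entries and their expected answers come from the thread (204 with an
# empty body; 200 with "Success"). The third is a placeholder for your own marker
# file, the approach described for the PlanGrid app; host and phrase are constructed.
PROBES = [
    Probe("http://connectivitycheck.gstatic.com/generate_204", 204, None),
    Probe("http://captive.apple.com/", 200, b"Success"),
    Probe("http://your-own-domain.invalid/portal-check.txt", 200, b"CONSTRUCTED-MARKER-PHRASE"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to a login page is exactly the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


@dataclass
class ProbeResult:
    status: Optional[int]      # None when no HTTP response came back at all
    content_type: str
    body: bytes


def fetch(url, timeout=5.0):
    """Plain-HTTP GET that does not follow redirects; transport errors give status None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.headers.get("Content-Type", ""), resp.read(4096))
    except urllib.error.HTTPError as e:           # any non-2xx, including the refused 3xx
        return ProbeResult(e.code, e.headers.get("Content-Type", ""), e.read(4096))
    except (urllib.error.URLError, socket.timeout, OSError):
        return ProbeResult(None, "", b"")


def classify(probe, result):
    """Map one probe's answer to 'online', 'captive_portal' or 'offline'."""
    if result.status is None:
        return "offline"
    if 300 <= result.status < 400:
        return "captive_portal"                   # redirected to a login page
    if result.status != probe.expected_status:
        return "captive_portal"                   # e.g. 200 HTML where 204 was expected
    if probe.expected_marker is None:
        # A 204 endpoint must return nothing; any body means a middlebox answered.
        return "captive_portal" if result.body else "online"
    if probe.expected_marker not in result.body:
        return "captive_portal"                   # right status, but the page was replaced
    return "online"


def verdict(classifications):
    """Combine several probes. One intercepted probe is enough to report a portal:
    the thread describes portals whitelisting well-known check domains, so a lone
    'online' from such a domain proves little."""
    if "captive_portal" in classifications:
        return "captive_portal"
    if all(c == "offline" for c in classifications):
        return "offline"
    return "online"


def check_network(probes=PROBES):
    """Run every probe over the real network and return (verdict, per-probe states)."""
    per_probe = {p.url: classify(p, fetch(p.url)) for p in probes}
    return verdict(list(per_probe.values())), per_probe


if __name__ == "__main__":
    overall, details = check_network()
    for url, state in details.items():
        print(f"{state:15} {url}")
    print("verdict:", overall)
```

Two design points follow directly from the thread. Redirects are deliberately not followed, because the 302 to the login page is the evidence, and following it would turn an intercepted probe into a plausible-looking 200. And the marker-file probe exists because a portal that whitelists the Apple or Google check domains (the arms race xenadu02 describes) will answer those probes honestly while still intercepting everything else; a domain the portal has never heard of, with a body it cannot fake, is not on anyone's whitelist.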

------
andreareina
My go-to for this situation is
[http://www.example.com](http://www.example.com)

------
jaimex2
Cool, I've been using www.cats.com. This will do nicely.

------
foo101
I don't understand how this website works. If I visit
[http://neverssl.com/](http://neverssl.com/) I just see a home page that
explains how it works which is to visit
[http://neverssl.com/](http://neverssl.com/). Can someone explain to me step by
step how to use [http://neverssl.com/](http://neverssl.com/)?

~~~
pricechild
I think the idea is that many wifi networks out there require
registration/payment to use. They also do this in really, really weird ways
because making stuff is hard.

Some of these only work by capturing http requests and rewriting them to take
you to their portal. Funnily enough, that and other methods often work very
badly and so you might be left trying to visit a site getting timeouts. Maybe
your browser visited it previously and saw HSTS for example and so only tries
https?

The point of this site is that when you realise this has happened, you type in
'[http://neverssl.com](http://neverssl.com)' into your browser to force an
http connection which hopefully the network will grab, mangle and take you to
the login page.

It's a solution to a problem that really shouldn't exist.

Annoyingly, different client vendors require different things. Here's an
example of someone working on this:
[http://www.revk.uk/2016/08/captive-portals-apple.html](http://www.revk.uk/2016/08/captive-portals-apple.html)
(and a money quote from the comments: "OS X only does it if you're on Wifi
though - for some reason they assume you'll never see a captive portal when
wired")

~~~
foo101
Thanks for the lucid explanation!

------
crumpled
I've suffered from routers or captive portals poisoning my dns when they do
dns redirects, so I usually opt for a nonsense domain like
fjlsdfoierldoidflug.com

But I know that some appliances do content injection or 302 redirects which
only work over http.

I like knowing about this neverssl. I like that all the page assets are
inlined to limit the page load to one request. Makes it easy to see what is
being injected by your browser and the network.

------
lathiat
I often just type in an IP address; 1.2.3.4 often works. Having said that, I've
had a lot of problems where iOS refuses to detect the captive portal, but also
decides it has no internet so doesn't route any intentional web browser visits
to the wi-fi.. driving me crazy. Just restored without a backup.. see if that
fixes it :(

~~~
lathiat
for clarity, this was happening when another iOS device worked fine right next
to me. So "probably" not the network, but who knows what weird interaction
causes the issue.

------
red_admiral
There's already a site for that: [http://example.com](http://example.com)

------
sigi45
The name is bad :(

SSL is not used any more and it shouldn't get into people's minds. It's either
https (as a common word) or tls.

~~~
rando832
Words get to have more than one meaning. Your comment is not made from a cow,
but there's nothing wrong with calling it bs.

------
venantius
Thank you for doing this. For years the NYT has been my unencrypted go-to;
having something like this is great.

------
Pxtl
This is handy. I was at an airport and was helping numerous people with
android devices get through the wifi portals, and dealing with the same
frustrating failure of the captive-portal redirect. Android is _supposed_ to
detect that there's a redirect and give you a notification that takes you to
the login page, but it's very inconsistent.

I usually use Xkcd for that purpose, one of the few lightweight non-ssl sites
I can think of offhand.

Only problem with neverssl is that it's a bit jargon-laden for laymen, I mean
the name.

~~~
majewsky
I bought unencryptedwebsite.com last week after running into the same problem
without knowing that neverssl.com exists. I still have to set it up, though.
Too bad I'm lazy. :/

~~~
Nadya
Ask the owner of neverssl.com if you can redirect the domain to them until it
lapses. That way it might see at least some use. :)

------
codewithcheese
Most have a favourite non-SSL site they use for captive portals. Mine is
[http://chairs.com](http://chairs.com); I've typed that so many times I now
have a special relationship with it. With an ad blocker it is very conveniently
lightweight.

------
dorianm
Nice, I use [http://perdu.com](http://perdu.com) usually

------
asenna
I always used msn.com but yes, I see this site as being helpful.

------
Cogito
I'll add mine to the list - [http://bom.gov.au](http://bom.gov.au)

Useful to see the weather updates as well!

------
oxguy3
I've always just used asdf.com, but I suppose there's always the risk it might
switch over to HTTPS; might switch to this instead.

------
equalunique
For this purpose, I usually use [http://example.com/](http://example.com/) or
.org

------
hobonumber1
Or you could just go to any non-http site like
[http://purple.com](http://purple.com).

~~~
zellyn
foo.com is my weapon of choice :-)

------
keeganjw
I was just thinking about this today! The New York Times had been my go to
site but that won't work anymore. This is perfect!

------
swrobel
Great idea but wish it was a shorter url. I use cnn.com because it's quick to
type even on mobile.

~~~
enknamel
I usually use rawr.com. It has no guarantees but the site hasn't been updated
in a very long time.

------
pedro2
[http://www.bing.com](http://www.bing.com) also works ^^

------
brak1
example.com is something that'll do the same job, and it's reserved:
[https://en.wikipedia.org/wiki/Example.com](https://en.wikipedia.org/wiki/Example.com)

------
kowdermeister
I don't get it. What does it do, stop redirecting users to the https version?

~~~
peteretep
It doesn't. It loads a page that's HTTP only, so that the wifi provider's
login page can be displayed without an SSL error.

~~~
kowdermeister
> so that the wifi provider's login page can be displayed without an SSL error

AHA! That's it. Now it makes sense.

------
noway421
I was always using ya.ru

Easier to type and they never plan to add HSTS because of that reason.

------
sfrailsdev
I've been using bing.com for this, but this will probably replace that.

------
cwmma
Ah something for the day xkcd[1] makes https mandatory.

1. [http://xkcd.com](http://xkcd.com)

~~~
nullc
I use yahoo. I don't want to use a site that I would otherwise intentionally
use-- captive portals often poison the DNS.

~~~
geocar
Yahoo is starting to use Strict-Transport-Security now...

I'd love to be in the meeting where they discuss adding security features
lowers their traffic volumes...

------
formula_ninguna
use example.org, that's it.

------
utbabya
example.com ?

------
evinism
always used xkcd for this

~~~
cantagi
always used [http://vimcasts.org/](http://vimcasts.org/). So glad someone
made neverssl

