
NeverSSL - rahuldottech
http://fdbhclmrkstnvwxz.neverssl.com/online
======
m0dest
If you’re using a mainstream OS that automatically detects standard captive
portals, the main reason why you’ll need this is for “tiered” captive portals
like the ones offered on some airplanes.

Those tiered captive portals have unique requirements that conflict with OS
behavior:

A) By default, they want to offer some limited Internet access, such as
accessing a sponsored site (often a shopping site like Amazon) or streaming
videos (from some server on the airplane LAN).

B) For premium, paying users, they want to offer (mostly) full Internet access

For this to work, they have to fool devices in Tier A into believing that they
have Internet access, by spoofing responses from standard captive portal
detection URLs like captive.apple.com. Otherwise, if the network fails the
captive portal test, many devices won’t stay connected to the Wi-Fi network,
preventing access to the sponsored sites or LAN streaming apps.

At the same time, they want users to be able to upgrade from Tier A (limited
access) to Tier B (full access) at any time. So they enable these upgrades by
serving a captive portal page... to every HTTP site _except_ the standard OS
captive portal detection pages that would affect OS behavior.

That’s when the user needs to visit an HTTP site other than the standard
captive portal pages. One like neverssl.com.

It’s obviously a fragile solution and is becoming an increasingly poor
experience as sites adopt HTTPS, HSTS, and other standards. At the same time,
I don’t know of any upcoming solutions to the tiered captive portal problem.
Does anyone know what should replace this?

~~~
ay
[https://tools.ietf.org/html/rfc7710](https://tools.ietf.org/html/rfc7710)
tries to solve this at the network level.

~~~
m0dest
Unless I’m missing something, RFC7710 doesn’t offer anything to address this
“tiered” captive portal scenario; it just provides a less vendor-dependent
protocol for the captive portal checks that are already being performed by the
OS.

------
hk__2
[http://neverssl.com/changes](http://neverssl.com/changes)

> I also want to keep neverssl.com ad free, but as it's now costing me about
> $2,000 a year to host it, […]

Wait, how could hosting a static website cost $2k/year?!

~~~
Iv
I have been using [http://perdu.com/](http://perdu.com/) for 20 years for that
purpose.

Simple, probably a 386 computer plugged in somewhere. Never changed.

It is just a joke, the domain means "lost" in French and says "Lost on the
internet? Don't panic! We are here to help you: * <- you are here"

Hasn't changed in 20 years, has no javascript, no tracker. Exists since before
websites had ads everywhere, and now it would be laughable to put ads on it.

~~~
Zarel
I have a similarly funny one I like to use for this purpose:
[http://zombo.com/](http://zombo.com/)

~~~
stjohnswarts
Looks like pi-hole is blocking it, any idea why? or did it get hackernews'd?

------
etskinner
[http://example.com](http://example.com) also does this, albeit without the
promise of never switching

~~~
Thorrez
In both Chrome and Firefox, when I type "example.com" into the URL bar, I go
to [https://example.com](https://example.com), probably because I've visited
the https site before and they remember that. So I do not recommend
example.com.

~~~
shakna
I don't think the IANA domains make use of HSTS or anything of the like.

    HTTP/2.0 304 Not Modified
    cache-control: max-age=604800
    date: Sat, 02 Nov 2019 22:22:19 GMT
    etag: "3147526947+gzip"
    expires: Sat, 09 Nov 2019 22:22:19 GMT
    last-modified: Thu, 17 Oct 2019 07:18:26 GMT
    server: ECS (sjc/4E71)
    vary: Accept-Encoding

If you type "example.com" into the URL, both Firefox and Chrome will try HTTPS
first. If you want plain HTTP, you just need to ask for it:
"[http://example.com](http://example.com)"

~~~
Thorrez
I don't think HTTPS is the default automatically. When I create a new Chrome
profile, then type example.com into the url bar and hit enter, I go to
[http://example.com](http://example.com) . Then when I type
[https://example.com](https://example.com) twice (each time hitting enter)
then type example.com and hit enter, I go to
[https://example.com](https://example.com) . So I think it might be whichever
is more common in your history.

Firefox behaves very similarly, except I don't have to visit
[https://example.com](https://example.com) twice before it becomes the
default, I just have to visit it once.

~~~
ramshorns
This could also happen because of an extension like HTTPS Everywhere, which
requests the https by default when both are available.

~~~
amarshall
HTTPS Everywhere uses built-in rules, not heuristics, to determine when to
rewrite an HTTP request to HTTPS. There does not appear to be a rule for
example.com, so HTTPS Everywhere does not cause a rewrite.

~~~
shakna
It also sends the "Upgrade-Insecure-Request" header, which can cause that
switch to take place.

------
pmoriarty
_"This website is for when you try to open Facebook, Google, Amazon, etc on a
wifi network, and nothing happens. Type
"[http://neverssl.com](http://neverssl.com)" into your browser's url bar, and
you'll be able to log on."_

I don't get it. How does browsing to
[http://neverssl.com](http://neverssl.com) help you to log in to _other_
websites?

~~~
saghm
On some public wifi networks, you need to load a captive portal page and hit a
button (usually to accept terms and conditions) before the network will route
you to any actual sites. The network often enforces this by redirecting you to
that page whenever you try to visit something else. However, this doesn't occur
properly when accessing a page with HTTPS. The easiest way to get directly to
the captive portal is to try to go to a non-HTTPS site, but fewer and fewer
sites provide this (for obvious security reasons). The purpose of this site
is to provide an easy-to-remember domain that the owner guarantees will never
use HTTPS so that users of such networks can type it in as a way to load the
captive portal. I've used it a number of times when using wifi on Amtrak
trains.

~~~
_bxg1
Thanks for the explanation - I've definitely encountered that situation. Do
you know _why_ it works that way?

~~~
manigandham
Captive portals require intercepting and redirecting your HTTP request. You
can't do that with HTTPS because it's encrypted. Most sites now automatically
redirect to HTTPS and are cached that way by browsers so it's hard to find an
HTTP-only site that will get redirected on these networks.
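
The probe m0dest and manigandham describe above, written out as an added example that is not NeverSSL's or any commenter's code: it fetches Apple's detection URL and one ordinary plain-HTTP URL without following redirects, then compares the two verdicts, so a network that spoofs the detection page but intercepts everything else shows up as a tiered portal. The expected body markers ("Success", "neverssl") and the same-site rule for NeverSSL's random-subdomain hop are assumptions.

```python
"""Manual captive-portal probe: one standard OS detection URL plus one ordinary
plain-HTTP URL, fetched without following redirects, then compared."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# URLs are from the thread; the expected body markers are assumptions.
DETECT_URL, DETECT_MARKER = "http://captive.apple.com/hotspot-detect.html", b"Success"
PLAIN_URL, PLAIN_MARKER = "http://neverssl.com/", b"neverssl"

@dataclass
class ProbeResult:
    url: str
    status: Optional[int]    # HTTP status, None when no response at all
    location: Optional[str]  # Location header on a 3xx, else None
    body: bytes

def same_site(url_a: str, url_b: str) -> bool:
    """Crude same-site test: compare the last two DNS labels of each host."""
    ha = (urlsplit(url_a).hostname or "").split(".")[-2:]
    hb = (urlsplit(url_b).hostname or "").split(".")[-2:]
    return ha == hb

def classify(res: ProbeResult, marker: bytes) -> str:
    """Verdict for one probe: 'open', 'captive' or 'error'."""
    if res.status is None:
        return "error"
    if 300 <= res.status < 400 and res.location:
        # neverssl.com hops to a random subdomain of itself; a hop off-site is the portal
        return "open" if same_site(res.url, res.location) else "captive"
    if res.status == 200 and marker in res.body:
        return "open"
    return "captive"  # 200 with foreign content: DNS hijack or transparent proxy

def diagnose(detect: str, plain: str) -> str:
    """Combine the detection-URL and plain-URL verdicts into one diagnosis."""
    if detect == "open" and plain == "open":
        return "internet"
    if detect == "open" and plain == "captive":
        return "tiered-portal"  # the OS believes it is online; real traffic is not
    if "captive" in (detect, plain):
        return "captive-portal"
    return "no-connectivity"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it

def fetch(url: str, timeout: float = 5.0) -> ProbeResult:
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=timeout) as r:
            return ProbeResult(url, r.status, r.headers.get("Location"), r.read(4096))
    except urllib.error.HTTPError as e:
        return ProbeResult(url, e.code, e.headers.get("Location"), b"")
    except (urllib.error.URLError, OSError):
        return ProbeResult(url, None, None, b"")

if __name__ == "__main__":
    d = classify(fetch(DETECT_URL), DETECT_MARKER)
    p = classify(fetch(PLAIN_URL), PLAIN_MARKER)
    print(f"detection URL: {d}, plain URL: {p} -> {diagnose(d, p)}")
```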

------
riffic
[http://example.com](http://example.com) is my captive portal triggering
website go-to. IANA reserved and will be there when I need it _forever_.

~~~
GranPC
Doesn't work for me, seems to fail to resolve.
[https://i.ibb.co/KmBk7DB/Screenshot-20191103-002332.png](https://i.ibb.co/KmBk7DB/Screenshot-20191103-002332.png)

~~~
riffic
your recursive resolver may be doing funny things. It's a valid and resolvable
host:

[https://www.whatsmydns.net/#A/example.com](https://www.whatsmydns.net/#A/example.com)

------
st3fan
I just use [http://captive.apple.com](http://captive.apple.com)

~~~
lima
That upgrades to SSL for me

~~~
fastball
Really? When I try to visit the site over SSL it gives me an error.

------
NilsIRL
Since everyone is posting alternatives, here is Firefox's way:

detectportal.firefox.com

------
333c
This site is so useful. Whenever I'm in an airport, or on a plane, or in a
hotel, I use it to make sure I make it into the portal.

It's also especially helpful that recently[0] it's started redirecting to a
random subdomain to defeat caching.

[0]:
[https://twitter.com/NeverSSL/status/1136488879106666496](https://twitter.com/NeverSSL/status/1136488879106666496)

------
rosstex
The fact you need this is incredibly unintuitive to anyone without technical
prowess.

~~~
antonvs
Even with technical prowess - I'm a software developer and spent much of today
designing a cloud load balancer architecture for a startup's global
infrastructure - I had never realized that this issue had to do with SSL.

I usually just futz around with things like the local gateway IP or the
business's domain name (e.g. hotel domain name) until it works.

------
1123581321
My favorite to use is [http://perdu.com/](http://perdu.com/)

I don’t know where I found it, but it’s charming!

~~~
MrEldritch
Mine is always good old [http://zombo.com](http://zombo.com).

------
mikelward
This will be much easier to remember than
[http://clients3.google.com/generate_204](http://clients3.google.com/generate_204).

------
gk1
I use captive.apple.com if a public network fails to load the login/getting-
started page.

~~~
monocularvision
I used the same until I recently hit a network that allowed that site but was
captive for everything else. No idea what would inspire that configuration.

~~~
tprynn
iOS won't consider itself connected to a WiFi network until it can hit that
domain and get the response it expects, but some networks want you to be
connected even though they don't actually give you full internet access. For
example, plane wifi networks where you can stream video to your device but
would have to pay for actual internet. So those networks will allow the
connection for that site and other captive detectors but intercept actual
connection attempts.

~~~
monocularvision
Sorry, I understand all of that. This was not one of those situations. I could
not get to any place on the network because they had a captive portal but iOS
didn’t know to open it because they allowed captive.apple.com through. After
navigating to neverssl.com I was properly redirected to the captive portal and
able to agree to whatever guest WiFi terms were available.

That’s why I just use neverssl.com now.

------
vortico
Why not just alksjdhflkjahdskjfhalskjdhfas.com or something that definitely
doesn't exist? Since there's no HSTS on domains that don't exist, it should
allow the wifi network to redirect to
[http://myloginportal/whatever](http://myloginportal/whatever) and do its
thing so you can access the network.

~~~
kees99
Some captive portals do TCP redirection, but no DNS redirection.

And for good reason. Once the user has finished jumping through whatever hoops
the captive portal wants them to jump, a new connection to the same server is
likely to be attempted, and having a fake DNS response cached somewhere in
libresolv or the browser on the client is not the least bit conducive to that.

~~~
antonvs
Of course some portals do use DNS and so you end up with your favorite site's
home page getting a bunch of irrelevant arguments appended to it, resulting in
an error page.

------
mmastrac
Shortest SSL-free domain I've found is "x.com". Also works for email.
Apologies to x@x.com (sorry Elon!).

~~~
yuubi
That used to belong to a company selling a proprietary implementation of X11 a
while back (I want to say MetroLink? They had ads in the Linux print magazines
at the time).

~~~
jaimex2
It used to belong to Elon Musk's online banking platform which went on to
become PayPal.

Paypal recently transferred it back to Musk.

------
lolinder
Any idea why [http://neverssl.com](http://neverssl.com) redirects to
[http://{random_characters}.neverssl.com](http://{random_characters}.neverssl.com)?

~~~
paulirish
Apparently because ISPs sometimes muck with caching headers?
[https://twitter.com/NeverSSL/status/1136491293113180160](https://twitter.com/NeverSSL/status/1136491293113180160)

------
quicklime
I've been using [http://ftp.debian.org](http://ftp.debian.org) and
[http://archive.ubuntu.com](http://archive.ubuntu.com) for the same purpose.
APT mirrors provide GPG signatures for packages, so they don't usually use
HTTPS.

There's no guarantee that they won't move over to HTTPS in the future though,
so it's nice to know that NeverSSL exists.

------
hansvs
I just wanted to give a shout out to both the OP for posting this, and other
users here for providing alternatives like
[http://perdu.com/](http://perdu.com/) or
[http://example.com](http://example.com)! It made my day (currently on ICE in
Germany, and the WiFi portal came up instantly like a charm)!

------
cwyers
So, sites like this are useful. (It's certainly better than memorizing the URL
that various hotels use for their wifi portals, which I have done before,
sadly.) But is there anybody working on solving this problem transparently to
the end user? It seems user-hostile to require people to remember a non-HTTPS
URL, especially as more and more sites move.

~~~
JoshTriplett
> But is there anybody working on solving this problem transparently to the
> end user?

Yes. RFC 7710 defines a DHCP option to supply a URI for a captive portal page.

[https://tools.ietf.org/html/rfc7710](https://tools.ietf.org/html/rfc7710)
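
One way a client could consume that option, as an added example that is not the RFC's or the thread's code: a DHCPv4 option parser that pulls out the captive-portal URI and ignores anything that is not a well-formed http(s) URI. Option code 160 is the DHCPv4 code RFC 7710 assigned; its successor RFC 8910 moved it to 114 with the same value format, so both are checked. The sample option bytes are constructed.

```python
"""Pull the RFC 7710 captive-portal URI out of a DHCPv4 options blob.
Added example; the parser and sample bytes are constructed, not from the RFC."""
from urllib.parse import urlsplit

OPT_PAD, OPT_END = 0, 255
OPT_CAPTIVE_PORTAL_RFC7710 = 160  # DHCPv4 code assigned by RFC 7710
OPT_CAPTIVE_PORTAL_RFC8910 = 114  # successor code from RFC 8910, same value format

def parse_dhcp_options(blob: bytes) -> dict:
    """Parse the TLV options area that follows the magic cookie into {code: [values]}."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts.setdefault(code, []).append(value)
        i += 2 + length
    return opts

def captive_portal_uri(blob: bytes):
    """Return the advertised portal URI, or None when absent or not a usable http(s) URI.
    Non-ASCII values, missing schemes and missing hosts are skipped, so a client never
    acts on garbage or a non-web scheme handed out by a misconfigured DHCP server."""
    opts = parse_dhcp_options(blob)
    for code in (OPT_CAPTIVE_PORTAL_RFC8910, OPT_CAPTIVE_PORTAL_RFC7710):
        for raw in opts.get(code, []):
            try:
                uri = raw.decode("ascii")
            except UnicodeDecodeError:
                continue
            parts = urlsplit(uri)
            if parts.scheme in ("http", "https") and parts.netloc:
                return uri
    return None

def encode_option(code: int, value: bytes) -> bytes:
    """Build one TLV option (helper for the constructed sample below)."""
    return bytes([code, len(value)]) + value

# Constructed sample: subnet mask (1), router (3), DNS (6), portal URI (160), end.
SAMPLE_OPTIONS = (
    encode_option(1, bytes([255, 255, 255, 0]))
    + encode_option(3, bytes([10, 0, 0, 1]))
    + encode_option(6, bytes([10, 0, 0, 53]))
    + encode_option(OPT_CAPTIVE_PORTAL_RFC7710, b"http://portal.example/login")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(captive_portal_uri(SAMPLE_OPTIONS))
```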

~~~
tialaramex
And if you think there are things that need doing beyond RFC7710 (you would be
correct) the place to go help/bring your ideas is the IETF's capport (Captive
Portal Interaction) Working Group:
[https://datatracker.ietf.org/wg/capport/about/](https://datatracker.ietf.org/wg/capport/about/)

------
withinrafael
You can also use Microsoft's Network Connection Status Indicator (NCSI) URL:
[http://www.msftconnecttest.com/](http://www.msftconnecttest.com/)

Also has an IPv6 endpoint:
[http://ipv6.msftconnecttest.com/](http://ipv6.msftconnecttest.com/)

~~~
jonny_eh
Not nearly as memorable.

~~~
antonvs
Just remember it has two non-adjacent t's, two adjacent t's, two adjacent n's,
and two non-adjacent s's. It's easy!!

------
MrMorden
I used [http://www.dia.mil](http://www.dia.mil) for years, and expected that
if anyone could be relied on to computer as wrong as possible it would be the
US government; but that now 301s to the HTTPS version.

~~~
rrdharan
That’s a surprising expectation given that they funded and created the
Internet.

~~~
MrMorden
DIA is a HUMINT agency, so they should have been among the first organizations
to go HTTPS-only. Instead they were among the last.

------
arkadiyt
Serves a completely different purpose but I also frequently use badssl.com for
testing TLS configurations (for instance you can load it on a kiosk, gym
screen, etc - if it loads successfully then your connection is not being
verified and could be MITM-ed)

------
oceliker
I believe
[http://captive.apple.com/hotspot-detect.html](http://captive.apple.com/hotspot-detect.html)
does the same thing.

edit: woah, two other comments at the same time pointing it out.

------
euroclydon
It's SSL that causes this? I always thought it was DNS caching. That's why I
just try an address I've never been to, or just make something up,
adfkjghasdkfg.com, and I get to the wifi consent page.

------
xg15
So far, I used [http://example.com](http://example.com) for (manual) portal
detection. Is there some reasonable risk that it will go away in the future?

------
RcouF1uZ4gsC
I think captive.apple.com also works for this use case.

------
purerandomness
Typing 1.1.1.1 (Cloudflare DNS) or 8.8.8.8 (Google DNS) into the address bar
does the same job, is quicker, can be easily remembered, and is safer.

~~~
judge2020
1.1.1.1 might be HSTS preloaded in the future (although not in the near future
- there were issues with captive portals[0])

0:
[https://chromium.googlesource.com/chromium/src.git/+/36b8980...](https://chromium.googlesource.com/chromium/src.git/+/36b8980c6b8763633161ee0472e10b4b4fd72ce3)

------
ajaimk
I use captive.apple.com regularly but just realized that https was the issue
being worked around on WiFi. Learning something new.

~~~
asveikau
What do you mean by "the issue being worked around"?

The issue is that https cannot be intercepted by such an access point, and is
increasingly popular for all types of web use. "Being worked around" makes it
sound like something different, perhaps even sinister.

~~~
dijit
He means that TLS on all domains breaks some use-cases and thus, in those
cases, there needs to be some way of working around the situation presented.

You can argue the merits of this being a good thing or not. But it’s fair to
call it a work around.

~~~
asveikau
Consumer operating systems started detecting captive portals long ago, and at
a time when HTTPS was much less common than it is today for casual usage.
Post-Snowden, there has really been a multi-industry push to use HTTPS
everywhere even for "boring" use cases where a naive person wouldn't assume
snooping to have much consequence. But captive portal detection appeared from
Microsoft, Apple, Google, etc. years before that push.

HTTPS absolutely _should_ reject a captive portal trying to hijack it, that is
the point of it.

But "work around HTTPS" remains a weird way to describe this. The captive
portal is the culprit in need of a workaround, not https which is doing what
it's supposed to be.

------
jaimex2
There's actually an RFC on a DHCP option for captive portal advertisement.

[https://tools.ietf.org/html/rfc7710](https://tools.ietf.org/html/rfc7710)

Not a single OS or browser has bothered to implement it. Instead they all
idiotically try all kinds of bs trying to figure out if a redirect is
occurring.

------
smitty1e
Then there is [http://uselessaccount.com/](http://uselessaccount.com/)

------
janoc
Mamma mia, this is so wrong and so bad on so many levels. So instead of fixing
the borked captive portal (there are other ways of intercepting the
connections not requiring messing with encryption) we tell users to _disable_
encryption? Somewhere on a public wifi where you actually need it the most?!

Holy cow ...

------
rjeli
Everyone seems to understand this but me... how does connecting to a non-ssl
website disable ssl on other sites?

~~~
ajb
It doesn't, it gets you into the wifi network's login portal, from which you
can log in and then ssl will start working.

[Edited to add] The problem is that websites that require ssl prevent you from
getting into the login portals.

I have [http://detectportal.firefox.com](http://detectportal.firefox.com)
bookmarked on my phone for this exact reason.

------
retrobox
I often use this for awkward public WiFi hotspots. Short, easy to remember and
keeps its promise ;)

------
pbhjpbhj
Huh, I've had that problem before but recently found that if you visit a local
(non-routable, I guess) address then it picks up the captive portal.

For me that means type "1", the browser fills the rest, hit enter: boom,
captive portal.

YMMV, of course.

------
imroot
This is my homepage for my cell phone and my laptop -- immensely useful for
airplane wifi and hotel wifi.

If you travel more than once a month, save yourself the frustration of
believing that you have an internet connection, and switch here.

------
ape4
Thank you neverssl. Since reading about it here I have used it countless
times!

------
foobarbecue
I've always used
[http://www.msftconnecttest.com/](http://www.msftconnecttest.com/) which I
guess is Microsoft's.

------
mypalmike
I miss the old purple page at purple.com which unintentionally served the same
purpose. Comcast techs used to use it as a test for whether you were in their
captive portal.

------
crippledshyness
I've seen the described behaviour on an _internal_ network for a major wifi
provider.

Every week or so you'd have to visit a non-https site so you'd be reconnected.

------
cipehr
Here is another similar site i've been using for years:
[http://amionline.net/](http://amionline.net/)

~~~
lucb1e
Well now that text isn't very helpful, might be cached by any middlebox or
endpoint. I expected at least a time like "Yes as of 2019-11-03T19:19:19Z" (I
have a subdomain, [http://time.lucb1e.com](http://time.lucb1e.com), that I use
for this)

------
ckaygusu
[http://icanhazip.com](http://icanhazip.com) is also good for this.

~~~
kuratkull
Redirected me to https, I have not visited that site before (probably).

~~~
lucb1e
It didn't for me (over ipv6, not sure if that makes a difference).

------
kaycebasques
When I’m having trouble logging into a Wi-Fi network I just go to 128.1.1.1.
Seems to work every time.

~~~
lucb1e
I always used my own IP until I got to a portal that didn't work with that.
Now I use a subdomain of my site. Then one very smart captive portal "moved
permanently"'d that and my browser cached it, as it should, and on the next
WiFi it tried to load the old one's captive portal x_x. Not sure what the
solution is for that, it would happen with neverssl or any of the alternative
domains mentioned here as well. I guess you'd have to manually type a random
subdomain of neverssl or so.

~~~
fastball
NeverSSL already does that for you.

~~~
lucb1e
Yeah but if that redirect gets overridden...

------
morpheuskafka
I just use captive.apple.com for this purpose--I believe Microsoft and Google
have similar domains.

------
ncsurfus
[http://httpforever.com](http://httpforever.com)

------
TulliusCicero
Are there any plans for a newer version of WiFi to fix the need for this sort
of hack?

------
yoavm
Another alternative, that seems to be lighter, is nohttps.com

~~~
333c
Doesn't load for me.

~~~
yoavm
It's a completely empty page, which is probably why it's lighter.

~~~
333c
Well, now it's just a parked domain. Are you sure you got the right site?

------
infinity0
I've been using nossl.google.com even before I worked at Google. Somehow I
found out about it in the crazy wild west internet of the 2000s and most of my
colleagues didn't even know about it. Still works today.

------
withinboredom
I just use bestbuy.com. It’s much easier to remember.

------
teinac
just use [http://captive.apple.com](http://captive.apple.com)

------
sigsergv
well, [https://neverssl.com](https://neverssl.com)

------
alib
I love this, so useful, thank you.

------
tamwahba
seems strange that trying to use it over ssl gives a security warning

------
collsni
Just got to 1.1.1.1.....

------
s09dfhks
literally used this this weekend at motel6.

Thanks!

------
louchenyao
nossl.cn

------
gsich
test.at

