New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPS interception #3
Comments
nodogsplash doesn't accept/handle HTTPS request. It is possible to intercept HTTPS. But the browser will clearly state that the certificate is wrong and might tell you that you are subject to a man-in-the-middle attack. The splash page won't be shown depending on the browser because of this. Well, I haven't tried. |
Hi This works well in other captive portals like the one built-into the Fortinet Fortigate devices. As long as the traffic is intercepted (from first packet) the client would not be able to tell that it is a man-in-the-middle attack, would it? With the Fortigate as captive portal my web browser simply shows a certificate warning saying the certificate does not match the URL and that it is not trusted (it's a self-signed certificate). I accept the risk and get the splashpage. The behavior as seen in the Fortigate should be preferred as then it enables users to get to the splash page even if they have configured an HTTPS page as their browser home page. With nodogsplash such a user could be mislead to believe the internet connection is broken altogether. Rgds, |
If that's the case I agree with you - it would be a useful feature. The main problem is to find someone interested to implement it. |
I just had a look on this issue. I think, it's not that easy to implement. It's not only an iptables rule to forward port 443 to port 80. This won't work. But nodogsplash needs to handle SSL/TLS connections itself. Even then of course the user will get a certification error. But as far I can see, libhttpd doesn't support this. |
I'm using stunnel for this purpose - forwarding all port 443 traffic to it, stunnel then forwards it to standard nds port. To implement it natively would mean a change of http library - which might be a good thing anyway since libhttpd is bit dated and not maintaned afaik. |
@gluedig Thank you. I didn't know stunnel, but I will try it. libhttpd seems really outdated. E.g. using curl -I to just get the response header fails with nds, because it doesn't recognize this as HTTP request. But this is really another issue. |
@gluedig I have an another solution. function handle_request(env) uhttpd.send("Status: 302 Found\r\n") uhttpd.send("Location: http://192.168.1.1:2050/\r\n") uhttpd.send("Connection: close\r\n") end The biggest drawback I saw is the ps. If your uhttpd doesn't dispatch requests to lua handler for all URL, make sure this patch exist in your uhttpd. |
@sayuan your approach seems better and i guess there should be no problem to set "redir" as well |
hey guys im trying to do what sayuan suggested but when i try to open the uhttpd https server page which should redirected based on the lua handler, instead i get Bad Gateway The process did not produce any response. this is my /etc/config/uhttpd config uhttpd 'main' and this is my /etc/config/nossl.lua function handle_request(env) i know the Location: should goto the nodogsplash page, but im currently just testing a basic request to the httpd directly on my lan as my AP is several kilometers away and i can't test the splash page from here. but in theory, pointing my browser to any IP on the AP, and port 443, or https://apsipaddress, should run that lua handler and redirect me to http://internode.on.net:80. is there something im doing wrong? i tried removing /etc/config/nossl.lua and restarting the uhttpd and i just get a directory content listing when viewing the server's page in a browser, so i know it's working and trying to parse the nossl.lua command when i have it loaded, i'm just not sure what to make of this error and how to proceed from here. |
Hi epipenau, I tried the same and had the same result als you in the first tries. Two things fixed this:
Have a look on the Embedded Lua Example: |
I don't like this functionality in nodogsplash, because it requires https:// breakage. Most modern OS now honor captive portal via http:// checks against known URL and notify the user. |
lynxis, In my experience the OS captive portal detection is slow. Users (myself included) are trying to browse web pages immediately after they get connected. Users might easily have ignored/overlooked notification of captive portal from OS too, again because they are both slow at appearing and do not necessarily stand out visually. |
@vidarak I still don't like the idea of https:// redirecting, but maybe somebody would like to enable. |
Hey ! 1/ Did i need to generate the crt files you use in the config ? If yes how ?
2/ Is this config right ? I tried to add the additional \r\n" at the end of the line /etc/config/nossl.lua
|
I have the same problem as Daemon024, also tried change from "uhttpd.send("Location: http://IP:80/\r\n")r\n" to ""uhttpd.send("Location: http://IP:80/\r\n\r\n")" but does not redirect. Thanks |
Hi Guys, |
more and more sites are using https by default (which is awesome) and redirecting https clients as well (maybe downgrade and redirect them to the http://splashpage) should be implemented. Otherwise the splashpage won't show up as a lot of users uses a https://favorite-search-engine as their start page. |
Hello everyone, can somebody tell how to solve https problem with NDS? I've read previous posts & don't understand if someone have solved it for sure. I've tried what @gluedig and @sayuan suggest, but haven't got the result. Maybe I do something wrong, I'm not as experienced as you guys, so if there is a solution for this problem can someone tell the step-by-step instruction. I'm sure this instruction will be helpful for many people. |
Hi guys, As ArtMartin89 is already asking, I am trying to revive this thread one more time. Does anyone have any recommendations how to get nodogsplash to forward to the splash page, when a https request was made by the user. Anything I can try out, even if it has the obious drawbacks of breaking the SSL etc... Thank you very much, this would be a great help. |
@haircrime well, someone has to implement something. :-) |
It would be nice but the question is - Is it worth the effort? |
Hi, yes you certainly have a point. And until a couple of weeks ago, you were right. Lately I have received a lot more complaints about not working hotspot connections. By doing some research I discovered that some newer Samsung mobile phones, running Android launch the browser with HTTPS://Google.com , when detecting a captive portal. I have no idea why in the world Samsung would change the normal Android behavior, but of course this leads to a time out on nodogsplash. |
I have just tried on a Samsung phone with the very latest updates and see the following: Requested URL: http://www.google.com/ Can you capture the user agent string from one of the problem devices? |
@haircrime |
@haircrime |
thank you for your input and I have checked #113 but this is not the cause. Attached you can find screenshots of 2 samsung phones I can replicate this issue with. After selecting the free hotspot that runs nodogsplash, the android notification asks the user to sign in. After clicking, the regular browser opens. The browser tried to load https://google.com and times out. There is no way for the user to get to the redirect page, unless he enters by hand a non-ssl url - which is rare. What I normally find on android phones is, that after clicking the captive portal notification, a webview popup browser will open. This browser has limited feates (no javascript, no cookies etc..) and it loads a normal "non-ssl" url (gstatic...) which will result in a redirect to the nodogsplash landing page. So this behaviour is great and easy to use. Why does Samsung change the Android behaviour? Does nobody else experience similar effect? Thanks a lot... |
I have access to three Samsung phones at the moment running various versions of Android ranging from before your examples to versions after. All work normally and also I have not received any complaints from potential users. It is possible (on rooted devices) to disable Portal detection entirely. Other operating system vendors have their own versions eg.: Changing the url to https will break Portal Detection. Samsung would not (intentionally) do this and I cannot see any other evidence that they have done so. So what is causing your problem? For example - on my laptop computer, if I connect to a Nodogsplash hotspot, start Firefox and click my bookmark for http://google.com I get the splash page. If I do not use the laptop for a while and the Nodogsplash idle timeout is exceeded but Firefox is still running and I click the bookmark, I find Firefox has cached the Google redirect to https and of course I will not get the splash page. Is perhaps something like this happening? |
I think it might boil down to which browser is the default browser on the phone and what web page is the startup/home page in the browser? Scenario:
|
Yes @vidarak ! |
I'm not so sure the browser is supposed have the detection URL passed to it. That would be very counter-intuitive as the response from the detection URL is a blank response. I think you got that part wrong...? I don't question the fact that the OS is using the detection URL outside of the browser - for the detection. It's just not passing that URL to the browser (and it is not supposed to!). Perhaps some phones have been hard-coded to pass a different URL (like http://google.com), but that is outside any standards AFAIK. |
@haircrime @bluewavenet somthing like this wifidog/wifidog-gateway#6 If nds is based on wifidog and this issue is closed, I think it could work for the moment I create an static domain in dns srv of the router, ie: internet.com, and redirect to the gateway:2050 👎 |
Hi, I am a bit late with this, but have you found a solution for Samsung phones? https://drive.google.com/file/d/0B0tIo4L0lOvqS2FVLVUxNzVfVVU/view?usp=sharing Reading about it, it has nothing to do with DNS but what the site "throws" at the browser. QUOTE from WIKI (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. UNQUOTE So the samsung phones/tables redirect to www.google.com and Chrome converts to https! |
I have tested extensively now with Samsung and cannot replicate the error, but have not tried with Chrome as in your video. If you make the Samsung browser the default again (as it will be on the phone initially) then it will work, as indeed it will with Firefox. It seems it is the Chrome browser that breaks CPD. |
Thanks. If you see the video, Firefox has no problem. I guess users (I have about 400 routers out there) with Samsung and Chrome Best regards (sent from mobile device) On 27 September 2016 4:23:54 p.m. bluewavenet notifications@github.com wrote:
|
Yes, works fine with both Samsung browser and Firefox. The CPD on Android seems to invoke the default browser. |
I do however think something else is going wrong somewhere. |
@bluewavenet Thak you for replies. The more I look at this the more the more I am sure it is a SAMSUNG - CHROME problem. But finally Chrome! I have now tested with serveral android devices and: 1> Samsung "log on to WIFI" pushes www.google.com. This comes down to a "too stric" implementation of HSTS by Chrome. By the looks of it, HSTS pushes someting to the browser telling it that "next time" it should use HTTPS to reach the address... QUOTE from https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS mechanism overview A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored).[12] For example, a server could send a header such that future requests to the domain for the next year (max-age is specified in seconds; 31,536,000 is equal to one non-leap year) use only HTTPS: Strict-Transport-Security: max-age=31536000. When a web application[13] issues HSTS Policy to user agents, conformant user agents behave as follows:[14]
The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks.[16] A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user's browser has HSTS Policy in effect for that web application. UNQUOTE So YES! this should (and I will) be reported to google and also Samsung!! I have the feeling that this can not be overcome without them! |
Any CPD should try its tests on the network directly and not via a browser. If detection of the captive portal is positive then the browser should be invoked, passing a URL to the browser on the command line. I suspect Chrome is ignoring this and trying https://google.com instead. I will try a few more tests. |
I have just installed Chrome on a SG5 and made it the default and can now replicate the error. Chrome when invoked immediately tries https://google.com |
unless you clear the cache... then it woks a few times.. my guess is unill you visit www.google.com and then it downloads that "stupid" HSTS file.... |
It was a fresh, first time install of Chrome that I tried and it failed at the first attempt so I am not sure what is happening, however you seem to be on the right track ;) |
Looking closely at a few more tests: |
http://google.com does a 302 redirect to https://www.google.com |
just as a"cherry on the cake". I have tested on a device that is not even online (wifi off and sim card out). Chrome transforms www.google.com (that I typed in) to https://www.google.com!! |
Hi, i have been researching the same issue for the last couple of weeks because i am facing customers complains too. I have reached the same conclusion. The latest version of Chrome when is the default browser, messes up the captive portals because of the HSTS implementation only on android lollipop. We need to open a ticket somewhere and get a response from them. |
Hello everyone! I am facing the same problem. The captive is displayed in some phones (Samsung J1) as https://www.google.com, then the customer navigates freely to some HTTPS sites (like Facebook) and after a little while they are kicked out of the connection as the phone thinks there is no internet... |
I have just checked the logs of an extremely busy hotspot I have installed. In over 2500 logins, some 200 or so were using Chrome 55.0.2883, at the time of writing, the current release version I think. https will NOT bring up the splash page in any circumstances as Captive Portal Detection (lets call it CPD) is designed to use its own http port 80 request and NDS ignores all non 80 requests. On Linux CPD is built into Networkmanager. Different distributions use their own url but all of them are designed to return 204 "no content" return code or a pre defined response string. This signals to the CPD that a valid Internet connection is present. If the CPD receives anything other than 204 or the response string with a 304 (see below) it will assume a splash page, if it receives nothing it will assume no connection to the internet. All this is done on port 80. The configuration is in the NetworkManager.conf file, found usually in /etc/networkmanager or thereabouts. in OpenSuse Leap it is: In Debian it is: On Android and iOS it is similar, but you have to root the device to see the details. Note the interval defaults to 300 seconds. On first connecting to the WiFi the CPD will try the configured URL. Then it will retry at 300 second intervals. What some people may be seeing is the following sequence:
Also if you are using the version distributed with Barrier Breaker (0.9_beta9.9.8-1), it is broken and lets everything through except port 80. @pmosse - the symptom of this is as you describe here. I have now tried again, testing with Chrome 55.0.2883 and can only replicate using the scenario I describe here. This actually happens with ANY browser. |
Hey @bluewavenet, thanks for the full explanation! Yes, it is as you say. I am actually using the version 1.0... Do you think there is any way to display the Splash for the users that have an HTTPS site as the default (or maybe they don't but Google is displayed anyway)? Maybe playing with the DNS servers and changing Google's IPs to something else? Or intercepting the requests at some level? |
The point here is that even with a home page set up for https, the CPD will still always use its own port 80 request. |
Any suggestion for Nodogsplash equivalent Captive Portal software which can handle SSL requests and return 302? Maybe some kind of packet software which includes light weight DNS and https server inside only serve for this purpose. Also I wonder if SDN approach can be successful? OpenWrt supports OpenFlow, so a SDN controller attached to an AP can solve this? |
We went with MikroTik RouterOS on virtual machines... and some physical appliances shortly after I started this thread. Have been very satisfied with their reliability. |
@vidarak So you run virtual RouterOS on PC attached to an OpenWRT APs to handle captive portal? |
We run virtual RouterOS on ESXi servers (where available), and RouterOS on RouterBoards where we don't have local ESXi servers. The RouterOS is the gateway/dhcp server of the VLAN. We use mostly Cisco APs with multiple SSIDs attached to separate VLANs. Only the guest VLAN has the captive portal (in RouterOS, APs are just L2). |
@vidarak , it is good that you found a workable solution for your application. Is there a genuine environment where this is not enough, given the rapid increase in support for CPD over the past couple of years? |
Hi Folks, |
Things have moved on and CPD has matured more and more. |
I think this was all a combination of mismatching native CPD and Browser CPD that has now been resolved by the various vendors, both OS and Browser. |
This last part: "https redirection is not required in just about all situations where NDS is likely to be employed now that CPD is mature." Is not true, I've tried NDS with more than 650 phones and non of them got the CPD working, since now, most of the Captive Portal tools support https. This Issue should be reopened since NDS is causing several problems in all the networks I manage, by the lack of https support. Please fix this! |
CPD is the universally excepted standard by all OSs and (just about) all browsers and I could show you logs from NDS based captive portals showing hundreds of thousands of operating CPDs on mobiles, tablets, laptops and desktops. |
Hi
Is it possible to get nodogsplash to intercept HTTPS requests also?
Rgds,
Vidar
The text was updated successfully, but these errors were encountered: