As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).
The readme of repository includes a paragraph suggesting that companies should reach out for a commercial license. For an MIT licensed codebase that is unusual. I believe the top-level commenter is assuming that discrepancy is by mistake and is giving a heads up.
From the readme:
>Note: Companies interested in purchasing a license to use the source code commercially can contact this number on WhatsApp
As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.
Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.
Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test url. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well known DNS name could be another good option.
A DHCP option would be the correct way to specify a captive portal on a LAN. We have DHCP options for tons of things: IP phones, TFTP servers, cable boxes. One more option for a captive portal authentication URL would properly inform clients that there is a captive portal and how to access it. (It being a URL means it can also specify the protocol, so you aren't even locked into web browsers)
My assumption is this wasn't adopted because operators want the option of placing the captive portal upstream of the local network DHCP server. DNS spoofing works great over multiple network hops, but DHCP doesn't. (I'm not sure if that's a valid argument, but I'm sure somebody insisted on it)
There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi alliance.
It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.
IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".
It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?
Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.
What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?
>Or do not offer internet access at all. People carry their own already-connected devices anyway.
Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive)
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (eg. ones with room or loyalty program members)
From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still support for it.
>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.
> Legal cover for when a baddie uses the connection to order drugs or whatever.
.... Is this meant to be a joke?
> still required me to import a CA
It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.
Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary please present them rather than making shallow dismissals.
>It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed
This is really cool. Nice work and I find the MIT license you've chosen to be interesting. I chose the very same license for my own open source project because I wanted there to be few excuses not to use it.
Damn, you've done significant work on this. Will have to check this out more in depth.
As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).
SQLite is public domain, but they apparently get enough enquiries about purchasing licenses, that they offer a warranty of title.
https://www.sqlite.org/purchase/license
It says right in the readme:
The readme of repository includes a paragraph suggesting that companies should reach out for a commercial license. For an MIT licensed codebase that is unusual. I believe the top-level commenter is assuming that discrepancy is by mistake and is giving a heads up.
From the readme:
>Note: Companies interested in purchasing a license to use the source code commercially can contact this number on WhatsApp
As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.
Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.
Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test url. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well known DNS name could be another good option.
A DHCP option would be the correct way to specify a captive portal on a LAN. We have DHCP options for tons of things: IP phones, TFTP servers, cable boxes. One more option for a captive portal authentication URL would properly inform clients that there is a captive portal and how to access it. (It being a URL means it can also specify the protocol, so you aren't even locked into web browsers)
My assumption is this wasn't adopted because operators want the option of placing the captive portal upstream of the local network DHCP server. DNS spoofing works great over multiple network hops, but DHCP doesn't. (I'm not sure if that's a valid argument, but I'm sure somebody insisted on it)
There is a DHCP option for a captive portal URL. It isn't very well supported and nobody uses it.
https://datatracker.ietf.org/doc/html/rfc7710
Apparently, there's a newer one that is supported by Android 11+, iOS 14+, and macOS Big Sur, at least
https://www.rfc-editor.org/rfc/rfc8910.html https://www.rfc-editor.org/rfc/rfc8908.html
https://developer.android.com/about/versions/11/features/cap... https://developer.apple.com/news/?id=q78sq5rv
There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi alliance.
It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.
CGNAT is ok for IPV4 because it provides us some level of protection against state ( sponsored ) actors.
You’re going to have to explain that one.
I don’t see how CGNAT does anything but allow easier access to attacks (using private ip space outside of the local network)
All the details can be found in the EUROPOL publications begging for it to be banned.
IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".
It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?
politics still clinging to the idea of identifying ppl by obvious traffic meta-data
Ah, allows hiding behind a massively shared single address with less traceability.
Is there even an alternative to captive portals?
Just give internet access directly.
Or do not offer internet access at all. People carry their own already-connected devices anyway.
16% of Canadians in 2022 didn't have a data plan on their phone, according to Statistics Canada. Roughly 6 million Canadians or so.
So not everyone. Actually a decent number of people that don't.
seems easy to confuse % of plans with % of ppl. probably a lot of obscure use-cases in there
Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.
What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?
>Or do not offer internet access at all. People carry their own already-connected devices anyway.
Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive)
>What if legal wants to show a TOS page?
The reality is that nobody wants to bother with any of that.
Either just connect me to the internet without extra steps, or don't at all. Don't waste my time.
>The reality is that nobody wants to bother with any of that.
I don't either, but for IT departments in large organizations, ignoring the legal department isn't an option.
I appreciate the sentiment, but having a shitty Wi-Fi is better than none at all IMO.
> or you want finer grained authentication than a shared key?
Configure your access points to use RADIUS or SAML for auth?
Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.
In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."
From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (eg. ones with room or loyalty program members)
From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still support for it.
>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?
No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.
> Legal cover for when a baddie uses the connection to order drugs or whatever.
.... Is this meant to be a joke?
> still required me to import a CA
It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.
>.... Is this meant to be a joke?
Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary please present them rather than making shallow dismissals.
>It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed
It's an organization where BYOD is very common.
... use regular authenticated wifi?
This is really cool. Nice work and I find the MIT license you've chosen to be interesting. I chose the very same license for my own open source project because I wanted there to be few excuses not to use it.
Damn, you've done significant work on this. Will have to check this out more in depth.