Archives

Date
  • 01
  • 02
  • 03
  • 04
  • 05
  • 06
  • 07
  • 08
  • 09
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

Death to the Wifi login page (part 1)

It’s the bane of the wanderer. A large fraction of open Wifi access points don’t connect you to the internet, but instead want you to login somehow. They do this by redirecting (hijacking) any attempt to fetch a web page to a login or terms page, where you either have to enter credentials, or just click to say you agree to the terms of service. A few make you watch an ad. It’s sometimes called a captive portal.

I’m going to contend that these hijack screens are breaking a lot of things, and probably not doing anybody — including portal owners — any good.

The terms of service generally get you to declare you will be a good actor. You won’t spam or do anything illegal. You won’t download pirated content or join torrents of such content. You waive rights to sue the portal. Sometimes you have to pay money or show you are a hotel guest or have an access card.

These screens are a huge inconvenience, and often worse than that. All sorts of things go wrong when they are in place:

  • Until you do the login with the browser, your other apps, like e-Mail, don’t work though it looks like internet is there.
  • With devices that don’t have keyboards, like Google Glass, you can’t use the network at all!
  • Some redirect you from the link you wanted, and don’t pass you on to that link when you are logged in, you have to type it in again.
  • If you go to a secure URL (https) some of them attempt an insecure redirect and cause browser security warnings. They look like a hijack because they are a hijack! This trains people to be more tolerant of browser security warnings, and breaks tools that try to improve your security and stop more malicious hijacks properly.
  • Some for “security” block the remembering of credentials, making it hard to login every time.
  • Really bad ones time-out quickly, and make you repeat the login process every time you suspend your laptop, and worse, every time you turn off and turn on your phone — making the network almost unusable. Almost all require re-login one or two times a day — still very annoying.
  • Every so often the login systems are broken on mobile browsers, locking out those devices.

A lot of headaches. And one can perhaps understand the need for this when you must pay for the network or only authorized users are allowed in, though WPA passwords are much better for that because they need only one-time setup and also offer security on the wireless connection.

With all this pain, the question the world needs to answer is, “is it worth it?” What is the value of this hijack and “I agree” terms page? Nobody reads the terms, and people who connect, and would ignore the terms to spam or do other bad things, will happily agree to them and ignore them, and they will do so anonymously leaving no way to punish them for violating the terms. This is not to say that certain entities have not desired to actually find users of open Wifi networks and try to enforce terms on them, but this is extremely rare and almost certainly not desirable to most access point operators.

There are thus just a few remaining purposes for the hijack screen.

Charging money

If you want to charge money, you might need a login screen. I don’t deny the right of a provider to ask for money, but there are different ways to do it. There are a variety of aggregator networks (Such as Boingo and FON) which will handle billing. They have already installed an app on the user’s device which allows it to authenticate and handle billing (mostly) seamlessly for the user. The very common skype application is one of these, and people pay from their skype credit accounts. Of course, you may not like Skype’s rates or the cut it takes, so this may not be enough.

You might also want to consider why you are charging the money. If bandwidth is very expensive, I can see it, but it’s not been uncommon to find some sites like cafes saying they charge — I kid you not — because the whole system including the charging gateway — is expensive to run. A cheap free gateway would have been much more affordable. Many operators decide that it’s worth it to offer it free, since it draws people in to restaurants, cafes and hotels. Cheap hotels usually give free Wifi — only expensive hotels put on fat charges.

It could be that your real goal is just to get attention…

Letting them know who provided the Wifi

I’ve seen a number of gateways that primarily seem to exist just to let you know who provided the gateway. Very rarely (I’ve mostly seen this at airports) they will make you watch a short ad to get your free access. They break a lot of stuff to do this. The SSID name is another way to tell them, though of course it’s not nearly as satisfactory.

Reducing the amount of usage

There is a risk that fully open networks will get overused by guests, and often thanklessly, too. You may be afraid your neighbours will realize they don’t need to buy internet at all, and can just use your open network. Here, making it hard to use and broken is a feature, not a bug. If you have to go through the hijack every so often it’s a minor burden to cafe patrons but a bigger annoyance to overusing neighbours. Those neighbours can play tricks, like using programs that do automatic processing of hijack gateways, but not too many do. They can also change their MAC addresses to get past restrictions based on that. You can do MAC limiting without a hijack screen, and it’s a great way to do it, possibly saving the hijack for after they reach the limit, not using it at the start. Clever abusers can change their MACs, though again most people don’t.

Covering your ass

The large number of complex terms of service suggest that people believe, or have been told, that it is essential they keep themselves covered in case a user of open Wifi does something bad, such as spamming or violating copyrights or even nastier stuff. They figure that if they made them agree to a terms-of-service that forbade this, this absolves them of any responsibility for the bad actions, and even, just maybe, offers a way to go after the unwanted guest.

Turns out that there is much less need to cover your ass in this situation, at least in the USA. You aren’t liable for coypright infringement by your guests if you did not encourage it. Thanks to the DMCA and CDA rules, you are probably not liable for a lot of other stuff these unwanted guests might do.

I am interested to hear reports from anybody of how they used the fact that Wifi guests had to agree to terms of service to protect themselves in an actual legal action. I have not heard of any, and I suspect there are few. It would be a great shame to confirm that everybody is breaking their networks in hope of a protection that’s actually meaningless.

It is true that you can get in real world trouble for what your unwanted guests do. If they violate copyrights, you might be the one getting the nasty letter from the copyright holder. The fact that you are not actually liable may not be much comfort when you are faced with taking the time and cost to point that out. Often these lawsuits come with offers to settle for less than the cost of consulting a lawyer on the matter. Naturally, those interested in violating copyrights are unlikely to be all that worried that they clicked on a contract that promised they wouldn’t. This is just a risk of an open network.

Likewise, if they send spam over your network, you may find yourself on spam-blocking blacklists who don’t care that it wasn’t you who did the spamming. Those vigilante groups run by their own rules. Again, the contract isn’t much protection. You may instead want to look to technical measures, including throttling the use of certain ports or bandwidth limits on guests. (It is better if you can throttle rather than cut off, since your guests probably do need to send e-Mail, just not thousands of them.)

Towards a protocol of open guest WIFI

How could we do this better? In part two I talk about how to have a secure open WIFI and the problems in doing that. Part three will talk about how to make it easy to connect to any of these networks automatically.