Death to the Wifi login page (part 1)

It’s the bane of the wanderer. A large fraction of open Wifi access points don’t connect you to the internet, but instead want you to login somehow. They do this by redirecting (hijacking) any attempt to fetch a web page to a login or terms page, where you either have to enter credentials, or just click to say you agree to the terms of service. A few make you watch an ad. It’s sometimes called a captive portal.

I’m going to contend that these hijack screens are breaking a lot of things, and probably not doing anybody — including portal owners — any good.

The terms of service generally get you to declare you will be a good actor. You won’t spam or do anything illegal. You won’t download pirated content or join torrents of such content. You waive rights to sue the portal. Sometimes you have to pay money or show you are a hotel guest or have an access card.

These screens are a huge inconvenience, and often worse than that. All sorts of things go wrong when they are in place:

  • Until you do the login with the browser, your other apps, like e-Mail, don’t work though it looks like internet is there.
  • With devices that don’t have keyboards, like Google Glass, you can’t use the network at all!
  • Some redirect you from the link you wanted, and don’t pass you on to that link when you are logged in; you have to type it in again.
  • If you go to a secure URL (https) some of them attempt an insecure redirect and cause browser security warnings. They look like a hijack because they are a hijack! This trains people to be more tolerant of browser security warnings, and breaks tools that try to improve your security and stop more malicious hijacks properly.
  • Some for “security” block the remembering of credentials, making it hard to login every time.
  • Really bad ones time-out quickly, and make you repeat the login process every time you suspend your laptop, and worse, every time you turn off and turn on your phone — making the network almost unusable. Almost all require re-login one or two times a day — still very annoying.
  • Every so often the login systems are broken on mobile browsers, locking out those devices.

A lot of headaches. And one can perhaps understand the need for this when you must pay for the network or only authorized users are allowed in, though WPA passwords are much better for that because they need only one-time setup and also offer security on the wireless connection.

With all this pain, the question the world needs to answer is, “is it worth it?” What is the value of this hijack and “I agree” terms page? Nobody reads the terms, and people who connect, and would ignore the terms to spam or do other bad things, will happily agree to them and ignore them, and they will do so anonymously leaving no way to punish them for violating the terms. This is not to say that certain entities have not desired to actually find users of open Wifi networks and try to enforce terms on them, but this is extremely rare and almost certainly not desirable to most access point operators.

There are thus just a few remaining purposes for the hijack screen.

Charging money

If you want to charge money, you might need a login screen. I don’t deny the right of a provider to ask for money, but there are different ways to do it. There are a variety of aggregator networks (such as Boingo and FON) which will handle billing. They have already installed an app on the user’s device which allows it to authenticate and handle billing (mostly) seamlessly for the user. The very common Skype application is one of these, and people pay from their Skype credit accounts. Of course, you may not like Skype’s rates or the cut it takes, so this may not be enough.

You might also want to consider why you are charging the money. If bandwidth is very expensive, I can see it, but it’s not been uncommon to find some sites like cafes saying they charge — I kid you not — because the whole system including the charging gateway — is expensive to run. A cheap free gateway would have been much more affordable. Many operators decide that it’s worth it to offer it free, since it draws people in to restaurants, cafes and hotels. Cheap hotels usually give free Wifi — only expensive hotels put on fat charges.

It could be that your real goal is just to get attention…

Letting them know who provided the Wifi

I’ve seen a number of gateways that primarily seem to exist just to let you know who provided the gateway. Very rarely (I’ve mostly seen this at airports) they will make you watch a short ad to get your free access. They break a lot of stuff to do this. The SSID name is another way to tell them, though of course it’s not nearly as satisfactory.

Reducing the amount of usage

There is a risk that fully open networks will get overused by guests, and often thanklessly, too. You may be afraid your neighbours will realize they don’t need to buy internet at all, and can just use your open network. Here, making it hard to use and broken is a feature, not a bug. If you have to go through the hijack every so often it’s a minor burden to cafe patrons but a bigger annoyance to overusing neighbours. Those neighbours can play tricks, like using programs that do automatic processing of hijack gateways, but not too many do. They can also change their MAC addresses to get past restrictions based on that. You can do MAC limiting without a hijack screen, and it’s a great way to do it, possibly saving the hijack for after they reach the limit, not using it at the start. Clever abusers can change their MACs, though again most people don’t.

Covering your ass

The large number of complex terms of service suggest that people believe, or have been told, that it is essential they keep themselves covered in case a user of open Wifi does something bad, such as spamming or violating copyrights or even nastier stuff. They figure that if they made them agree to a terms-of-service that forbade this, this absolves them of any responsibility for the bad actions, and even, just maybe, offers a way to go after the unwanted guest.

Turns out that there is much less need to cover your ass in this situation, at least in the USA. You aren’t liable for copyright infringement by your guests if you did not encourage it. Thanks to the DMCA and CDA rules, you are probably not liable for a lot of other stuff these unwanted guests might do.

I am interested to hear reports from anybody of how they used the fact that Wifi guests had to agree to terms of service to protect themselves in an actual legal action. I have not heard of any, and I suspect there are few. It would be a great shame to confirm that everybody is breaking their networks in hope of a protection that’s actually meaningless.

It is true that you can get in real world trouble for what your unwanted guests do. If they violate copyrights, you might be the one getting the nasty letter from the copyright holder. The fact that you are not actually liable may not be much comfort when you are faced with taking the time and cost to point that out. Often these lawsuits come with offers to settle for less than the cost of consulting a lawyer on the matter. Naturally, those interested in violating copyrights are unlikely to be all that worried that they clicked on a contract that promised they wouldn’t. This is just a risk of an open network.

Likewise, if they send spam over your network, you may find yourself on spam-blocking blacklists who don’t care that it wasn’t you who did the spamming. Those vigilante groups run by their own rules. Again, the contract isn’t much protection. You may instead want to look to technical measures, including throttling the use of certain ports or bandwidth limits on guests. (It is better if you can throttle rather than cut off, since your guests probably do need to send e-Mail, just not thousands of them.)

Towards a protocol of open guest WIFI

How could we do this better? In part two I talk about how to have a secure open WIFI and the problems in doing that. Part three will talk about how to make it easy to connect to any of these networks automatically.

HTTP Status Codes

The router could return an HTTP error code (e.g. 401, 407, 419 or a newly defined one). This allows the browser to display a page and for other applications to recognize that it's not actually connected to the internet.

That's still broken

That still means a broken internet. And again, it’s a problem if I attempt to go to https://www.google.com — which is a frequent page for many of us — and what comes back is not authenticated with what I know to be the Google certificate. Particularly if I am running tools to assure that certificates don’t suddenly change on me, to protect me from people attempting to MITM me like the NSA or various national governments that have been doing this.

For me, by far the most common thing I do after connecting to internet is fetch my e-mail. Which of course does not work, and so I have to then bring up a browser to see if they are trying to redirect my traffic to their click-to-agree page.

WiFi Login

When I was doing graduate work at George Mason Univ. a few years back, they had free WiFi, but you needed a student account to access it. I don't recall any legalese on the login, just username and password. The login was for 24 hours, so sometimes my connection cut off in the middle of a class if I logged on the previous day, and forgot to renew the session. This was not a bad model for commuter students, however it was annoying for residents. I told them to suck it up, because in my undergraduate days we used modems, and my roommates frequently picked up the line in the middle of my session. Oh, how did we ever survive?!

More recently I have started using my Kindle Fire in many remote locations. Hotels, airports, doctors' offices, and my daughter's dance studio all have the model you described. When I connect to one of these networks the Kindle first alerts me that there is an additional login, and takes me to the page. My older work laptop does not seem to have the same intelligence, but I hardly use it from anyplace but home and work anyway. This may be the best solution to this problem. I doubt you are going to get most places to give up their "legal" security blanket (however worthless), and many places are still going to want to charge money, and I doubt they are thinking of the users' convenience when they install a system.

auto detection

Yes, your device now has the ability to detect that it’s at a hijack gateway — by noticing it can’t get out and that web fetches are redirected — and gives you an alert that there is a login page. What this should tell you is how badly broken things are, that our devices have put in special support to detect this and try to handle it.
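The detection described in this comment thread can be sketched as follows. This is an added example, not part of the original post or its comments: it classifies the response to a plain-HTTP probe the way a non-browser app (a mail client, say) could before concluding the network is up. The probe URL, the sample responses and the function names are assumptions made for illustration; status 511 (Network Authentication Required, RFC 6585) is included as the kind of dedicated status code the "HTTP Status Codes" comment proposes.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical probe endpoint (an assumption): expected to answer 204 with no body.
PROBE_URL = "http://probe.example/generate_204"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw, probe_url=PROBE_URL):
    """Return (state, portal_url) for one probe result; raw is None on timeout."""
    if raw is None:
        return ("offline", None)
    status, headers, body = parse_response(raw)
    if status == 204 and not body:
        return ("online", None)            # the answer the probe expects
    if status == 511:
        return ("captive", None)           # gateway says so explicitly
    if status in (301, 302, 303, 307, 308):
        target = urljoin(probe_url, headers.get("location", ""))
        if urlsplit(target).hostname != urlsplit(probe_url).hostname:
            return ("captive", target)     # fetch hijacked to another host
        return ("unknown", target)
    if status == 200 and body:
        return ("captive", None)           # portal page served in place of the probe
    return ("unknown", None)

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "clean": b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n",
    "rewritten": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>I agree</html>",
    "status_511": b"HTTP/1.1 511 Network Authentication Required\r\n\r\nLog in first",
    "timeout": None,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The probe has to be plain HTTP: an HTTPS fetch through a hijacking gateway fails certificate validation instead of returning a response that can be classified.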

Hotels and municipal networks

1) A lot of hotels like to give us a password to use when they give us our room access cards. I can understand why they do this. In areas with several local hotels, it is easy to use the wrong hotel's WiFi, so it makes sense to confirm with whom you are talking. (Of course, I stay at low end hotels, so we get free WiFi. The higher priced hotels charge for WiFi, so they have an added motivation for the redirection.)

2) Our town has a municipal network that provides everyone an hour a day of access. They also have access plans starting at $5 a month that provide more service, the idea being that the sales of low end plans will help subsidize the service. Here, a log in screen makes a lot of sense. If you just hop aboard, you might be surprised when your hour runs out, so it is best you are warned. If you actually have an account, you expect some kind of log in process.

In these instances

The hotel could use WPA2-Enterprise but admittedly this would not give it the chance to explain what’s going on. But it would be nice if they gave the savvy guest the option of using it, so that it doesn’t break things.

With the one hour of wifi, you could do the hijack at the end of the hour rather than the beginning, and break a lot less stuff.

His name is Brad Templeton. You figure it out.