The red padlock (at a cafe)

The captive portal of a cafe simply rendered a red padlock on with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously.

Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation – like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not.

So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them.

TLS-encumbered captive portal (transit service)

A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

  • I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests… maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

  • Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods

I guess I need to study:

  • ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
  • SSH tunnel
  • others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

  • MultiVNC - VNC over SSH
  • AVNC - VNC over SSH
  • ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
  • VX ConnectBot - same as connectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

Legal options

If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

update (phones bought last year already obsolete)

TLS 1.3 was not introduced until Android OS 10 (sept.2019). That was the release date of AOS 10. Older devices like AOS 9 would still be sold at that time and continuing at least into 2023. Shops do not pull their stock from the shelves when the end of support arrives. This means people buying new COTS Android devices just last year or even this year are already too out of date for the TLS 1.3 captive portal to function.

It’s seriously disgusting how many people expect consumers to upgrade this chronically fast.

  • coffeeClean@infosec.pubOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    7 months ago

    Whenever you accept the TOS, your device is somehow registered/authenticated against their servers. Such a session establishment of course should be secured through TLS, just like all web traffic in general.

    The MAC address and assigned IP address are both visible outside that TLS tunnel. What information are you protecting from what threat?

    Btw, the complaint of you not being able to do banking through your browser anymore while it does not support TLS 1.3 really made me laugh, thank you!

    You’re confusing different situations. The TLS 1.3 issue has nothing to do with the bank. Desktop computers are not trapped on old software. Androids are. The bank requires customers to:

    1. buy a new recent smartphone, repeatedly (because the bank’s app detects when it is running on an Android emulator and denies service)
    2. subscribe to mobile phone service (which also costs money and also requires supplying national ID to the mobile carrier to copy for their records which you then must trust them to secure)
    3. share their mobile phone number with a power abusing surveillance capitalist who promotes the oil industry (Google / Totaal)
    4. create a Google account and agree to their terms (which includes not sharing software that was fetched from the Playstore jail)
    5. share their IMEI# with Google
    6. share all their app versions with Google, thus keeping Google informed of known vulns for which they are vulnerable
    7. share with Google where they bank
    8. install proprietary non-free software and trust the security of non-reviewable code
    9. share the mobile phone number with the bank

    I am ethically opposed to every single one of those preconditions independently, not only because of sloppy infosec and reckless disclosure but being forced to support a surveillance advertiser and also the power imbalance implied by non-free software. But just from an infosec PoV, why would a reader of cybersecurity on infosec.pub agree to all that?

    I don’t think you realize just how big the risk is that you are putting yourself in with such old software.

    You don’t seem to realize Android phones are designed for obsolescence and desktop PCs are not. The elimination of web access ensures users will be accessing their bank accounts with older software. Why would you endorse that? Not sure you realize that using an Android emulator ensures the ability to constantly run bleeding edge updated software. But the bank won’t have it. You also overestimate the security of code you cannot see to satisfy your threat model. How do you know the bank itself does not have spyware in their app that’s contrary to your security posture? Of course they do. They want to KYC.