Captive portal
From Free net encyclopedia
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before it can use the Internet normally. This is done by intercepting all HTTP traffic, regardless of address, until the user is allowed to exit the portal. Captive portals are in use at most Wi-Fi hotspots. They can also be used to control wired access (e.g. apartment houses, business centers, "open" Ethernet jacks).
Software Captive Portals
Examples of captive portal software packages running on PC hardware are:
- WifiDog Captive Portal Suite (embedded Linux - OpenWRT, Linux)
- Milkeyway Italian Captive Portal Project (Linux)
- Gateway / Centralized central server solution
- FirstSpot (Windows)
- m0n0wall (embedded FreeBSD)
- NoCatAuth (Linux)
- OpenSplash (FreeBSD)
- wicap (OpenBSD)
- chillispot (Linux)
- Public IP (Linux), based on WifiDog Captive Portal
- PfSense (FreeBSD)
- AirMarshal (Linux)
- pointHotspot.com (Web-based Portal)
- sweetspot (OSI layer-3 packet mangler, Linux)
Hardware Captive Portals
Examples of router hardware whose firmware provides a captive portal are:
- Cisco BBSM-Hotspot
- Cisco Site Selection Gateway (SSG) / Subscriber Edge Services (SESM)
- Nomadix Gateway
- Aptilo Access Gateway
Captive portals are gaining increasing use on free open wireless networks where, instead of authenticating users, they often display a message from the provider along with the terms of use. Although the legal standing is still unclear (especially in the USA), common thinking is that forcing users to click through a page that displays the terms of use and explicitly releases the provider from any liability mitigates any potential problems. Captive portals also allow enforcement of payment structures.
Limitations
Most of these implementations merely require users to pass an SSL-encrypted login page, after which their IP and MAC addresses are allowed to pass through the gateway. This has been shown to be exploitable with a simple packet sniffer: once the IP and MAC addresses of an authenticated computer are found, any machine can spoof the MAC address and IP of the authenticated target and be allowed a route through the gateway.
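Because the gateway trusts nothing but the IP and MAC pair, an operator can watch for that pair being used from two places at once. The following is an added example, not code from any of the packages listed above; the observation record format, the access point names and the 30-second window are assumptions made for illustration.

```python
"""Detect reuse of an authenticated (MAC, IP) pair from a second attachment point.

Constructed example: the record format and field names are assumptions, not
the log format of any captive portal product.
"""
from collections import defaultdict

# Constructed sample observations: (epoch seconds, MAC, IP, access point, IP TTL seen)
OBSERVATIONS = [
    (1000, "02:00:00:aa:bb:01", "10.0.0.21", "ap-lobby", 64),
    (1004, "02:00:00:aa:bb:02", "10.0.0.22", "ap-lobby", 128),
    (1010, "02:00:00:aa:bb:01", "10.0.0.21", "ap-cafe", 128),  # same pair, other AP, other TTL
    (1012, "02:00:00:aa:bb:01", "10.0.0.21", "ap-lobby", 64),
    (1300, "02:00:00:aa:bb:02", "10.0.0.22", "ap-cafe", 128),  # plausible roam: long gap, same TTL
]

# Pairs the portal has already let through the gateway (constructed).
AUTHENTICATED = {("02:00:00:aa:bb:01", "10.0.0.21"), ("02:00:00:aa:bb:02", "10.0.0.22")}


def find_shared_sessions(observations, authenticated, window=30):
    """Return alerts for authenticated pairs seen on two APs within `window` seconds.

    A differing IP TTL between the two sightings raises the severity, since it
    suggests two different network stacks behind one address pair.
    """
    last_seen = {}  # (mac, ip) -> (timestamp, ap, ttl)
    alerts = defaultdict(lambda: {"aps": set(), "ttl_mismatch": False})
    for ts, mac, ip, ap, ttl in sorted(observations):
        key = (mac, ip)
        if key not in authenticated:
            continue  # unauthenticated clients are still held in the portal
        prev = last_seen.get(key)
        if prev and prev[1] != ap and ts - prev[0] <= window:
            alerts[key]["aps"].update({prev[1], ap})
            alerts[key]["ttl_mismatch"] |= prev[2] != ttl
        last_seen[key] = (ts, ap, ttl)
    return dict(alerts)


if __name__ == "__main__":
    for (mac, ip), info in find_shared_sessions(OBSERVATIONS, AUTHENTICATED).items():
        level = "HIGH" if info["ttl_mismatch"] else "MEDIUM"
        print(f"{level}: {mac} / {ip} active on {sorted(info['aps'])}")
```

A client that roams between access points after a long gap is not flagged; only overlapping use of one authenticated pair is, and the check does not see a second user on the same access point.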
Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use most captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. There exists the option, however, of the platform vendor entering into a service contract with the operator of a large number of captive portal hotspots.