205 comments

[ 2.9 ms ] story [ 206 ms ] thread
I use captive.apple.com if a public network fails to load the login/getting-started page.
That's super useful, I never knew about that.
I used the same until I recently hit a network that allowed that site but was captive for everything else. No idea what would inspire that configuration.
Whyyyyy... ugh that’s so dumb. That is just someone shooting themselves in the foot for no reason, or maybe some ex employee did something silly on the way out.
iOS won't consider itself connected to a WiFi network until it can hit that domain and get the response it expects, but some networks want you to be connected even though they don't actually give you full internet access. For example, plane wifi networks where you can stream video to your device but would have to pay for actual internet. So those networks will allow the connection for that site and other captive detectors but intercept actual connection attempts.
Sorry, I understand all of that. This was not one of those situations. I could not get to any place on the network because they had a captive portal but iOS didn’t know to open it because they allowed captive.apple.com through. After navigating to neverssl.com I was properly redirected to the captive portal and able to agree to whatever guest WiFi terms were available.

That’s why I just use neverlssl.com now.

I think captive.apple.com also works for this use case.
I love this, so useful, thank you.
http://example.com also does this, albeit without the promise of never switching
In both Chrome and Firefox, when I type "example.com" into the URL bar, I go to https://example.com , probably because I've visited the https site before and they remember that. So I do not recommend example.com .
Indeed, "browser.urlbar.autoFill" option (enabled by default) would do that in Firefox.

There should be no forced https redirection if you fill in http:// prefix by hand though. At least for now, until example.com adds HSTS headers.

I don't think the IANA domains make use of HSTS or anything of the like.

    HTTP/2.0 304 Not Modified
    cache-control: max-age=604800
    date: Sat, 02 Nov 2019 22:22:19 GMT
    etag: "3147526947+gzip"
    expires: Sat, 09 Nov 2019 22:22:19 GMT
    last-modified: Thu, 17 Oct 2019 07:18:26 GMT
    server: ECS (sjc/4E71)
    vary: Accept-Encoding
If you type "example.com" into the URL, both Firefox and Chrome will try HTTPS first. If you want plain HTTP, you just need to ask for it: "http://example.com"
I don't think HTTPS is the default automatically. When I create a new Chrome profile, then type example.com into the url bar and hit enter, I go to http://example.com . Then when I type https://example.com twice (each time hitting enter) then type example.com and hit enter, I go to https://example.com . So I think it might be whichever is more common in your history.

Firefox behaves very similarly, except I don't have to visit https://example.com twice before it becomes the default, I just have to visit it once.

This could also happen because of an extension like HTTPS Everywhere, which requests the https by default when both are available.
HTTPS Everywhere uses built-in rules, not heuristics, to determine when to rewrite an HTTP request to HTTPS. There does not appear to be a rule for example.com, so HTTPS Everywhere does not cause a rewrite.
It also sends the "Upgrade-Insecure-Request" header, which can cause that switch to take place.
For Firefox, this may occur when the address bar autocompletes from history, pulling the https:// entry. As far as I can tell, it doesn’t have anything to do with prioritizing HTTPS, just whichever is more frequent in your history (if you visit the HTTP enough times it will switch to picking that for autocomplete). If you don’t use the autocomplete entry (for example, by tab-completing it but deleting the trailing slash), then it will use HTTP unless you actually typed https://.
The Firefox instance I'm using at the moment goes to the non-TLS version when I type "example.com" in the address bar.
And with a different relationship:

* neverssl might be bought out, or re-registered, at some time in the future.

* example.com is a IANA reserved domain [0], which whilst it doesn't guarantee they'll never deploy SSL, does mean nobody else can register it, ever (RFC 6761) [1].

[0] https://www.iana.org/domains/reserved

[1] https://tools.ietf.org/html/rfc6761

Has an interesting WHOIS record too. The "registrar" is "RESERVED-Internet Assigned Numbers Authority", and no admin/technical/billing contacts like in standard whois entries.
I think the only promise example.com has is that the domain will always exist.
I'm not sure that's even true. RFC 6761 says "IANA currently maintains a web server providing a web page explaining the purpose of example domains."

Saying "currently" implies it's not guaranteed to always be true. (Although it's more likely to stick around than a random domain registered by a hobbyist.)

"the domain will exist" does not mean "someone will run a web server there and respond to traffic", though.

Though I'm not exactly sure what it does mean. That it will have at least one DNS record?

This is very pedantic, but technically nothing requires an HTTP service to be hosted at example.com. It's only guaranteed to be reserved and never assigned to a real organization at the DNS level.
I've always used terrible.com

It's just your standard parked domain. I typed it in when I was frustrated one time trying to log into a public wifi. It worked and I didn't even understand why back then.

I use captive.apple.com regularly but just realized that https was the issue being worked around on WiFi. Learning something new.
What do you mean by "the issue being worked around"?

The issue is that https cannot be intercepted by such an access point, and is increasingly popular for all types of web use. "Being worked around" makes it sound like something different, perhaps even sinister.

He means that TLS on all domains breaks some use-cases and thus, in those cases, there needs to be some way of working around the situation presented.

You can argue the merits of this being a good thing or not. But it’s fair to call it a work around.

Consumer operating systems started detecting captive portals long ago, and at a time when HTTPS was much less common than it is today for casual usage. Post-Snowden, there has really been a multi-industry push to use HTTPS everywhere even for "boring" use cases where a naive person wouldn't assume snooping to have much consequence. But captive portal detection appeared from Microsoft, Apple, Google, etc. years before that push.

HTTPS absolutely should reject a captive portal trying to hijack it, that is the point of it.

But "work around HTTPS" remains a weird way to describe this. The captive portal is the culprit in need of a workaround, not https which is doing what it's supposed to be.

http://icanhazip.com is also good for this.
Redirected me to https, I have not visited that site before (probably).
It didn't for me (over ipv6, not sure if that makes a difference).
I miss the old purple page at purple.com which unintentionally served the same purpose. Comcast techs used to use it as a test for whether you were in their captive portal.
Probably avoid caching. Just taking a guess, but you do not want your DNS cached when the poorly-programmed router login page is trying to spoof DNS, and redirect you to their login portal.
Why not just alksjdhflkjahdskjfhalskjdhfas.com or something that definitely doesn't exist? Since there's no HSTS on domains that don't exist, it should allow the wifi network to redirect to http://myloginportal/whatever and do its thing so you can access the network.
you never know how poorly a restricted WiFi access point is implemented
Some captive portals do TCP redirection, but no DNS redirection.

And for good reason. Once user has finished jumping through whatever hoops captive portal want them to jump, a new connection to the same server is likely to be attempted, and having a fake DNS response cached somewhere in libresolv or browser in the client is not the least bit conductive to that.

Ah, makes sense. I don't think I've encountered one like that, but I can imagine they exist.
Of course some portals do use DNS and so you end up with your favorite site's home page getting a bunch of irrelevant arguments appended to it, resulting in an error page.
My favorite to use is http://perdu.com/

I don’t know where I found it, but it’s charming!

I’ve used http://www.fake.com for years just because it worked. If that London-based artificial plant company ever goes out of business, I don’t know what I’ll do! ;)
I think it's common in France. I've been using perdu.com for long for that purpose.
I often use this for awkward public WiFi hotspots. Short, easy to remember and keeps its promise ;)
Serves a completely different purpose but I also frequently use badssl.com for testing TLS configurations (for instance you can load it on a kiosk, gym screen, etc - if it loads successfully then your connection is not being verified and could be MITM-ed)
So, sites like this are useful. (It's certainly better than memorizing the URL that various hotels use for their wifi portals, which I have done before, sadly.) But is there anybody working on solving this problem transparently to the end user? It seems user-hostile to require people to remember a non-HTTPS URL, especially as more and more sites move.
Everyone seems to understand this but me... how does connecting to a non-ssl website disable ssl on other sites?
It doesn't, it gets you into the wifi network's login portal, from which you can log in and then ssl will start working.

[Edited to add] The problem is that websites that require ssl prevent you from getting into the login portals.

I have http://detectportal.firefox.com bookmarked on my phone for this exact reason.

Some wifi networks will display a login/payment page to you by mitm'ing your connection & replacing the page you tried to load. But of course this only works for HTTP pages.
Some WIFI networks require a login like airports or hotels. When you use https sites it wont redirect to the proper “wifi login” page as it should. This site being http should redirect you to that “wifi login” page
"This website is for when you try to open Facebook, Google, Amazon, etc on a wifi network, and nothing happens. Type "http://neverssl.com" into your browser's url bar, and you'll be able to log on."

I don't get it. How does browsing to http://neverssl.com help you to log in to other websites?

It gets you to the network's captive portal.
If the WiFi has a login portal, you might not get redirected to it when accessing an https site. If you go to this site, you’re more likely to get properly redirected.
It lets you access the portal to connect to wifi by allowing the router to MITM the connection due to the lack of SSL and bypassing caching with the random subdomain. After successfully connecting through whatever custom router software you'll be able to log in to those other websites.
(comment deleted)
On some public wifi networks, you need to load a captive portal page and hit a button (usually to accept terms and conditions) before network to route you to any actual sites. The network often enforces this by redirecting you to that page whenever you try to visit something else. However, this doesn't occur properly when accessing a page with HTTPS. The easiest way to to directly to to the captive portal is to try to go to a non-HTTPS site, but fewer and fewer sites provide this (for obvious securityv reasons). The purpose of this site is to provide an easy-to-remember domain that the owner guarantees will never use HTTPS so that users of such networks can type it in as a way to load the captive portal. I've used it a number of times when using wifi on Amtrak trains.
Thanks for the explanation - I've definitely encountered that situation. Do you know why it works that way?
Captive portals require intercepting and redirecting your HTTP request. You can't do that with HTTPS because it's encrypted. Most sites now automatically redirect to HTTPS and are cached that way by browsers so it's hard to find a HTTP-only site that will get redirected on these networks.
Websites can tell browsers to never connect to them via unsecured channels (hsts/hsts preload), in a secured channel the browser validates the server's encryption certificate is authorized to encrypt traffic for that domain, so the wifi network can not intercept it to serve up the captive porter.
You don't use a lot of hotel, airplane, airport, guest or otherwise captive portals do you? Most will gracefully redirect but a lot are painful. Add in things like HSTS (can't just go to Google), HTTPS Everywhere, etc and it's downright annoying to get to the portal.

NeverSSL is a huge frustration reducer, especially as I've been able to just tell less technical able co-workers to just go there.

One trick that often works at hotels is to enter the hotel's domain name, which typically has an entry in the wifi DNS. I don't know how that works related to SSL, I just know it often solves the problem.
Never had any issues typing http://google.com manually and having that get redirected to the capture portals. Obviously you have to specify the protocol otherwise modern browsers will try https first.
Here is another similar site i've been using for years: http://amionline.net/
Well now that text isn't very helpful, might be cached by any middlebox or endpoint. I expected at least a time like "Yes as of 2019-11-03T19:19:19Z" (I have a subdomain, http://time.lucb1e.com, that does I use for this)
Since everyone is posting alternatives, here is Firefox's way:

detectportal.firefox.com

Huh, I've had that problem before but recently found that if you visit a local (non-routable, I guess) address then it picks up the captive portal.

For me that means type "1", the browser fills the rest, hit enter: boom, captive portal.

YMMV, of course.

http://example.com is my captive portal triggering website go-to. IANA reserved and will be there when I need it forever.
They might not run a web service indefinitely, nor did anyone ever say they'll not redirect to https. It happens to work just like a random other 90s website might work.
The fact you need this is incredibly unintuitive to anyone without technical prowess.
Even with technical prowess - I'm a software developer and spent much of today designing a cloud load balancer architecture for a startup's global infrastructure - I had never realized that this issue had to do with SSL.

I usually just futz around with things like the local gateway IP or the business's domain name (e.g. hotel domain name) until it works.

Typing 1.1.1.1 (Cloudflare DNS) or 8.8.8.8 (Google DNS) into the address bar does the same job, is quicker, can be easily remembered, and is safer.
It's not an advertised function, so it might change. I just went to 1.1.1.1. It was HTTPS.
When I’m having trouble logging into a Wi-Fi network I just go to 128.1.1.1. Seems to work every time.
I always used my own IP until I got to a portal that didn't work with that. Now I use a subdomain of my site. Then one very smart captive portal "moved permanently"'d that and my browser cached it, as it should, and on the next WiFi it tried to load the old one's captive portal x_x. Not sure what the solution is for that, it would happen with neverssl or any of the alternative domains mentioned here as well. I guess you'd have to manually type a random subdomain of neverssl or so.
NeverSSL already does that for you.
Yeah but if that redirect gets overridden...