Hotspot Https

Dear all,


I cannot create a certificate to make the hotspot page secure and I used a lot of methods

Like
https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

Please help with this.

If it should be trusted by random visitor, you can’t create it yourself, you need to get it from trusted CA (even free Let’s Encrypt is fine). But pay attention to notes in manual:

https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example#Trusted_Certificate_authority

I have already taken all these steps

But you know that you didn’t provide any useful info, right? Nobody knows what your “I used a lot of methods” means or what exactly doesn’t work and in what way.

I have followed this explanation

https://www.youtube.com/watch?v=CAvDMtyOx5k



https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

And what exactly doesn’t work in what way?

I skimmed very quickly through the video and I can tell you right away that it’s completely useless. Adding exceptions for untrusted certificates, installing own CA, … you can do that for fun on your own computer, and that’s it. Nobody in their right mind will ever do that when connecting to someone else’s hotspot, because it’s completely insecure and wrong.

In short, if you want a certificate for your hotspot page that will be trusted by clients, you cannot create it yourself, it must be from a trusted CA. And even then, there will be unavoidable errors about invalid certificates when users try to open other https websites than your hotspot page.

Hello, can you find a solution to use https pages to log in?
I hope soon that someone will solve the problem of the https protocol, since now we only use web pages in https.

It has been repeated so many times…

Long term solution is hotspot advertising its presence and clients understanding it and behaving accordingly. There’s a proposed DHCP option for that. And nobody supports it. Problem is, if it should be useful, everybody must support it. Check again in ten years, maybe it will be better then.

Current solution is that client must actively detect presence of hotspot. It usually works. When it doesn’t work, it’s usually because hotspot admin gets creative and whitelists domains that should not be whitelisted.

But then why activate the option to select https if it is not possible to use it?
Can anyone use the https redirect for that function?

It is up to the CLIENT DEVICE to detect the hotspot and redirect to the login page. Make sure all HTTP and DNS requests are redirecting to your hotspot, and that’s all you can do. Absolutely nothing else on your end can influence that.

It has different parts:

  1. Https for hotspot login page. I’m starting from the end, because this is the easy part. After http redirection, or after client device actively detected hotspot, user gets login page, let’s say hotspot.yourcompany.tld. This page can use http or https. Since user may be entering info which should be protected, it’s better to use https.

This part works without problems, you just need to get certificate valid for hotspot.yourcompany.tld from trusted CA. You can buy it from commercial CA or get it for free from Let’s Encrypt (it will require some extra work, because RouterOS doesn’t have built-in support for getting it).

  2. Interception and redirection of http requests. This works fine, because http is readable and anyone on the way can change transmitted data. That’s what’s called a MITM attack (man in the middle). Hotspot does exactly that.

  3. Interception and redirection of https requests. This doesn’t work, because https is encrypted and nobody can change transmitted data. It’s a good thing, because it protects you from attackers. But it also breaks hotspot’s redirection. There are two “solutions” for this, both bad:

3a) Hotspot redirects https connections same way as http. But because target webserver (i.e. hotspot) can’t have valid certificate for e.g. www.google.com, users will see certificate errors.

3b) Hotspot blocks https connections. On the upside, users don’t get certificate errors. But they will get failed connection errors.

One or the other, it’s not good. I think option B is slightly better, not because it’s more helpful, but at least it doesn’t teach users bad habits (and ignoring certificate errors is a very bad habit).

But again, don’t despair, because usually it works anyway. Browsers or operating systems send background http request to their test server which returns some predefined data. It’s unencrypted http, so hotspot will redirect it and change data, and it can be easily detected if it happened or not. If not, access to internet should be open. If it’s something different than expected, there’s probably hotspot and that page is shown to user.
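The client-side detection described in the post above, as an added example that is not part of the original thread: a plain-HTTP probe sent without following redirects, then classified into "open" (untouched reply), "captive" (hotspot rewrote it into a redirect, as in 3a) or "blocked" (connection failed, as in 3b). The probe URL, the expected 204 reply and the sample responses are all constructed for this example, not taken from any real OS or hotspot.

```python
"""Client-side hotspot (captive portal) detection over a plain-HTTP probe."""
import http.client
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical probe URL; real operating systems use their own vendor test servers.
PROBE_URL = "http://connectivitycheck.example/generate_204"
EXPECTED_STATUS = 204   # the test server's predefined, unmodified reply
EXPECTED_BODY = b""


@dataclass
class ProbeResult:
    status: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""
    error: Optional[str] = None   # set when the TCP connection itself failed


def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
    """Send the probe with http.client so a 3xx is returned, not silently followed."""
    u = urlparse(url)
    try:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        return ProbeResult(resp.status, dict(resp.getheaders()), resp.read())
    except OSError as exc:
        return ProbeResult(error=str(exc))


def classify(result: ProbeResult) -> Tuple[str, Optional[str]]:
    """Return ('open' | 'captive' | 'blocked', login URL if the hotspot supplied one)."""
    if result.error is not None:
        return "blocked", None                 # option 3b: connection refused or dropped
    if result.status == EXPECTED_STATUS and result.body == EXPECTED_BODY:
        return "open", None                    # reply untouched: internet is reachable
    headers = {k.lower(): v for k, v in result.headers.items()}
    location = headers.get("location")
    if result.status in (301, 302, 303, 307, 308) and location:
        return "captive", location             # option 3a: hotspot redirected the probe
    return "captive", None                     # reply was modified but carries no redirect


def login_page_is_https(login_url: str) -> bool:
    """The redirect must point at an https URL with a hostname a trusted CA can certify."""
    u = urlparse(login_url)
    return u.scheme == "https" and u.hostname is not None


# Constructed sample responses for offline use (not captured from a real hotspot).
SAMPLE_OPEN = ProbeResult(204, {"Content-Length": "0"}, b"")
SAMPLE_CAPTIVE = ProbeResult(302, {"Location": "https://hotspot.yourcompany.tld/login?dst=http%3A%2F%2Fconnectivitycheck.example%2Fgenerate_204"}, b"")
SAMPLE_BLOCKED = ProbeResult(error="[Errno 111] Connection refused")
```

Calling `probe()` on a real network returns the same `ProbeResult` shape, so `classify(probe())` is the online form of the check.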

I tried to create an SSL certificate, it seems that it works, but in any case I keep the discussion monitored; we hope that the new version of routeboard 7 will bring some hotspot news.

Which part of post #12 by @Sob is not clear? I thought the post makes it clear that it’s entirely up to admin (and wireless client) to deal with hotspot detection properly, nothing much is up to MT. Only one single thing: construction of HTTP redirection to HTTPS hotspot page if it exists … as hotspot detection only works reliably using plain HTTP it needs proper redirection so that client knows it’s going to be HTTPS connection which follows.

I’ll probably start to ignore future posts about hotspot and https. No matter how much info is provided, in technical or simpler terms, explaining why MikroTik can’t do anything about it, and it’s not because they are not trying hard enough, it almost always ends up with either angry or disappointed “they are stupid or lazy because they don’t fix it” or optimistic “let’s hope they will fix it in future”. It’s pointless. :laughing:

It seems from your posts that anyone who intends to use MikroTik for hotspots abandons the project.

It’s not just MikroTik thing, it’s how hotspots work in general. The idea of silently intercepting traffic and changing responses was flawed from the start. It did work when there was mostly http, but https ruined that. Or do you know some other non-MikroTik system that works better and miraculously redirects https without users seeing errors?

http://www.hotspotsystem.com/hotspot-software
There is this site that offers a hotspot service to be integrated on your router.
Only that I like to manage everything myself without using third-party software.
Now I am testing a certificate that I created, I only do authentication on https, for now it seems to work without errors … we will see with time.

That’s not what I meant. I didn’t study the link in detail, but it looks like some centralized management, and it seems that on MikroTik devices, it still uses unmodified RouterOS. In other words, everything they do, you can do too. They won’t redirect https any better than you can.

In fact, they are only alternative solutions that I would not like to adopt.
We will see if effective solutions are born in the future.