There is a known problem when a user logs into a hotspot, and tries to go to a HTTPS site (google.com, etc) the browser will display an error and the router will not redirect to the login page.
I think this used to work a few years ago and changes to the OS either broke it or removed it on purpose.
I don’t understand the reason this does not work. Before a user authenticates they have no access to any internet traffic so there is no security issue, and if a request to an HTTPS site occurs before they are authenticated, why not just drop the HTTPS request and redirect to the login page? Before authentication the router should be smart enough to handle this, and I think at one time it was.
This is a huge headache for us who operate Hotspots as so many people have their default page set to https://www.google.com/.
Is there a plan to deal with this?
Does anyone have a slick way to deal with this? I have looked at options about setting up a certificate, etc, but this should not be needed.
I love these routers and the OS is awesome, but this problem really burns.
I agree with you
I have the same problem in my hotspots. Lots of Android users have as a home page https://www.google.com.
The result is the login page does not appear.
You can’t deal with this. Not until there’s some universally accepted standard for hotspot detection.
You have to understand that what a hotspot does is basically a MITM attack. The browser does not know about the hotspot’s existence. It just sends a regular http(s) request to the target server. If it’s http://google.com, the hotspot can intercept it and send a redirect to its login page. The important thing is that the browser still has no clue about the hotspot; it simply thinks that the redirect came from the target server. But if the target is https://google.com, the browser will only accept a connection to a server with the proper certificate and nothing else. There’s no way for the hotspot to say “hey, I’m here, you need to login first”. It can still intercept the connection, but will have to do it using an invalid certificate and the browser will detect it as such.
I am a .NET programmer and in ASP code I can redirect an HTTPS request from a browser to an HTTP site. So I don’t understand why MikroTik can’t do the same in their device.
Hi Sob,
I understand the main idea about https and everything being encrypted, but as kimdobranski said, it is possible to capture the traffic to tcp/443 and to show a login page.
And, of course, it is the behaviour of a MitM attack. And it is not so easy.
You can if you own this https resource. The redirection to HTTP from HTTPS should come encrypted by ssl. Doesn’t it?
I think the only way to deal with https requests through a hotspot is to “fake” the DNS response and ‘make’ a phony google, yahoo, bing… or any other requested https web server. I think it’s pretty possible but needs a way to flush the fake ssl connection and certificates on the user device right after authorization on the hotspot (maybe it will work, who knows with that browser stuff).
UPD: And of course modern browsers will warn the user about the untrusted link (that phony google site), which leads to almost the same problem as in the beginning.
You can redirect an https request (without errors/warnings) if you have a valid (trusted by the browser) certificate for the requested hostname. But you can’t get such a certificate for e.g. google.com (*1) if you are not Google.
The whole point of SSL is to prevent things like MITM. There’s no difference between these two scenarios:
You want to see an error/warning in 2), but because it’s technically the same, you’ll see the error/warning in 1) as well. There’s no way around it: you can fake DNS, you can set up fake servers, but you still won’t have a valid certificate.
–
(*1) You can do it with your own computer(s) if you create a custom CA, add it to the browser as trusted and use it to sign a certificate for google.com that you create yourself. But nobody else will trust it without installing your CA, and no sane person will ever do so. So it’s pointless.
Most likely it used to work because Google did not redirect to https by default a few years back.
As mentioned, there is no solution to this since https is used.
If there was a solution it would be a major security hole to be able to trick the browser not to show the warning when you are in the middle manipulating the traffic (as a hotspot).
@Kola how would the fake DNS response help?
If the user is trying to access an https resource, even with the false reply from the DNS server, you would still need a proper certificate on the (fake google) server so that the browser doesn’t throw warnings.
Again, it would be a major security flaw to be able to trick browsers like that.
That’s the whole point of TLS/SSL on the web. To verify that you reached the ‘real google’ and of course to have encryption.
I share the same opinion as you about TLS/SSL authentication in https. I know all the SSL theory and I have an SSL certificate in all my hotspots (hotspot profile auth method https), an SSL certificate signed by Symantec.
And what I realised is that my users know they are in a hotspot service, and almost every user accepts the SSL warning which appears in their browser.
I prefer an SSL warning in the web browser instead of no navigation or an error 404 page.
Most modern smartphones do an HTTP connection test and prompt for a hotspot login if it detects a redirect, but if the first thing your users try to do is open an HTTPS page, there is nothing you can do.
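An added example (not from any post in this thread) of the plain-HTTP connectivity test the reply above describes: the client expects a bare 204 from a known probe URL, and treats an intercepted redirect or an unexpected HTML page as "captive portal present". The responses are constructed inline and the hostnames (connectivitycheck.example, hotspot.example) are placeholders, not real endpoints; the point is that this check only works because the probe is plain HTTP and the hotspot can rewrite it, which an HTTPS first request does not allow.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed probe: phones fetch a plain-HTTP URL and expect exactly 204 with an empty body.
PROBE_HOST = "connectivitycheck.example"  # placeholder, not a real connectivity-check host
EXPECTED_STATUS = 204

@dataclass
class ProbeResult:
    captive: bool            # True when the hotspot intercepted the probe
    login_url: Optional[str] # where the hotspot wants the user to go, if it told us
    reason: str

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lowercase headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw: bytes) -> ProbeResult:
    """Decide, from the probe response alone, whether a hotspot is in the way."""
    status, headers, body = parse_response(raw)
    if status == EXPECTED_STATUS and not body:
        return ProbeResult(False, None, "got the expected empty 204: no portal")
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        # The hotspot answered instead of the probe host (the MITM the thread describes).
        return ProbeResult(True, headers["location"], "probe was redirected by hotspot")
    if status == 200:
        # Some portals serve the login page directly; look for a meta refresh target.
        m = re.search(r'url=([^"\'>\s]+)', body.decode("utf-8", errors="replace"), re.I)
        return ProbeResult(True, m.group(1) if m else None, "unexpected 200 page: likely portal")
    return ProbeResult(True, None, f"unexpected status {status}")

# Constructed sample responses for the three cases.
OPEN_INTERNET = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
HOTSPOT_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://hotspot.example/login\r\n"
                    b"Content-Length: 0\r\n\r\n")
HOTSPOT_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b'<html><head><meta http-equiv="refresh" '
                b'content="0; url=http://hotspot.example/login"></head></html>')

if __name__ == "__main__":
    for sample in (OPEN_INTERNET, HOTSPOT_REDIRECT, HOTSPOT_PAGE):
        print(classify(sample))
```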
Not really. A certificate for your hotspot won’t help you much, because it will be valid only for your hotspot’s hostname, not for whatever external site the user’s browser thinks it is connecting to.