Has anyone figured out a way to use SSL encrypted links in the hotspot pages?
No problem with SSL pages. If you want to let your clients access them before they login, you will need to put the domain names in “/ip hotspot walled-garden”. I use an earlier version (3.13) that requires the IP addresses entered in “/ip hotspot walled-garden ip” instead. This was just a version bug. If I upgraded, I probably would not need to do that.
I mean at the actual login button for the hotspot login. I don’t want some information, such as the MAC address, to be revealed in the link if possible. I do it with a PHP page and OpenSSL on normal web servers so customers can’t modify the HTTP request with the links, but I don’t know a way to run that on the router OS.
During the setup for the hotspot, one of the questions is about the security certificate. If you selected “none”, then the login page is plain text. If you want the login page SSL, then that needs to be done during the hotspot setup. I am not certain you can change that after the initial setup.
The instructions are in the “Hotspot How-To” near the bottom of this page in the docs:
http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot.php
The docs don’t mention how to start, though. In the CLI it is
/certificate create-certificate-request
And the wiki
http://wiki.mikrotik.com/wiki/SSL_Certificate_setup
Hi, I know how to use the SSL login page, but that’s not what I mean!
An SSL link is different. It’s when the link within the page code is an encrypted block of text so the user has no idea where the link sends to and what it contains. An SSL page does not offer this function, as the user of the browser can see the links and possibly modify them. SSL pages only encrypt between the browser and the server, not the links contained in the page.
Thanks for trying to be helpful though
What does ‘SSL’ stand for in that case?
Can you link to the description of this? I haven’t heard anything like it. Give an example in some real webpage?
Yes:
http://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php
I used it on PayPal to stop anyone modifying the links to the shop. One problem is that a user can change the price value link and submit a link to PayPal and change the price. Also I’m using MAC addresses as usernames for my billing and it would be nice that the customer didn’t ever know what it was. Basically if you look at the page source all you see is a block of text and no information.
You will have challenges using that code on MikroTik routers. No PHP.
That script only encrypts one input of the form sent to PayPal, but I see your goal. In a way, the hotspot uses this on the password if you use “login-by=http-chap”. It md5 encrypts the password with a challenge sent by the router so it is not sent clear text. I am not certain how you could implement your code on the MT routers. You might need to use a purchase page on an external server (I do for other reasons) to encrypt the form input.
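The goal discussed in this thread (link parameters the customer can neither read nor modify), as an added example that is not from any poster: a page on the external server seals the parameters into one AES-256-GCM token and rejects any token that fails authentication. The function names, the `exp` field, the `purchase.php` URL and the key handling are assumptions, and the MAC address and plan are constructed sample values.

```php
<?php
// Added example, not from the thread. Assumes PHP 8 with the OpenSSL extension.
// seal_params()/open_params() and the field names are hypothetical.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string|false {
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// Encrypt and authenticate link parameters into one URL-safe token.
function seal_params(array $params, string $key, int $ttl = 900): string {
    $params['exp'] = time() + $ttl;          // assumed expiry field, limits reuse of old links
    $iv  = random_bytes(12);                 // fresh 96-bit nonce for every token
    $tag = '';
    $ct  = openssl_encrypt(json_encode($params), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return b64url_encode($iv . $tag . $ct);  // layout: 12-byte nonce, 16-byte tag, ciphertext
}

// Returns the parameters, or null if the token was altered, forged or has expired.
function open_params(string $token, string $key): ?array {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) <= 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        return null;                         // GCM tag check failed: token was modified
    }
    $params = json_decode($pt, true);
    return (is_array($params) && ($params['exp'] ?? 0) >= time()) ? $params : null;
}

// Constructed sample values; a real deployment loads one fixed key from server-side config.
$key      = random_bytes(32);
$token    = seal_params(['mac' => '00:11:22:33:44:55', 'plan' => '5GB'], $key);
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);
echo "purchase.php?t=$token\n";
var_dump(open_params($token, $key));     // the original parameters plus 'exp'
var_dump(open_params($tampered, $key));  // rejected: one changed character breaks the tag
```

The key never leaves the external server, so the page source shows only the opaque token, and the server treats a null result as an invalid request.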
Yeah but maybe there is another way, everything else is there apart from php. And it would be a nice feature to fully lock down the hotspot.
I think my hotspot routers are “fully locked down”. The security happens on the external server. I allow access to the server pages in “/ip hotspot walled-garden”. Do you see a security challenge with that?
ADD: And I presume you are not collecting $10 donations with PayPal. If you are selling internet access, how do you plan on activating the account? That is the reason I use an external RADIUS server with a custom php front end.
Maybe I have it wrong. Are you talking about the hotspot service, or User Manager?
Yup, I use a RADIUS server with MySQL and have developed my own PHP code for the signup and crediting part externally via walled garden. And a FreeRADIUS module to count data usage. When the payment is made the PayPal IPN script updates the MySQL database. It’s much the same as User Manager but simpler and works using gigs not time.
Are you saying it’s possible for the login page to be hosted on an external server somehow?
You can host the login page externally, but I use a modified version of the default login page on the router, with a link to the initial purchase page (“click here to purchase time”). I change the background and the text, but all else I leave like it is. I have only the purchase pages and the call-back page on the external server, with the URL of my RADIUS server (EDIT: and the URLs/IPs of Authorize.Net’s secure purchase server) entered in the walled garden.
I use Authorize.net, so it does a call-back to my RADIUS server when the purchase is complete, as I think PayPal will do too. That activates the time purchased in my system. Once the purchase is complete, I have a link to both Google and Yahoo on the “Purchase Complete/Thank You” page, with instructions to click on one to login. That pulls up the hotspot login page.