Publication Date: 16 December 2021 We are aware of a new security vulnerability targeting the open source Log4j logging utility that was announced recently. The vulnerability allows hackers to execute malicious code on servers and client machines. ANTlabs products are not affected by this vulnerability as we do not use the Log4j logging utility. Please […]
The current ezxcess.antlabs.com SSL certificate on our gateways will expire on April 7, 2021. For HTTPS login pages that are served out with the ezxcess.antlabs.com SSL certificate, browsers will present certificate errors after April 7, 2021, if the SSL certificate expiry is not extended. Also, for deployments that integrate with the Accor FLINT-HTNG PMS, the […]
Last Updated: 15 Oct 2020Publication Date: 24 Sep 2020 What is Randomized MAC and what is it for? With the recent launch of IOS 14 and Android 10, a new feature is introduced which configures the phone to use a randomized MAC address when connecting to a WiFi network. The feature is enabled by default […]
Updated: 23 July 2020 We have added the walled garden HTTPS domains feature as the recommended approach to allow downstream devices to access the payment gateways before login. In doing so, we are effectively decommissioning the IP Address-based walled garden configuration. As such, it is advised to add the relevant HTTPS domains to the walled […]
Last Updated: Oct 15, 2020 – The Instagram WiFi login issue has been resolved with the recent ANTlabs Update #41 for both IG 4 and SG 4. Admins are advised to apply the latest update on their gateways to ensure a smoother login flow. After updating gateways to Update #41, using the Instagram login method […]
[UPDATED: 19 Jan 2021] WeChat login is now once again working as one of the ANTlabs social WiFi login methods. WeChat login requires the following update to be installed on these gateways: IG 4 Update #42 SG 4 Update #42 IG 4 S Series Update #4 SG 4 S Series Update #4 [Advisory Date: 20 […]
Publication Date: 7 July 2019
Last Updated: 27 August 2019
It has come to our attention that some users have been experiencing a delay in loading captive portals on Apple devices. The said delay sometimes takes up to a minute. This behavior has been observed on devices that are on iOS 12. It was also observed that there is no issue on other iOS devices that are on earlier versions, Android, OSX, and Windows devices.
According
to Apple forum discussions, Apple has been informed and has acknowledged the
issue. Although it has not been confirmed officially by Apple, sources say that
it has been partially fixed in iOS 12.4 Beta 3 and additional fixes are
expected in iOS 13. iOS 12.4 is expected to be out in a month, and iOS 13 in
the Fall.
We have released IG 4 Update #34 which includes improvement on how the gateway handles CaptiveNetworkPortal agent to help speed up the loading of captive portals. Please update your gateways to the latest patch.
Related Posts
On March 7, 2019, Google shut down legacy Google+ APIs. ANTlabs has used Google+ sign-in across its product families and we have migrated since then to Google sign-in. Some products may still carry the Google+ logo in login portals and admin user interfaces but rest assured, all ANTlabs products have already replaced it with Google […]
ANTlabs gateways have a unique feature that can redirect HTTPS web requests to the captive portal or landing page. This feature was very useful earlier in comparison to other competitors that can only redirect HTTP web requests, thus enhancing customer experience.
Recently, browsers like Google Chrome and Mozilla Firefox started to warn their users of a potential security risk when they detect that the requested domain name and the certificate offered to it doesn’t match. This warning page allows users to accept the risk and continue, after which the users will be redirected to the captive portal or landing page. However, with even stricter control by the browsers and some of the latest smartphones, this warning message has deterred users to login to the WiFi network.
This advisory explains the different issues related to the HTTPS and captive portal or landing page redirection and suggests several options and recommendations to overcome them. Note: ‘ANTlabs gateway’ could mean any series of SSG, SG, and IG gateway models. This advisory also assumes that the captive portal’s domain name uses the default ezxcess.antlabs.com domain name. For a custom domain name with a valid certificate matching the domain name, the warning messages or certificate errors may or may not appear depending upon the browsers and OS versions.
LAPTOP AND NOTEBOOK WITH WINDOWS 10 OPERATING SYSTEM
The following flow describes the user experience when connecting to the WiFi network using his Windows 10 OS on a Laptop or Notebook.
Microsoft Edge
Google Chrome
Mozilla Firefox
Internet Explorer
The following flow describes the user experience when connecting to the WiFi network using his Smartphones running on either latest Apple iOS or Android OS
HTTPS is designed to protect the users from man-in-the-middle and eavesdropping attacks. Web browsers have pre-installed certificate authorities in their software to trust HTTPS websites. Latest versions of Chrome, Firefox and Smartphone pseudo browsers changed the way to warn their users when they detect any abnormality in the way a HTTPS website should naturally work.
The following are the different types of issues that the browsers shall respond with for HTTPS captive portal or landing page:
WEBSITE DOMAIN NAME AND CERTIFICATE HOSTNAME MISMATCH
Whenever a web browser requests for a HTTPS website, the website will provide a valid certificate with the hostname of the certificate matching the exact domain name or sub-domains in case of wildcard certificates.
Before a client is authenticated or logged in to the WiFi network, ANTlabs gateway redirects the HTTPS request and provides it with its own certificate. When the browser detects that the requested HTTPS domain name and the received certificate hostname mismatches, it shows a warning page.
UNTRUSTED CERTIFICATE WARNING
The browser complains that a certificate is “Untrusted” for two reasons, as below:
HTTP STRICT TRANSPORT SECURITY (HSTS)
HTTP Strick Transport Security (HSTS) is a web security policy mechanism which allows web servers to declare that web browsers should only interact with it using a secure HTTPS mechanism.
When a web application issues HSTS Policy to the web browser, those web browsers that conform behave as follows:
To overcome the issues in modern web browsers, the following solutions are proposed:
USE GLOBAL TRUSTED ROOT CA SIGNED CERTIFICATE
It is advisable to purchase and use a certificate that is signed by a Global Trusted Root CA. This Root CA should be as part of the trusted list for major devices such as Apple, Android, Windows and operating systems. If there are intermediate CA certificates, those should also be added in the ANTlabs gateway.
WHITELIST HTTPS DOMAINS OF HTTP DOMAINS
It is recommended to whitelist or wall-garden the HTTP domains in the HTTPS domains as well. This shall ensure that those HTTP Web servers that are configured for HSTS will still be able to be accessed before login, and thereby will not show any warning messages.
STOP HTTPS REDIRECTION TO CAPTIVE PORTAL
In addition to the above prevention methods, the ANTlabs Gateway will also be configured to drop all HTTPS requests before user login. This will solve the security warning messages that the users are currently seeing in their browsers. Instead, users will see a default browser page that states that the connection to the website cannot be established. With the majority of the latest browsers automatically verify and redirect based on HTTP websites and pop-up the pseudo-browsers, this method shall enhance the user experience.
NOTE: Older operating systems that may use HTTPS requests to auto-popup pseudo browsers shall show a network connection error message in the pop-up browser
Most of the CSPs that provide Public WiFi is moving towards seamless authentication mechanisms that do not use the captive portal or landing pages. Various EAP methods such as EAP-SIM/AKA, EAP-PEAP, EAP-TTLS are being used to authenticate the users seamlessly. In some customers, the EAP methods are combined with mobile applications, thereby making it easier for users to onboard and authenticate. Apart from EAP methods, some customers are also implementing Mobile applications with WISPr 1.2 based authentication method. If for marketing purposes and customer engagement the captive portal or landing page is necessary, ANTlabs gateway’s unique feature allows to pop-up the page after the user has been authenticated using any of the above mechanisms.
Related Posts
Publication Date: 10th Jan 2018 Last Updated: 19th Jan 2018 Version 1.04: Interim Description On 3rd January 2018, 3 vulnerabilities were disclosed for Intel microprocessors that could allow an attacker that has local access to a server to read privileged information belonging to other processes or the operating system by installing and executing a malicious […]