ANTlabs gateways have a unique feature that can redirect HTTPS web requests to the captive portal or landing page. This feature was very useful earlier in comparison to other competitors that can only redirect HTTP web requests, thus enhancing customer experience.
Recently, browsers like Google Chrome and Mozilla Firefox started to warn their users of a potential security risk when they detect that the requested domain name and the certificate offered to it doesn’t match. This warning page allows users to accept the risk and continue, after which the users will be redirected to the captive portal or landing page. However, with even stricter control by the browsers and some of the latest smartphones, this warning message has deterred users to login to the WiFi network.
This advisory explains the different issues related to the HTTPS and captive portal or landing page redirection and suggests several options and recommendations to overcome them. Note: ‘ANTlabs gateway’ could mean any series of SSG, SG, and IG gateway models. This advisory also assumes that the captive portal’s domain name uses the default ezxcess.antlabs.com domain name. For a custom domain name with a valid certificate matching the domain name, the warning messages or certificate errors may or may not appear depending upon the browsers and OS versions.
LAPTOP AND NOTEBOOK WITH WINDOWS 10 OPERATING SYSTEM
The following flow describes the user experience when connecting to the WiFi network using his Windows 10 OS on a Laptop or Notebook.
Microsoft Edge
Google Chrome
Mozilla Firefox
Internet Explorer
The following flow describes the user experience when connecting to the WiFi network using his Smartphones running on either latest Apple iOS or Android OS
HTTPS is designed to protect the users from man-in-the-middle and eavesdropping attacks. Web browsers have pre-installed certificate authorities in their software to trust HTTPS websites. Latest versions of Chrome, Firefox and Smartphone pseudo browsers changed the way to warn their users when they detect any abnormality in the way a HTTPS website should naturally work.
The following are the different types of issues that the browsers shall respond with for HTTPS captive portal or landing page:
WEBSITE DOMAIN NAME AND CERTIFICATE HOSTNAME MISMATCH
Whenever a web browser requests for a HTTPS website, the website will provide a valid certificate with the hostname of the certificate matching the exact domain name or sub-domains in case of wildcard certificates.
Before a client is authenticated or logged in to the WiFi network, ANTlabs gateway redirects the HTTPS request and provides it with its own certificate. When the browser detects that the requested HTTPS domain name and the received certificate hostname mismatches, it shows a warning page.
UNTRUSTED CERTIFICATE WARNING
The browser complains that a certificate is “Untrusted” for two reasons, as below:
HTTP STRICT TRANSPORT SECURITY (HSTS)
HTTP Strick Transport Security (HSTS) is a web security policy mechanism which allows web servers to declare that web browsers should only interact with it using a secure HTTPS mechanism.
When a web application issues HSTS Policy to the web browser, those web browsers that conform behave as follows:
To overcome the issues in modern web browsers, the following solutions are proposed:
USE GLOBAL TRUSTED ROOT CA SIGNED CERTIFICATE
It is advisable to purchase and use a certificate that is signed by a Global Trusted Root CA. This Root CA should be as part of the trusted list for major devices such as Apple, Android, Windows and operating systems. If there are intermediate CA certificates, those should also be added in the ANTlabs gateway.
WHITELIST HTTPS DOMAINS OF HTTP DOMAINS
It is recommended to whitelist or wall-garden the HTTP domains in the HTTPS domains as well. This shall ensure that those HTTP Web servers that are configured for HSTS will still be able to be accessed before login, and thereby will not show any warning messages.
STOP HTTPS REDIRECTION TO CAPTIVE PORTAL
In addition to the above prevention methods, the ANTlabs Gateway will also be configured to drop all HTTPS requests before user login. This will solve the security warning messages that the users are currently seeing in their browsers. Instead, users will see a default browser page that states that the connection to the website cannot be established. With the majority of the latest browsers automatically verify and redirect based on HTTP websites and pop-up the pseudo-browsers, this method shall enhance the user experience.
NOTE: Older operating systems that may use HTTPS requests to auto-popup pseudo browsers shall show a network connection error message in the pop-up browser
Most of the CSPs that provide Public WiFi is moving towards seamless authentication mechanisms that do not use the captive portal or landing pages. Various EAP methods such as EAP-SIM/AKA, EAP-PEAP, EAP-TTLS are being used to authenticate the users seamlessly. In some customers, the EAP methods are combined with mobile applications, thereby making it easier for users to onboard and authenticate. Apart from EAP methods, some customers are also implementing Mobile applications with WISPr 1.2 based authentication method. If for marketing purposes and customer engagement the captive portal or landing page is necessary, ANTlabs gateway’s unique feature allows to pop-up the page after the user has been authenticated using any of the above mechanisms.
Related Posts
Publication Date: 10th Jan 2018 Last Updated: 19th Jan 2018 Version 1.04: Interim Description On 3rd January 2018, 3 vulnerabilities were disclosed for Intel microprocessors that could allow an attacker that has local access to a server to read privileged information belonging to other processes or the operating system by installing and executing a malicious […]
Publication Date: 17 November 2016 Description There is a PMS default setting on the Fidelio Opera system which specifies that the PMS will ignore DB sync request less than 60s. With this default setting configured, the Opera PMS will ignore all DB sync requests that it receives from our gateway within 60s of establishing connection. This […]
Publication Date: 06 Jul 2015 Description SQL Injection Vulnerability A vulnerability which allows user to perform queries on the underlying datastore via ppli URL parameter of the default login page main.ant; CVE-2015-2849 Cross-Site Scripting Vulnerability A reflected cross-site scripting vulnerability exists in the msg URL parameter of the admin login page index-login.ant; CVE-2015-2850 Impact A remote […]
Security Advisory Updated: 12 Jan 2022 Publication Date: 26 March 2015 Description An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access. Impact A remote unauthenticated user with unrestricted access to the rsync port to affected gateway products may be allowed full read/write […]
We would like to proactively inform you about a zero-day vulnerability found with some of our InnGate HSIA gateways. We also would like to update you that a fix for the vulnerability is already available since 26 Mar 2015 and that we are actively working with our partners to patch your InnGate to secure it. […]
A buffer overflow vulnerability in the glibc gethostbyname() function was publicly announced on January 27, 2015. The issue is identified by CVE-2015-0235 and was given the name “Ghost.” The ANTlabs Engineering Team started investigating this issue immediately. This vulnerability is related to the various gethostbyname functions included in glibc and affect applications that call these functions. […]
The “Poodle” vulnerability, released on October 14th, 2014, is an attack on the SSL 3.0 protocol. It is a protocol flaw and every implementation of SSL 3.0 suffers from it. Note that we are talking about the old SSL 3.0, not TLS 1.0 or later. The TLS versions are not affected (neither is DTLS) by […]
Please be informed that ANTlabs products are not affected by “ShellShock” Bash Vulnerability. This is mainly because our products are appliance-based and do not use bash for console shell access. Administrators use ANTlabs’ own customised shell (that is not subject to the ShellShock Bash vulnerability) to access the command line interface. In addition, these products […]
Please be informed that our gateways do not suffer from the recently reported SSL vulnerability also known as Open SSL Heartbleed Bug. The SSL keys used in our products are not generated using the affected libraries. Thank you.