summaryrefslogtreecommitdiffstats
path: root/wiki/src/blueprint/detect_captive_portals.mdwn
blob: 9656fe3204d5a02af9994df126fe37d8ae9680ef (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
[[!tails_ticket 5785]]

For users that haven't read the documentation about the unsafe browser
and/or just don't understand when it's necessary, it would be good if
Tails does a reasonable job to try to detect whether a captive portal
seems to be in place and notify the user if so. The approaches could
range from simplistic to more sophisticated:

* If `wait_for_tor_consensus()` fails during time syncing. Note that
  this would happen if Tails is booted on a LAN without Internet
  connection.
* Use [ooni-probe](https://gitweb.torproject.org/ooni-probe.git)?
* Other approaches.

The method used likely has to be active, but it should preferably hook
into some common, innocent looking network connection in order to
avoid fingerprinting.

Tools
=====

Using WWW::Mechanize::Shell
---------------------------

For each kind of hotspot:

* list of possible ESSID
* optional: allocated IP address classes
* optional: network test script?
* optional: SSL certificate fingerprint?
* a WWW::Mechanize::Shell script

Main script in in /etc/NetworkManager/dispatcher.d.

Test current connection against known hotspots.

When connected to a known hotspot, starts WWW::Mechanize::Shell
script. Values are entered through a callback than will uses
Gtk2::Notify and some custom widgets. Known login/passwords should be
put in gnome-keyring with a browser like completion system (enter
first letters, pick login, password is prefilled). Maybe we could use
the same login/password database as Epiphany.

For hotspots that requires a periodic refresh, we can run another
WWW::Mechanize::Shell script in a loop. NetworkManager is meanwhile
monitored through DBUS to kill the loop if connection is lost. If loop
fails try once more through default script before displaying a
notification.

Existing hotspot connection applications
----------------------------------------

Looks like there is at least two Python apps doing this already:

* [autowifi](http://www.manatlan.com/page/autowifi)
* [autologin-applet](http://antoine.mairesse.free.fr/autologin-applet/)

Captive portal detection
------------------------

hellais and friends are working on
[ooni-probe](https://gitweb.torproject.org/ooni-probe.git) which may be
interesting, depending on how stealthy the probe is.

  - [RFC 7710](https://www.rfc-editor.org/rfc/rfc7710.txt),
    aka. *Captive-Portal Identification Using DHCP or Router Advertisements (RAs)*
  - [Subgraph OS's defector](https://github.com/subgraph/defector)
  - [Elementary OS' _Captive Portal Assistant_](https://launchpad.net/capnet-assist)
  - <https://help.gnome.org/misc/release-notes/3.14/>
  - <https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection>
  - <https://android.stackexchange.com/questions/82977/cyanogenmod-and-privacy>
  - <http://blog.superuser.com/2011/05/16/windows-7-network-awareness/>
  - <https://msdn.microsoft.com/en-us/library/windows/hardware/dn408681.aspx>

Beta testers
============

* San Bergmans <info@sbprojects.com>: FON network, KPN hotspots in the
  Netherlands