Detect restricted network access

Posted: 2019-10-10, 04:34
by Konrad
Preferences > Advanced > General > Captive portals > Detect restricted network access

Can anybody explain this setting please?
What happens when Detect restricted network access is checked and unchecked?

The Help page says nothing about this.

Re: Detect restricted network access

Posted: 2019-10-10, 04:41
by moonbat
A captive portal is a form of public wifi network login page - when you connect to the network, it pops up the page first before you can do anything else. You can easily see this on an Android phone connecting to a free public network like at an airport or mall - it may ask you to authenticate with an SMS code before granting network access.

You may need to turn this on if you're using your laptop in such a setting, not otherwise.

Re: Detect restricted network access

Posted: 2019-10-10, 04:59
by F22 Simpilot
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.

Re: Detect restricted network access

Posted: 2019-10-10, 05:07
by moonbat
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Maybe it's a troubleshooting option in case the portal isn't getting detected.
Off-topic:
Seen similar issues on Android where the portal window doesn't open if you change the default browser from Chrome. I use this app called Wifi Web Login that can autofill the login fields on captive portals that you regularly use, like a guest wifi network at work.

Re: Detect restricted network access

Posted: 2019-10-10, 06:27
by Konrad
I got it. Thank you, moonbat!

Re: Detect restricted network access

Posted: 2019-10-10, 10:38
by Moonchild
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? Because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.

Re: Detect restricted network access

Posted: 2019-10-10, 10:50
by New Tobin Paradigm
Also unlike Mozilla or Google, if the specific Pale Moon server being pinged is storing logs at all then it is only for debugging and abuse checking reasons for a short window of time and as such if there is no debugging or abuse instances no one sees them and they just get purged as they leave the time window. This goes for all the servers under our control that the browser may connect to.

So the tangible privacy cost is next to zero but of course the wackos, people with stationary workstations, or just those uninterested in this feature can keep it under their control in good Pale Moon fashion.

Re: Detect restricted network access

Posted: 2019-10-10, 10:59
by moonbat
So this captive portal detection works by the browser trying to reach a known server? I thought it was an OS feature, since I've only used it on Android.

Re: Detect restricted network access

Posted: 2019-10-10, 11:07
by New Tobin Paradigm
I believe so yeah. I also think there is a pref that contains the url as well so if you change it to your own server that gives the correct response you can use it without involving us.

Have to check though.

Re: Detect restricted network access

Posted: 2019-10-11, 05:10
by F22 Simpilot
Looks like the pref is: captivedetect.canonicalURL

Edit-

I have a DDNS domain for my router WAN. Could I somehow use that? Or perhaps a well-known link from my own website? So like website.com/files/verify.txt ?
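
Added example, not part of the original thread and not Pale Moon's own code: a sketch of the plaintext check Moonchild describes, pointed at a self-hosted file as asked above. The expected body, the `/files/verify.txt` path and the local stand-in server are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

EXPECTED = b"success\n"  # constructed placeholder; the thread does not give the real file content

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx: a redirect is itself the portal signal

def check_portal(url, expected=EXPECTED, timeout=5):
    """Classify the network as 'open', 'portal' or 'offline' from one plaintext fetch."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(len(expected) + 1)  # bounded read of untrusted data
    except urllib.error.HTTPError:
        return "portal"   # redirect or error status substituted by the network
    except (urllib.error.URLError, OSError):
        return "offline"  # nothing answered at all
    return "open" if body == expected else "portal"

def simulate(mode):
    """Run the check against a local stand-in: 'open', 'html', 'redirect' or 'offline'."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "redirect":
                self.send_response(302)
                self.send_header("Location", "http://portal.invalid/login")
                body = b""
            else:
                self.send_response(200)
                body = EXPECTED if mode == "open" else b"<html>Please log in</html>"
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/files/verify.txt" % srv.server_address[1]
    if mode == "offline":  # stop the server first so the port refuses connections
        srv.shutdown(); srv.server_close()
        return check_portal(url, timeout=2)
    try:
        return check_portal(url)
    finally:
        srv.shutdown(); srv.server_close()
```

The check treats the response as untrusted input: it reads a bounded number of bytes, compares them exactly, and never follows the redirect a portal hands back.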

Re: Detect restricted network access

Posted: 2019-10-11, 05:11
by F22 Simpilot
Moonchild wrote:
2019-10-10, 10:38
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? Because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
Thanks for the explanation.

Now explain the wolf with a cleaver in its head. :lol:

Re: Detect restricted network access

Posted: 2019-10-11, 07:34
by Moonchild
Off-topic:
F22 Simpilot wrote:
2019-10-11, 05:11
Now explain the wolf with a cleaver in its head. :lol:
It's the kind of headache you give me!
But actually, 'tis for the season.

Re: Detect restricted network access

Posted: 2019-10-11, 14:22
by Isengrim
Moonchild wrote:
2019-10-11, 07:34
Off-topic:
It's the kind of headache you give me!
But actually, 'tis for the season.
Off-topic:
I figured the wolf just had an ax-ident. ;)