Detect restricted network access
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
-
- Fanatic
- Posts: 142
- Joined: 2018-11-17, 18:19
Detect restricted network access
Preferences > Advanced > General > Captive portals > Detect restricted network access
Can anybody explain this setting please?
What happens when Detect restricted network access is checked and unchecked?
The Help page says nothing about this.
-
- Knows the dark side
- Posts: 4983
- Joined: 2015-12-09, 15:45
Re: Detect restricted network access
A captive portal is a form of public wifi network login page - when you connect to the network, it pops up the page first before you can do anything else. You can easily see this on an Android phone connecting to a free public network like at an airport or mall - it may ask you to authenticate with an SMS code before granting network access.
You may need to turn this on if you're using your laptop in such a setting, not otherwise.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: Detect restricted network access
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
-
- Knows the dark side
- Posts: 4983
- Joined: 2015-12-09, 15:45
Re: Detect restricted network access
F22 Simpilot wrote: ↑2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Maybe it's a troubleshooting option in case the portal isn't getting detected.
Off-topic:
Seen similar issues on Android where the portal window doesn't open if you change the default browser from Chrome. I use this app called Wifi Web Login that can autofill the login fields on captive portals that you regularly use, like a guest wifi network at work.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
-
- Fanatic
- Posts: 142
- Joined: 2018-11-17, 18:19
Re: Detect restricted network access
I got it. Thank you, moonbat!
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Detect restricted network access
F22 Simpilot wrote: ↑2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? Because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.
I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.
Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Detect restricted network access
Also unlike Mozilla or Google, if the specific Pale Moon server being pinged is storing logs at all then it is only for debugging and abuse checking reasons for a short window of time and as such if there is no debugging or abuse instances no one sees them and they just get purged as they leave the time window. This goes for all the servers under our control that the browser may connect to.
So the tangible privacy cost is next to zero but of course the wackos, people with stationary workstations, or just those uninterested in this feature can keep it under their control in good Pale Moon fashion.
Last edited by New Tobin Paradigm on 2019-10-10, 11:02, edited 1 time in total.
-
- Knows the dark side
- Posts: 4983
- Joined: 2015-12-09, 15:45
Re: Detect restricted network access
So this captive portal detection works by the browser trying to reach a known server? I thought it was an OS feature, since I've only used it on Android.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: Detect restricted network access
I believe so yeah. I also think there is a pref that contains the url as well so if you change it to your own server that gives the correct response you can use it without involving us.
Have to check though.
Re: Detect restricted network access
Looks like the pref is: captivedetect.canonicalURL
Edit-
I have a DDNS domain for my router WAN. Could I somehow use that? Or perhaps a well-known link from my own website? So like website.com/files/verify.txt ?
Last edited by John connor on 2019-10-11, 05:14, edited 1 time in total.
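The check Moonchild describes above (request a well-known file, compare the plaintext body with what the browser expects) and the self-hosted variant asked about in the last post, as an added example that is not Pale Moon's code. The URL and expected body are placeholders, and `classifyProbe`, `probe` and the sample responses are hypothetical names constructed here.

```javascript
// Added example: classify the answer to a captive-portal probe.
// CANONICAL_URL and EXPECTED_BODY are placeholders (assumptions), not
// Pale Moon's real values; the thread only names the host and the pref.
const CANONICAL_URL = "http://portal-check.example/verify.txt";
const EXPECTED_BODY = "success\n";

// resp: { status, body }, or null when the request failed outright.
function classifyProbe(resp, expectedBody = EXPECTED_BODY) {
  if (resp === null) return "offline";      // DNS failure, no route, timeout
  if (resp.status === 200 && resp.body === expectedBody) {
    return "open";                          // well-known file came back untouched
  }
  // Anything else means something answered in the server's place:
  // a 3xx to a login page, a 200 carrying HTML, or 511 (RFC 6585).
  return "portal";
}

// Live probe for Node 18+. Redirects are not followed, so a gateway's
// 302 is seen as a 302 instead of as the login page it points to.
async function probe(url = CANONICAL_URL, expectedBody = EXPECTED_BODY) {
  try {
    const r = await fetch(url, { redirect: "manual" });
    return classifyProbe({ status: r.status, body: await r.text() }, expectedBody);
  } catch (err) {
    return classifyProbe(null, expectedBody);
  }
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  open:     { status: 200, body: "success\n" },
  redirect: { status: 302, body: "" },
  injected: { status: 200, body: "<html><form action='/login'></form></html>" },
  authReq:  { status: 511, body: "Network Authentication Required" },
  trimmed:  { status: 200, body: "success" },   // body altered in transit
  dead:     null,
};

// Run the classifier over every sample and return name -> verdict.
function classifyAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, resp]) => [name, classifyProbe(resp)]));
}
```

The answer to a plain-HTTP probe is unauthenticated, so the verdict is only a hint to show the login page, not evidence about the network.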
Re: Detect restricted network access
Moonchild wrote: ↑2019-10-10, 10:38
F22 Simpilot wrote: ↑2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? Because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.
I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.
Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
Thanks for the explanation.
Now explain the wolf with a cleaver in its head.
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Detect restricted network access
Off-topic:
But actually, 'tis for the season.
It's the kind of headache you give me!
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1325
- Joined: 2015-09-08, 22:54
- Location: 127.0.0.1
Re: Detect restricted network access
Off-topic:
I figured the wolf just had an ax-ident.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story