Detect restricted network access

Users and developers helping users with generic and technical Pale Moon issues on all operating systems.

Moderator: trava90

Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
User avatar
Konrad
Fanatic
Fanatic
Posts: 142
Joined: 2018-11-17, 18:19

Detect restricted network access

Unread post by Konrad » 2019-10-10, 04:34

Preferences > Advanced > General > Captive portals > Detect restricted network access

Can anybody explain this setting please?
What happens when Detect restricted network access is checked and unchecked?

The Help page says nothing about this.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45
Contact:

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 04:41

A captive portal is a form of public wifi network login page - when you connect to the network, it pops up the page first before you can do anything else. You can easily see this on an Android phone connecting to a free public network like at an airport or mall -it may ask you to authenticate with an SMS code before granting network access.

You may need to turn this on if you're using your laptop in such a setting, not otherwise.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

John connor

Re: Detect restricted network access

Unread post by John connor » 2019-10-10, 04:59

I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45
Contact:

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 05:07

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Maybe it's a troubleshooting option in case the portal isn't getting detected.
Off-topic:
Seen similar issues on Android where the portal window doesn't open if you change the default browser from Chrome. I use this app called Wifi Web Login that can autofill the login fields on captive portals that you regularly use, like a guest wifi network at work.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

User avatar
Konrad
Fanatic
Fanatic
Posts: 142
Joined: 2018-11-17, 18:19

Re: Detect restricted network access

Unread post by Konrad » 2019-10-10, 06:27

I got it. Thank you, moonbat!

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Detect restricted network access

Unread post by Moonchild » 2019-10-10, 10:38

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

New Tobin Paradigm

Re: Detect restricted network access

Unread post by New Tobin Paradigm » 2019-10-10, 10:50

Also unlike Mozilla or Google, if the specific Pale Moon server being pinged is storing logs at all then it is only for debugging and abuse checking reasons for a short window of time and as such if there is no debugging or abuse instances no one sees them and they just get purged as they leave the time window.. This goes for all the servers under our control that the browser may connect to.

So the tangible privacy cost is next to zero but of course the wackos, people with stationary workstations, or just those unintrested in this fearure can keep it under their control in good Pale Moon fasion.
Last edited by New Tobin Paradigm on 2019-10-10, 11:02, edited 1 time in total.

User avatar
moonbat
Knows the dark side
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45
Contact:

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 10:59

So this captive portal detection works by the browser trying to reach a known server? I thought it was an OS feature, since I've only used it on Android.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Image
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

New Tobin Paradigm

Re: Detect restricted network access

Unread post by New Tobin Paradigm » 2019-10-10, 11:07

I believe so yeah. I also think there is a pref that contains the url as well so if you change it to your own server that gives the correct response you can use it without involving us.

Have to check though.

John connor

Re: Detect restricted network access

Unread post by John connor » 2019-10-11, 05:10

Looks like the pref is: captivedetect.canonicalURL

Edit-

I have a DDDNS domain for my router WAN. Could I somehow use that? Or perhaps a well-known link from my own website? So like website.com/files/verify.txt ?
Last edited by John connor on 2019-10-11, 05:14, edited 1 time in total.

John connor

Re: Detect restricted network access

Unread post by John connor » 2019-10-11, 05:11

Moonchild wrote:
2019-10-10, 10:38
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
Thanks for the explanation.

Now explain the wolf with a clever in its head. :lol:

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Detect restricted network access

Unread post by Moonchild » 2019-10-11, 07:34

Off-topic:
F22 Simpilot wrote:
2019-10-11, 05:11
Now explain the wolf with a clever in its head. :lol:
It's the kind of headache you give me!
But actually, 'tis for the season.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: Detect restricted network access

Unread post by Isengrim » 2019-10-11, 14:22

Moonchild wrote:
2019-10-11, 07:34
Off-topic:
It's the kind of headache you give me!
But actually, 'tis for the season.
Off-topic:
I figured the wolf just had an ax-ident. ;)
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Locked