Detect restricted network access

Users and developers helping users with technical Pale Moon issues (Windows and other non-Linux O.S.). Please direct questions about the Linux version to the appropriate Linux board.

Moderator: trava90

Forum rules
This board is for technical/usage questions and troubleshooting for the Pale Moon browser only. The main focus here is on Pale Moon on Windows. Please direct your questions for Linux, Android and Mac to the dedicated boards.
Technical issues and questions not related to the Pale Moon browser should be posted in "technical chat"
Please keep off-topic and general discussion out of this board, thank you!
Post Reply
User avatar
Konrad
Fanatic
Fanatic
Posts: 113
Joined: 2018-11-17, 18:19

Detect restricted network access

Post by Konrad » 2019-10-10, 04:34

Preferences > Advanced > General > Captive portals > Detect restricted network access

Can anybody explain this setting please?
What happens when Detect restricted network access is checked and unchecked?

The Help page says nothing about this.

User avatar
moonbat
Board Warrior
Board Warrior
Posts: 1076
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Post by moonbat » 2019-10-10, 04:41

A captive portal is a form of public wifi network login page - when you connect to the network, it pops up the page first before you can do anything else. You can easily see this on an Android phone connecting to a free public network like at an airport or mall -it may ask you to authenticate with an SMS code before granting network access.

You may need to turn this on if you're using your laptop in such a setting, not otherwise.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.3 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1162
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Post by John connor » 2019-10-10, 04:59

I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
moonbat
Board Warrior
Board Warrior
Posts: 1076
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Post by moonbat » 2019-10-10, 05:07

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Maybe it's a troubleshooting option in case the portal isn't getting detected.
Off-topic:
Seen similar issues on Android where the portal window doesn't open if you change the default browser from Chrome. I use this app called Wifi Web Login that can autofill the login fields on captive portals that you regularly use, like a guest wifi network at work.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.3 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
Konrad
Fanatic
Fanatic
Posts: 113
Joined: 2018-11-17, 18:19

Re: Detect restricted network access

Post by Konrad » 2019-10-10, 06:27

I got it. Thank you, moonbat!

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 25790
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Detect restricted network access

Post by Moonchild » 2019-10-10, 10:38

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6723
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Detect restricted network access

Post by New Tobin Paradigm » 2019-10-10, 10:50

Also unlike Mozilla or Google, if the specific Pale Moon server being pinged is storing logs at all then it is only for debugging and abuse checking reasons for a short window of time and as such if there is no debugging or abuse instances no one sees them and they just get purged as they leave the time window.. This goes for all the servers under our control that the browser may connect to.

So the tangible privacy cost is next to zero but of course the wackos, people with stationary workstations, or just those unintrested in this fearure can keep it under their control in good Pale Moon fasion.
Last edited by New Tobin Paradigm on 2019-10-10, 11:02, edited 1 time in total.
Image
- You should never hand someone a gun unless you're sure where they'll point it. -
https://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Board Warrior
Board Warrior
Posts: 1076
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Post by moonbat » 2019-10-10, 10:59

So this captive portal detection works by the browser trying to reach a known server? I thought it was an OS feature, since I've only used it on Android.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.3 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6723
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Detect restricted network access

Post by New Tobin Paradigm » 2019-10-10, 11:07

I believe so yeah. I also think there is a pref that contains the url as well so if you change it to your own server that gives the correct response you can use it without involving us.

Have to check though.
Image
- You should never hand someone a gun unless you're sure where they'll point it. -
https://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1162
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Post by John connor » 2019-10-11, 05:10

Looks like the pref is: captivedetect.canonicalURL

Edit-

I have a DDDNS domain for my router WAN. Could I somehow use that? Or perhaps a well-known link from my own website? So like website.com/files/verify.txt ?
Last edited by John connor on 2019-10-11, 05:14, edited 1 time in total.
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1162
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Post by John connor » 2019-10-11, 05:11

Moonchild wrote:
2019-10-10, 10:38
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
Thanks for the explanation.

Now explain the wolf with a clever in its head. :lol:
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 25790
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Detect restricted network access

Post by Moonchild » 2019-10-11, 07:34

Off-topic:
F22 Simpilot wrote:
2019-10-11, 05:11
Now explain the wolf with a clever in its head. :lol:
It's the kind of headache you give me!
But actually, 'tis for the season.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1060
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: Detect restricted network access

Post by Isengrim » 2019-10-11, 14:22

Moonchild wrote:
2019-10-11, 07:34
Off-topic:
It's the kind of headache you give me!
But actually, 'tis for the season.
Off-topic:
I figured the wolf just had an ax-ident. ;)
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Post Reply