Detect restricted network access

Users and developers helping users with technical Pale Moon issues (Windows and other non-Linux O.S.). Please direct questions about the Linux version to the appropriate Linux board.

Moderators: trava90, satrow

Forum rules
This board is for technical/usage questions and troubleshooting for the Pale Moon browser only. The main focus here is on Pale Moon on Windows. Please direct your questions for Linux, Android and Mac to the dedicated boards.
Technical issues and questions not related to the Pale Moon browser should be posted in "technical chat"
Please keep off-topic and general discussion out of this board, thank you!
User avatar
Konrad
Moon lover
Moon lover
Posts: 91
Joined: 2018-11-17, 18:19

Detect restricted network access

Unread post by Konrad » 2019-10-10, 04:34

Preferences > Advanced > General > Captive portals > Detect restricted network access

Can anybody explain this setting please?
What happens when Detect restricted network access is checked and unchecked?

The Help page says nothing about this.

User avatar
moonbat
Astronaut
Astronaut
Posts: 721
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 04:41

A captive portal is a form of public wifi network login page - when you connect to the network, it pops up the page first before you can do anything else. You can easily see this on an Android phone connecting to a free public network like at an airport or mall -it may ask you to authenticate with an SMS code before granting network access.

You may need to turn this on if you're using your laptop in such a setting, not otherwise.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
F22 Simpilot
Lunatic
Lunatic
Posts: 429
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Unread post by F22 Simpilot » 2019-10-10, 04:59

I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
If you're that smart and act like a dork, then you're not that smart after all. :geek:

axlil://xagryje.vse/itwkphvv-322

User avatar
moonbat
Astronaut
Astronaut
Posts: 721
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 05:07

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
Maybe it's a troubleshooting option in case the portal isn't getting detected.
Off-topic:
Seen similar issues on Android where the portal window doesn't open if you change the default browser from Chrome. I use this app called Wifi Web Login that can autofill the login fields on captive portals that you regularly use, like a guest wifi network at work.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
Konrad
Moon lover
Moon lover
Posts: 91
Joined: 2018-11-17, 18:19

Re: Detect restricted network access

Unread post by Konrad » 2019-10-10, 06:27

I got it. Thank you, moonbat!

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24817
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Detect restricted network access

Unread post by Moonchild » 2019-10-10, 10:38

F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6175
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Detect restricted network access

Unread post by New Tobin Paradigm » 2019-10-10, 10:50

Also unlike Mozilla or Google, if the specific Pale Moon server being pinged is storing logs at all then it is only for debugging and abuse checking reasons for a short window of time and as such if there is no debugging or abuse instances no one sees them and they just get purged as they leave the time window.. This goes for all the servers under our control that the browser may connect to.

So the tangible privacy cost is next to zero but of course the wackos, people with stationary workstations, or just those unintrested in this fearure can keep it under their control in good Pale Moon fasion.
Last edited by New Tobin Paradigm on 2019-10-10, 11:02, edited 1 time in total.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Astronaut
Astronaut
Posts: 721
Joined: 2015-12-09, 15:45
Location: Australia

Re: Detect restricted network access

Unread post by moonbat » 2019-10-10, 10:59

So this captive portal detection works by the browser trying to reach a known server? I thought it was an OS feature, since I've only used it on Android.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6175
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Detect restricted network access

Unread post by New Tobin Paradigm » 2019-10-10, 11:07

I believe so yeah. I also think there is a pref that contains the url as well so if you change it to your own server that gives the correct response you can use it without involving us.

Have to check though.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
F22 Simpilot
Lunatic
Lunatic
Posts: 429
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Unread post by F22 Simpilot » 2019-10-11, 05:10

Looks like the pref is: captivedetect.canonicalURL

Edit-

I have a DDDNS domain for my router WAN. Could I somehow use that? Or perhaps a well-known link from my own website? So like website.com/files/verify.txt ?
Last edited by F22 Simpilot on 2019-10-11, 05:14, edited 1 time in total.
If you're that smart and act like a dork, then you're not that smart after all. :geek:

axlil://xagryje.vse/itwkphvv-322

User avatar
F22 Simpilot
Lunatic
Lunatic
Posts: 429
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Detect restricted network access

Unread post by F22 Simpilot » 2019-10-11, 05:11

Moonchild wrote:
2019-10-10, 10:38
F22 Simpilot wrote:
2019-10-10, 04:59
I want to chime in here and say I know that myself, but why would there be an option for something like that? I take it that it's a form of MiTM detection in case of a portal you're not privy to or what? I mean, before with FF or Chrome in my phone or a laptop I was just taken directly to the captive portal. No option needed.
In Chrome and Firefox, the option is not presented to the user. Why? because it's enabled by default -- meaning Google and Mozilla servers get pinged by every active browser regularly for this detection in the background. This can record every time you start your browser and for as long as it's running, even if you don't agree to telemetry recording otherwise.
There's an option in Pale Moon because that's an unnecessary and privacy-impacting feature for every browser user who is NOT on a restricted network with a captive portal. So, enable it when you're going to be roaming and using public hotspots and the like, and leave it disabled otherwise.

I think I speak for most Pale Moon users if I say that keeping this disabled by default is desirable.

Full transparency about this option:
When enabled, it will make a request to "detectportal.palemoon.org" for a well-known file, and if what is returned (plaintext) isn't what is expected by the browser, it means open internet access is restricted and the user should be forwarded to the captive portal.
This well-known file is aggressively cached by CloudFlare to restrict this detection to as local access as possible; after all, captive portals are localized and measuring if the originating server can be reached (which might be across the globe from your location) isn't necessary or desired. If you can reach the CF edge server, that's good enough to know if you have access.
Thanks for the explanation.

Now explain the wolf with a clever in its head. :lol:
If you're that smart and act like a dork, then you're not that smart after all. :geek:

axlil://xagryje.vse/itwkphvv-322

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24817
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Detect restricted network access

Unread post by Moonchild » 2019-10-11, 07:34

Off-topic:
F22 Simpilot wrote:
2019-10-11, 05:11
Now explain the wolf with a clever in its head. :lol:
It's the kind of headache you give me!
But actually, 'tis for the season.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
Isengrim
Keeps coming back
Keeps coming back
Posts: 996
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: Detect restricted network access

Unread post by Isengrim » 2019-10-11, 14:22

Moonchild wrote:
2019-10-11, 07:34
Off-topic:
It's the kind of headache you give me!
But actually, 'tis for the season.
Off-topic:
I figured the wolf just had an ax-ident. ;)
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Post Reply