33

Captive Wi-Fi portals suck.

Often when I open a HTTP site in a browser (desktop Chrome or mobile Chrome), I get the captive portal, but with auto-completion and so quickly I connect again to Wi-Fi.

The problem is that after the captive portal redirects, I'll have also a HTTPS redirect and Chrome remembers the certificate and to use only HTTPS. So I cannot use the same site twice (in a session).

A well-known public HTTP only site will resolve this. Well-known sites usually work, causing less debugging of the Wi-Fi connection.

Matthias Braun
  • 1,162
  • 1
  • 17
  • 29
Giacomo Catenazzi
  • 886
  • 1
  • 7
  • 11
  • 1
    This question doesn’t only apply to Chrome. It applies to any browser respecting HTTP Strict Transport Security and affects many users in the modern world full of public portaled WiFi APs. – binki Aug 27 '18 at 18:48
  • 1
    Try using http://www.neverssl.com – Worthwelle Jul 02 '19 at 20:12

4 Answers4

51

A well-known public HTTP only site will resolve this

You can use http://neverssl.com:

What?

This website is for when you try to open Facebook, Google, Amazon, etc on a wifi network, and nothing happens. Type "http://neverssl.com" into your browser's url bar, and you'll be able to log on.

How?

neverssl.com will never use SSL (also known as TLS). No encryption, no strong authentication, no HSTS, no HTTP/2.0, just plain old unencrypted HTTP and forever stuck in the dark ages of internet security.

Why?

Normally, that's a bad idea. You should always use SSL and secure encryption when possible. In fact, it's such a bad idea that most websites are now using https by default.

And that's great, but it also means that if you're relying on poorly-behaved wifi networks, it can be hard to get online. Secure browsers and websites using https make it impossible for those wifi networks to send you to a login or payment page. Basically, those networks can't tap into your connection just like attackers can't. Modern browsers are so good that they can remember when a website supports encryption and even if you type in the website name, they'll use https.

And if the network never redirects you to this page, well as you can see, you're not missing much.

DavidPostill
  • 153,128
  • 77
  • 353
  • 394
  • 9
    Also: http://google.com/generate_204. It's recognized by chrome and is actually used to detect the captive portal in the first place. Works great. – GiantTree May 26 '17 at 14:20
  • 1
    …except in networks which spoof replies to known captive-portal detection mechanisms. Yes, apparently people do that. :( – u1686_grawity May 27 '17 at 18:09
  • 5
    A lot of times I use "captive.apple.com", which is what iOS looks for when it tries to detect a captive portal. I do this on my Linux-based laptop to get the captive portal login. – Virtually Nick Jan 23 '18 at 17:19
  • 4
    neverssl.com now redirects to https://innermajesticgrandyawn.neverssl.com/online ...so I guess they should change their name? – Matt Dec 02 '21 at 17:46
  • @Matt Neverssl now redirects to too many of such combinations to work around different set of issues. Updates here - http://neverssl.com/changes or here - https://web.archive.org/web/20211021035030/http://neverssl.com/changes for someone from future. This redirection is detailed under sub heading "Enhanced Cache-busting" – Pavan Kumar Dec 10 '21 at 10:20
6

These answers came from the comments and I believe they need a separate entry in the answers so they can be easily found.

http://google.com/generate_204

(from @GiantTree)

http://captive.apple.com/

(from Virtually Nick)

http://detectportal.firefox.com/success.txt

(added here because similarly used by a browser)

NeverSSL did not work in my ISP's captive portal but the one from Google did.

dave_thompson_085
  • 2,910
  • 1
  • 15
  • 18
Majal
  • 826
  • 2
  • 10
  • 19
2

This website is for testing ssl: https://badssl.com/

It includes several subdomains that intentionally will never have ssl enabled, such as:

For some reason, when I tried http://neverssl.com, I was forwarded to a different website with SSL enabled: https://wholesilveryoungsecret.neverssl.com/online/. So it seems that it currently can't serve its one intended purpose.

badssl.com seems more reliable now.

ADJenks
  • 237
  • 2
  • 4
  • I believe there's more to it. Perhaps some networks block or cache http://neverssl.com. Mine forwards to http://brightsilverlushplan.neverssl.com/online/ or http://majesticshiningtranscendentbirds.neverssl.com/online/ – h q Mar 02 '23 at 12:21
1

Old thread, but here's another one: http://httpforever.com/

CameronGo
  • 11
  • 1