An Issue of Trust: Wi-Fi Captive Portal Security

By Dr. Chris Spencer, Group Chief Information Security Officer, GlobalReach Technology


GlobalReach provides Wi-Fi authentication portals (or captive portals) for thousands of enterprise customers, as well as trains, train stations, airports, airlines, shops, shopping centres, offices, stadiums, outdoor venues, and more. A familiar user experience for most Wi-Fi users, the captive portal is the first webpage they see before they’re granted full network access. More than that, it enables secure service access and represents an exchange of trust between the service provider and the user.


As a co-leader of a recent Wireless Broadband Alliance captive portal onboarding guidelines whitepaper released last month, which looked at ways to make it easier to build captive portal solutions and offer a better experience for users, I wanted to expand on today’s captive portal security concerns and stress why rethinking and adapting captive portal journeys can benefit service providers and users.


Captive portals are used in the majority of wireless networks. They work by intercepting, impersonating, and altering the connection between a client and a web server. They put the user in full control as to whether they decide to proceed.  As such, the majority of public Wi-Fi is “open” and labeled “unsecure”. This article looks at the secure captive portal best practice for service providers.


HTTP vs. HTTPS risks

Secure captive portals should direct the user to the intended network and website, whereas malicious services intercept the user request and redirect them to a different destination. For example, it’s a red flag if an online banking customer (either via wireless or wired) is redirected to a different site without warning.  In these cases, Hypertext Transfer Protocol Secure (HTTPS) plays an important part in successful Wi-Fi authentication and mitigates against the risk of these ‘man-in-the-middle attacks.’


HTTPS is the secure version of HTTP, encrypting communication between the browser and the website. HTTPS is already often used to protect confidential online transactions like banking and shopping, clients’ registration information, or subscribers’ user credentials. When HTTPS is used to request a connection to a webpage, the website initially sends an SSL certificate to the browser which contains the public key needed to begin a secure session. The browser and the website then initiate the ‘SSL handshake’ to establish a uniquely secure connection.


Web browsers including Internet Explorer, Firefox, and Chrome will also display a padlock icon on the browser address bar when the domain is protected by SSL. This address bar turns green when an extended validation certificate is installed on a website to visually indicate that an HTTPS connection is in effect. If the HTTPS request is intercepted and redirected to a different destination, any modern browser or operating system will warn users who can choose whether to proceed.


Reasonable personal data exchange?

In 2021 well-designed captive portals have evolved to minimise friction between the user and their intended web destination. Good user journeys should involve the fewest possible steps before the customer is online, but in the rush to be connected, and just a few questions stand between the user and internet access, how can they be convinced that the captive portal is trustworthy?


Captive portals are an extension of the brand and a relationship channel between the organisation and its customers or employees. They should look and feel like the brand, the URL should be accurate, have a user journey in line with the brand experience and only ever capture details that are necessary to get online.


I give the example of an airport’s Wi-Fi service I once used that asked ten questions before I could get access. It was unnecessary and, had I gone ahead, would have involved the exchange of PII.  Advances in Wi-Fi analytics mean that enterprises can more accurately discover user patterns, visit frequency, dwell times, user device types, and languages used across an entire network or down to a single access point after users have authenticated. It’s wrong to ask users to trade their personal data in exchange for Wi-Fi and any captive portal that does raise another red flag.


Our team is involved in developing captive portal user journeys that remove friction between the brand and user, yet provide valuable anonymous analytics to many large organisations. 


If any information-sharing regarding the device and the user takes place, data privacy must be appropriately handled. Data privacy laws including GDPR (General Data Protection Regulation) and the 2020 CCPA (California Consumer Privacy Act) protect citizens wherever they are, and service providers should work with a captive portal provider that is familiar with the legal implications, like GlobalReach.


What are the options for my WLAN gateway?


  1. Apply HTTPS: It is designed to stop traffic interception and will always display a warning that traffic is being redirected. 
  2. Allow all HTTPS traffic by default for all un-authenticated devices: This is possible but raises some issues for accounted traffic. User traffic is not normally allocated to their account until they are authenticated. Therefore any traffic that devices generate over HTTPS will be unaccounted for. As more and more of the internet converts to HTTPS, there are fewer opportunities to intercept the user and return a captive portal.
  3. Drop all HTTPS traffic: The users’ device would not be able to access resources delivered over HTTPS. They would eventually see a “page can not be found” message in their browser and the request would simply time out.


Ultimately, the choice is a trade between usability, bandwidth cost, and an effective interception which will differ for various use cases. Our team of captive portal experts can help you make this choice.


The future

To address the open nature of captive portal services, the Wi-Fi Alliance encourages the industry to use a certification program for over-the-air encryption under the title of Enhanced Open (EO).


Enhanced Open allows for wireless encryption to be used on an open network (with no passwords or codes) just like today’s open networks but with air encryption, many vendors have implemented an option to enable this on the networks regular SSID, offering full backward compatibility for none EO client devices.


Additionally, one standard to keep a lookout for is the new standard RFC8592 Capport (Captive Portal Interaction). This defines the captive portal and the client device’s captivity status, this information is exchanged within an extension to the DHCP protocol. As this standard gets adopted it may become a better user experience.  It provides the captive portal location during the IP address assignment within an option packet, eliminating all of the guessing and probing that was previously needed for captive portal detection.


Contact GlobalReach to deliver secure capture portals for your services.