by lmz 1802 days ago
Yup. I thought this (captive portal detection) was common knowledge? Android also does this.

I believe NCSI probes are also purposefully HTTP because captive portals MITM all traffic to force authentication. If it was HTTPS the probe would fail with a certificate error. The whole point is that the URL can be hijacked. This is not really a vulnerability; they have just independently discovered this feature.
The certificate error is of itself diagnostic of a portal rather than a proxy. The reason to use HTTP is that some portal systems just drop TLS connections until authenticated. (Which is the correct behavior, rather than MITM.)

Opening the browser automatically is a big bug that should be easy to fix.

It's not a bug, it is quite literally the feature, and something that also happens on Android and iOS, and I believe even on recent releases of GNOME.
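
An added example, not part of the thread and not NCSI's own code: a sketch of how a client can classify the outcomes discussed above, treating a hijacked plain-HTTP probe as the portal signal and a parallel HTTPS attempt as supporting evidence. `EXPECTED_BODY`, the `portal.example` URL and the three sample responses are constructed assumptions.

```python
# Added example; EXPECTED_BODY and the sample responses are constructed.
from dataclasses import dataclass
from typing import Optional

EXPECTED_BODY = b"probe-ok"  # hypothetical known-good probe body

TLS_NOTES = {
    "ok": "TLS unaffected",
    "cert_error": "TLS intercepted (certificate error)",
    "dropped": "TLS connections dropped",
}

@dataclass
class Verdict:
    state: str                 # internet | captive-portal | inconclusive | offline
    login_url: Optional[str]   # redirect target, when the portal sent one
    tls_note: str

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(http_raw: Optional[bytes], tls_outcome: str) -> Verdict:
    """http_raw: plain-HTTP probe response, or None if nothing answered.
    tls_outcome: result of a parallel HTTPS request (a key of TLS_NOTES)."""
    note = TLS_NOTES[tls_outcome]
    if http_raw is None:
        return Verdict("offline", None, note)
    status, headers, body = parse_response(http_raw)
    if status == 200 and body.strip() == EXPECTED_BODY:
        # HTTP probe untouched; a failing HTTPS check still needs explaining.
        state = "internet" if tls_outcome == "ok" else "inconclusive"
        return Verdict(state, None, note)
    # Anything else answered in place of the probe server: the hijack is the signal.
    login = headers.get("location") if 300 <= status < 400 else None
    return Verdict("captive-portal", login, note)

# Constructed sample responses
OPEN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nprobe-ok"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
REWRITE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Sign in</html>"
```

The redirect target is only reported, never trusted: a client that opens it should do so in an isolated, cookie-less browser context.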