by jimeh 4224 days ago
I was recently in the same situation as the author of this post. And as far as I can figure, the reason HTTPS is disabled is that the BT Wifi hotspots require you to log in with username/password on a custom page before you can access the internet. Most people's default thing to do is google something, which then redirects them to the BT Wifi login page, but this only works if Google is being served up via HTTP, otherwise BT wouldn't be able to hijack the request and redirect you to the login page.

Hence it's probably not got much to do with privacy, and more to do with usability.

If +90% of users just got HTTPS/SSL security warnings from their browsers instead of a BT Wifi login page, they wouldn't be able to use BT Wifi unless they're of the minority who know and understand how HTTP/HTTPS connections work.

2 comments

It's worth noting however that both recent Windows and Mac OSes at least detect captive portals automatically and show the login page themselves, making elaborate and insecure hacks like that unnecessary.
That is true, but everyone isn't running even recent-ish OSs. Also, having relied on BT Wifi for about 2 weeks recently, I can definitely confirm that OSX's detection doesn't always work. About 80% of the time, it's fine; the other 20% it's google for "asdf" and get redirected.

Also, BT Wifi tends to log you out every 20 minutes to 6 hours, seemingly at random, forcing you to log in with your credentials again, and this need to re-login is something that OSX never detected.

Isn't that a security hazard? The mechanism of these captive portals is literally a MITM attack, and I don't see how to distinguish a benevolent from a malevolent use of it.
There is an official HTTP status code, but obviously no one uses it yet.
> otherwise BT wouldn't be able to hijack the request and redirect you to the login page.

They do capture and redirect SSL traffic on first connection, resulting in a security warning on Firefox. So it's not a technical limitation.

Prior to login, all DNS requests for the new MAC are spoofed to direct to the login service regardless of protocol.
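
The automatic captive-portal detection and the HTTP status code mentioned in the comments above, sketched as an added example that is not part of the thread or any vendor's code: a plain-HTTP probe fetches a known URL without following redirects and classifies the answer, including status 511 (Network Authentication Required, RFC 6585). The probe path, expected body, `portal.example` and the local stand-in server are assumptions constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/probe"      # assumed probe URL path (hypothetical)
PROBE_BODY = b"success\n"  # assumed known-good body of the real probe host

def make_handler(mode):
    """Constructed stand-in network: 'open', 'redirect', '511' or 'rewrite'."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "redirect":
                self.send_response(302)
                self.send_header("Location", "http://portal.example/login")
                body = b""
            elif mode == "511":
                self.send_response(511)
                body = b"<a href='http://portal.example/login'>log in</a>"
            else:
                self.send_response(200)
                body = PROBE_BODY if mode == "open" else b"<html>Please log in</html>"
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo quiet
    return Handler

def probe(host, port):
    """GET the probe URL over plain HTTP, never following redirects, and classify."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", PROBE_PATH)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status == 511:
        return "captive (511 Network Authentication Required)"
    if 300 <= resp.status < 400:
        return "captive (redirect to %s)" % resp.getheader("Location")
    if resp.status == 200 and body == PROBE_BODY:
        return "open"
    return "captive (probe content rewritten)"

def run_demo(mode):
    with HTTPServer(("127.0.0.1", 0), make_handler(mode)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
```

A 200 response with the wrong body is the case a status-only check misses: the portal answered in place of the probe host, so the content comparison is what catches it.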