Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
"James Wood" <james.wood@purplewifi.com> Tue, 18 April 2017 15:21 UTC
Return-Path: <james.wood@purplewifi.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 546FA127867 for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 08:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=purplewifi-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NldIMixZrWSS for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 08:21:47 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75395126E01 for <captive-portals@ietf.org>; Tue, 18 Apr 2017 08:21:47 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id o21so105021556wrb.2 for <captive-portals@ietf.org>; Tue, 18 Apr 2017 08:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=purplewifi-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=czvtFeMpS60h4Pepv61aRYXJVTrwYXc5JVd7BVdySW8=; b=f8stcu7xxnILnIVMCDwYi3rAkaPoQFzbKym11adHJ1QazwbEI2B/EvBiDiJJQb6bz0 cG4eDVGI/igWdlL1LJI58VawgOaNDCJBCTftjQdmnrqwur7ZSaZdTCu49KDfc2cfOl92 6Do4vzKUsgCI51Z54/NSuItYRkyV6V6lCjOvOmiUUAQnZwY8+9P2KCuwImLzR+KsSRgn COPTy5DsRpz3w5ogyuCRU8MVBDLNmSU+/Idk/gmQJmQn7aaOzazJPn+XlWIoBWmSFigh 3vke5oTwxQnWYfKV+V2v9OtOK4Lz6eBWwukmS03n6OXBSZczORLvCm8fVlp5aN3glYmy lnJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=czvtFeMpS60h4Pepv61aRYXJVTrwYXc5JVd7BVdySW8=; b=PJ4rD9yYlU5foI9hgenhCijvfcGekL/54PnFWB/jLWZYMRmRddwUePbdE6kp9+CzV9 iA4zYR4ZVgYVRdG+kIgBN0aaiuNvi0OAPyT0ZyDK56K/r4q3wNa9hZONUjhFfCjqK04v f/fLBL7EHg2gGv8lUoV4Kx1EpCmzcDOF3sGF39JgYus9yH8RKsVyB5twGXcOlxoVldBg yf0SKKXAjrEtjfwvKp/YE5L5bMSTMzU6ED3/xdpOLSozLZC5G5Di5GXLV7iIr+CM4zll U1ZGUTGsPjrMiim18CGNgSSDmLqXIrnAn+CsGwUrE+YNj6mBHr6ebSlUqumdIQOqvKro Vufw==
X-Gm-Message-State: AN3rC/7D7MT1jPLeuhyVs3L/wfp62tZ+xu3Dkz5YlkcqmlvQIMMyPy2n tMh0KBlQJEp3mvSToAY=
X-Received: by 10.223.171.234 with SMTP id s97mr26388627wrc.167.1492528905573; Tue, 18 Apr 2017 08:21:45 -0700 (PDT)
Received: from PWJ ([88.97.18.78]) by smtp.googlemail.com with ESMTPSA id 59sm19177939wrl.48.2017.04.18.08.21.44 for <captive-portals@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Apr 2017 08:21:44 -0700 (PDT)
From: James Wood <james.wood@purplewifi.com>
To: captive-portals@ietf.org
Date: Tue, 18 Apr 2017 16:21:42 +0100
Message-ID: <026901d2b857$7c091040$741b30c0$@purplewifi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdK4VwX87jLJleJdT9iyu7jBysxWVA==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/_HCz3hPiqvR254rA57aQ47yw_iw>
Subject: Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 15:21:49 -0000
Hi First of all, great progress appears to have been made with 7710 and capport/icmp-unreach. Good job! As a global WiFi provider I would like add our thoughts on the discussions to date along with my personal views of the problems/challenges we face with captive portals today. I'm hoping I can contribute to this WG by expressing views from the 'other side', and why captive portals are still important to WiFi operators. Most providers including ourselves require a portal to be displayed for a number of reasons. Many have already been covered but to confirm, some countries require (legally) to capture certain information (such as a valid mobile/cell number to validate it's a real person/device), or accept T&C's/Privacy policies in respect of the country the hostpot is located. Other reasons are for advertising, providing seamless logins (i.e. we know the MAC of the device so we can bypass the portal page and instead present a welcome back page). But, the real reason most providers insist on a user going through a portal is to understand who is using their free wifi. There has to be some payback to the operator/customer and data capture is this. They may not use the data to market, but just look at how many people connect and at what times of day etc, or they may send promotional emails to users who login etc. So, captive portals are great as a way to onboard and capture some details. That said, we face daily challenges with captive portals. To name a few: 1. Security. Nobody prefers to join an open network, but most end up doing because that's the way it is. The hype around Hotspot 2.0 came and went as that was never really deisgned to help captive portals but rather for seamless, non-interaction from the user. As a portal provider, we don't want that, we want to show a portal even if it's just a 'welcome back, you're now online' message. 2. More devices/browers/web servers are defaulting to checking/redirecting to a HTTPs URL. As you know, when in a captive portal/walled garden state, this will cause a problem because you can't intercept a HTTPs request (rightly so!) to a captive portal page without a browser/certificate warning. This breaks everything from the end user perspective. 3. Built-in OS captive popups provide limited browser functionality/cookies/etc. When trying to offer login options like Facebook, it can really affect the user experience when cookies are not permitted or other features disabled. The behaviour is also different per device. In Android 5.0+, the captive portal window immediately dissappears when the user is authenticated. This is a pain for us as we want to display a "you are now online" page, or redirect the user to a landing page with information etc. 4. Walled garden. It's a nightmare having to manage lists of domains/IP's across all the different vendors kit out there. For example to offer a social login through Facebook we need to allow certain domains like facebook.com, akamaihd.net and connect.facebook.net etc. This is all static lists inside an AP/controller, and would be a nightmare to update should Facebook change the URLs they send authentication requests throught etc. How about some way to dynamicly pass back a list of domains as part of the DHCP option or some other way to allow the operator to set the required domains at time of connection? Or, how about, as part of the capport API, we are able to send a list of domains back to the AP, so if someone chooses Facebook, we open the Facebook domains for that MAC for a few minutes to allow them to login. Other thoughts... I had a look at "draft-wkumari-capport-icmp-unreach-02". I note that it describes the example URL that could be returned as part of the captive portal URL: https://wifi.domain.com/portal?icmp_session=10&policy_class=100. However, what about the other traditional parameters that a captive portal redirect injects? As a minimum, we need the ap_mac, client_mac and login_url to which we post the login request back to (traditional captive portal login request). Without such parameters, we cannot identify the venue/ap/client and provide the relevant portal splash page and user specific options. I may have misunderstood this? Does anyone here see Hotspot 2.0 (release 2 or further in particular) and OSU as the answer? I don't think I do. It just doesn't seem to help us as a provider but instead tries to be around getting the user online as quickly and without any interaction. Providers are all for making it easy for users to on board, but they need to get something out of it to make it pay. I am more than willing to take any questions and offer as much insight as I can. Thanks James
- Re: [Captive-portals] A view from a WiFi provider… Dave Dolson
- Re: [Captive-portals] A view from a WiFi provider… David Bird
- Re: [Captive-portals] A view from a WiFi provider… James Wood
- Re: [Captive-portals] A view from a WiFi provider… Joel Jaeggli
- Re: [Captive-portals] A view from a WiFi provider… Erik Kline