-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathchanges.html
More file actions
177 lines (141 loc) · 7.95 KB
/
changes.html
File metadata and controls
177 lines (141 loc) · 7.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
<html>
<head>
<title>NeverSSL - improvements coming soon</title>
<style>
body {
font-family: Montserrat, helvetica, arial, sans-serif;
font-size: 16x;
color: #444444;
margin: 0;
}
h2 {
font-weight: 700;
font-size: 1.6em;
margin-top: 30px;
}
p {
line-height: 1.6em;
}
.container {
max-width: 650px;
margin: 20px auto 20px auto;
padding-left: 15px;
padding-right: 15px
}
.header {
background-color: #42C0FD;
color: #FFFFFF;
padding: 10px 0 10px 0;
font-size: 2.2em;
}
<!-- CSS from Mark Webster https://gist.github.com/markcwebster/9bdf30655cdd5279bad13993ac87c85d -->
</style>
</head>
<body>
<div class="header">
<div class="container">
<h1>NeverSSL</h1>
</div>
</div>
<div class="content">
<div class="container">
<h2>Beta version</h2>
<p>TLDR: neverssl.com is improving, but you'll barely notice the change except that it
should work in more cases. You can try the beta version right now by going to <a
href="http://neverssl.com/v2">http://neverssl.com/v2</a>.</p>
<h2>Improvements coming soon to NeverSSL</h2>
<p>NeverSSL.com started as a quick and simple fix for a personal nuisance;
getting online at the airport, on planes, in hotels, and at cafés
had been getting harder because broken "Wifi capture" networks don't work
well with HTTPS, and the web is finally moving to HTTPS by default.</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">After using wifi in 3 airports and 4 planes this weekend, I've created <a href="https://t.co/D2lIJuCQvr">https://t.co/D2lIJuCQvr</a> to make logging on a little bit easier.</p>— Colm MacCárthaigh (@colmmacc) <a href="https://twitter.com/colmmacc/status/790598606000533504?ref_src=twsrc%5Etfw">October 24, 2016</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<p>It took about 30 minutes to set up neverssl.com, it's just a simple
website hosted on AWS (disclaimer: I work at AWS) and a stylesheet designed by
<a href="https://twitter.com/markcwebster">Mark Webster</a>. The landing
page is kept very small and simple, no ads, no animations, it just
gets you online.</p>
<p>In the time since NeverSSL launched, it's been featured by several news
sites, technical tip columns, and lots of word-of-mouth
recommendations. As a result, it's now grown to about 6 million hits per
day, and that's just the traffic that makes it through to the landing
page, presumably more traffic is being intercepted by the capture portals.
It's pretty rewarding to see 30 minutes of effort pay off by saving so
many people some time and frustration.</p>
<p>As with any unexpected success, it's important to double down. While
NeverSSL.com is simple, over the past 18 months I've encountered a few
edge cases where NeverSSL.com didn't work. If I can hit them on my own,
then they probably impact thousands of people, and some improvements are
due!</p>
<h2>What's changing?</h2>
<p>Firstly, what isn't changing is that NeverSSL.com will continue to be a
free, fast, and tiny website. Still no animations, or distractions.</p>
<p>I also want to keep neverssl.com ad free, but as it's now
costing me about $2,000 a year to host it, I may add an single fixed
unobtrusive logo and link, if I can find a suitable sponsor, to recoup the
hosting costs.</p>
<p>If you've got a better idea, feel free to let me know via the
next change: NeverSSL now has a <a href="https://twitter.com/NeverSSL/">twitter account</a>.
I'll also be embeding a link to the NeverSSL twitter account on
the new landing page. Hopefully this can serve as a useful feedback
channel, as it's been too hard for users to reach out and make
suggestions or complaints.</p>
<p>I'm also publishing the Git repo I use to manage NeverSSL, so
if you want a sneak preview of other changes I make, or you
want to submit improvements or issues, you can do both at
<a href="https://github.com/colmmacc/neverssl.com">https://github.com/colmmacc/neverssl.com</a>.
<h2>Enhanced Cache-busting</h2>
<p>Today NeverSSL.com has a single landing page, and while caching is
aggressively disabled for that page, users can still run into caching
problems that prevent them from getting online.</p>
<p>One problem is that when some browsers 'detect' that they
are not online, they fall back to a stale in-browser cache and simply
display the page without trying to make a request. This fails to
trigger the Wifi's captive portal.</p>
<p>Another problem is that some Wifi capture networks can be
over-zealous with spoofing DNS [<a href="#dnssec">*</a>]. These networks
typically rewrite DNS responses to resolve to the private IP address of the
capture portal, but they can use TTLs that are too big. If your device
tries to connect to a few networks in rapid succession, it can end up with
the bad DNS entries from a network it is no longer connected to, and leaves
you unable to get online.</p>
<p>To fix these problems, NeverSSL.com is moving to a two page model.
The first page will be very very small, it's just loading some javascript,
and it doesn't matter if your browser caches it. Actually it's good if
your browser caches it.</p>
<p>What this page will do is generate a url that looks like:</p>
<p><strong>http://lxzmwvtdsnrhkfbc.neverssl.com/online/</strong></p>
<p>and redirect your browser there. The part before the dot is random data,
and there are billions of trillions of possibilities. That makes each redirect
unique, and each DNS lookup uncacheable, so it gets through very broken DNS setups
I don't like that it makes the final browser url a bit ugly, but C'est La Vie.</p>
<h2>NeverSSL data aggregation</h2>
<p>Since broken captive networks are a real nuisance, another change I am
planning is to use neverssl.com to collate aggregated data on where
the most broken networks are.</p>
<p>To do this, I'm planning to add a small amount of state tracking (via
cookies) to the first landing page. I'm still experimenting, but I
hope that it will be possible to identify cases where the wifi capture
was triggered and to subsequently record these measurements to a logging
service.</p>
<p>My goal is to publish a monthly list of the most broken networks
to the <a href="https://nanog.org/list">NANOG mailing list</a>. I'm hopeful
that this data will assist network operators, consultants and others in
helping to convince network owners to fix their networks.</p>
<p>All IP address data will be anonymized to at least the /24 (for IPv4)
or /64 level (for IPv6).</p>
<a name="dnssec"/>
<h3>Gratuitous Footnote on DNSSEC</h3>
<p>Whenever I bring up DNS spoofing, people often wish that DNSSEC were
more widely deployed to prevent it. In fact, DNSSEC wouldn't help in this
case, or in almost any real world attack case. DNSSEC does nothing to
protect you from your DNS resolver (the wifi capture network, in this
case), or from other users on your network. Nor does it provide privacy, or
protection against domains being blocked. From someone who has both worked
on cryptography, and written DNS implementations: don't use DNSSEC, it's
silly.</p>
<p>- Colm MacCárthaigh</p>
<a href="https://twitter.com/neverssl?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-size="large" data-show-count="false">Follow @neverssl</a><script async src="https:// platform.twitter.com/widgets.js" charset="utf-8"></script>
</div>
</div>
</body>
</html>