AAAAAAH HOW DOES THIS HAVE 1.3K RTs HTTPS ON WEBSITES DOESN'T SOLVE THE PROBLEM IF IT'S THE CAPTIVE PORTAL ITSELF INJECTING SCRIPTS AAAAAAAAAAAAAA
pic.twitter.com/HXpf3cow6u
Yeah, I do @musllibc, FOSS & infosec stuff. But now is not the time for a mostly-/only-tech Twitter feed.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
AAAAAAH HOW DOES THIS HAVE 1.3K RTs HTTPS ON WEBSITES DOESN'T SOLVE THE PROBLEM IF IT'S THE CAPTIVE PORTAL ITSELF INJECTING SCRIPTS AAAAAAAAAAAAAA
pic.twitter.com/HXpf3cow6u
Why not tag him and get a conversation? @troyhunt
Troy Hunt Retweeted Troy Hunt
Troy Hunt added,
Yes Troy, that's what you point everyone at. And it makes no sense
In a captive portal, no pages load until you auth/accept/whatever the portal page. If the captive portal is injecting scripts, https wouldn't have saved you
If all your tabs were https, as you suggest, they wouldn't load anything. Because you haven't yet authed to the captive portal. When you go to the captive portal to auth... Oh no, injected scripts
In other words, https solves a related problem, but not the problem of malicious scripts being added to the captive portal landing page, which was exactly the situation you linked to
Every HTTP tab will get nabbed by the captive portal. I should have been clearer in the first tweet, that’s on me.
To be fair, I think iOS and maybe modern Android mitigate this with a separate captive-portal browser, blocking net access to real browser until login/clickthru.
Exactly. iOS handles captive portals in a higher security browser context (JIT JS disabled etc). It'll still mine coins though ;)
It also precludes the normal browser (and all apps?) from attempting to make any requests until you're safely past the captive portal, right?
That's the way modern OSs *try* to do it, but IME there are so many unholy ways to implement captive portals that I think the success rate is < 100%
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.