How does hotel wi-fi work, and why does it need a browser to log in?


RayLopez99

how does hotel wi-fi work, and why does it need a browser to log in?

It's strange--just like the title says, hotel Wi-fi and a lot of private business wi-fi needs a browser to activate your internet connection, with a password, but when you flush the cache and close the browser, when you reopen the browser it often still works to give you internet. Somehow there's a hidden cookie that is not erased.

Anybody know how hotel or private wifi works? Some sort of a program that's become popular seems to me, as I don't recall this from years ago.

RL
 
how does hotel wi-fi work, and why does it need a browser to log in?

It's strange--just like the title says, hotel Wi-fi and a lot of private business wi-fi needs a browser to activate your internet connection, with a password, but when you flush the cache and close the browser, when you reopen the browser it often still works to give you internet. Somehow there's a hidden cookie that is not erased.

Anybody know how hotel or private wifi works? Some sort of a program that's become popular seems to me, as I don't recall this from years ago.

It's called a "hotspot" usually. The connection to the Wi-Fi itself is
free and open, but in order to get the Internet, they take you to an
internal website that asks you for some identifying info. Once you
provide that, it then allows you to use their gateway to the Internet.
It does maintain a cookie, but the cookie is not on your computer but on
their computer, which identifies you by your computer's MAC address.

Yousuf Khan
 
Yousuf Khan said:
It's called a "hotspot" usually. The connection to the Wi-Fi itself is free and open, but in order to get the
Internet, they take you to an internal website that asks you for some identifying info. Once you provide that, it then
allows you to use their gateway to the Internet. It does maintain a cookie, but the cookie is not on your computer but
on their computer, which identifies you by your computer's MAC address.

Yousuf Khan

And it also expires (at least at the Hampton Inns I've stayed in) after one or two hours of inactivity.
As an added wall of protection, I bring a wireless router that I hook to their network. In the end, I'm still using
their WAN to get to the internet, but I basically have my own private LAN piggy-backing on them.
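
The mechanism described in the two replies above (a record kept on the gateway, keyed by the client's MAC address, that lapses after a period of inactivity) can be modelled in a few lines. This is an added example, not part of any post in the thread; the `Gateway` and `Browser` classes, the portal URL, the MAC addresses and the two-hour timeout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PORTAL_URL = "http://portal.hotel.example/login"  # hypothetical portal address
IDLE_TIMEOUT = 2 * 60 * 60  # assumed: two hours of inactivity, in seconds


@dataclass
class Gateway:
    """Toy captive-portal gateway: all state lives here, keyed by client MAC."""
    idle_timeout: int = IDLE_TIMEOUT
    sessions: dict = field(default_factory=dict)  # MAC -> time of last traffic

    def login(self, mac, room, name, now):
        """Portal form submitted: remember this MAC as authorised."""
        if not (room and name):
            return False
        self.sessions[mac.lower()] = now
        return True

    def handle(self, mac, url, now):
        """Decide what happens to one outbound HTTP request."""
        mac = mac.lower()
        last_seen = self.sessions.get(mac)
        if last_seen is not None and now - last_seen > self.idle_timeout:
            del self.sessions[mac]  # idle too long: forget the client
            last_seen = None
        if last_seen is None:
            # Unknown MAC: answer in place of the site with a redirect to the
            # portal. Only a browser follows it and renders the login form.
            return {"status": 302, "location": PORTAL_URL}
        self.sessions[mac] = now  # any traffic restarts the idle timer
        return {"status": "forwarded", "url": url}


@dataclass
class Browser:
    """Client side: cookies live here, but the gateway never looks at them."""
    mac: str
    cookies: dict = field(default_factory=dict)

    def get(self, gateway, url, now):
        return gateway.handle(self.mac, url, now)["status"]

    def clear_cache_and_cookies(self):
        self.cookies.clear()


def demo():
    gw = Gateway()
    laptop = Browser(mac="02:00:00:AA:BB:01")  # constructed sample MACs
    other = Browser(mac="02:00:00:AA:BB:02")
    url = "http://example.com/"
    out = [laptop.get(gw, url, now=0)]                # not logged in yet
    gw.login(laptop.mac, room="412", name="guest", now=0)
    laptop.clear_cache_and_cookies()
    out.append(laptop.get(gw, url, now=60))           # still authorised
    out.append(other.get(gw, url, now=60))            # different MAC
    out.append(laptop.get(gw, url, now=60 + IDLE_TIMEOUT + 1))  # idle expiry
    return out


if __name__ == "__main__":
    print(demo())
```

Clearing the browser changes nothing because the gateway's decision depends only on its own table; the redirect to the login page returns once that entry has gone idle.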
 
how does hotel wi-fi work, and why does it need a browser to log in?

All PCs require a browser to connect to the internet (whether
via telephone, coax cable or wirelessly.)
Anybody know how hotel or private wifi works? Some sort of a program
that's become popular seems to me, as I don't recall this from years ago.

WiFi is not just "some sort of a program:" it is an electronic pool of
radiation created by an electrical device with antenna (and run by its
own program.) The hardware varies according to whether users
are charged by time (like cable TV) or by the byte (like cell phones.)
 
It's called a "hotspot" usually. The connection to the Wi-Fi itself is
free and open, but in order to get the Internet, they take you to an
internal website that asks you for some identifying info. Once you
provide that, it then allows you to use their gateway to the Internet.
It does maintain a cookie, but the cookie is not on your computer but on
their computer, which identifies you by your computer's MAC address.

Yousuf Khan


Yes, thanks, here is another reference to this, also called a "captive portal": http://en.wikipedia.org/wiki/Captive_portal

RL
 
All PCs require a browser to connect to the internet (whether
via telephone, coax cable or wirelessly.)
That's not true.

The login is separate. In the days of dialup with a terminal, their
server would ask for username and password, with PPP access such
information was usually buried in a file, though I suppose there are some
PPP programs that ask for the information.

But a browser has nothing to do with it. One doesn't need a browser for
newsgroups for ftp or IRC or chat, and you don't need one for logging in.

Michael
 
It's a Netgear WGR614V9. Very light and compact.

I do the same thing, only with an EnGenius ETR9330 travel router,
which is about the size of a deck of cards.

You absolutely cannot rely on hotel wifi - I think I have only a 30%
success rate with hotel wifi. But the wired RJ45 link to your room
always works.

There are only two caveats with hotel travel routers: (1) they
need to be set up in access point mode, or else they interfere with
the hotel's router, and (2) the range is pretty small (only a few
rooms), so don't try to reuse your travel router as a home router.
 
Ting said:
I do the same thing, only with an EnGenius ETR9330 travel router,
which is about the size of a deck of cards.

You absolutely cannot rely on hotel wifi - I think I have only a 30%
success rate with hotel wifi. But the wired RJ45 link to your room
always works.

There are only two caveats with hotel travel routers: (1) they
need to be set up in access point mode, or else they interfere with
the hotel's router, and (2) the range is pretty small (only a few
rooms), so don't try to reuse your travel router as a home router.

Damn, that's pretty sweet (and gets really good reviews on Amazon)! If I travelled more, I'd definitely think about
trading up to one.
 
how does hotel wi-fi work, and why does it need a browser to log in?

It's strange--just like the title says, hotel Wi-fi and a lot of private business wi-fi needs a browser to activate your internet connection, with a password, but when you flush the cache and close the browser, when you reopen the browser it often still works to give you internet. Somehow there's a hidden cookie that is not erased.

Anybody know how hotel or private wifi works? Some sort of a program that's become popular seems to me, as I don't recall this from years ago.

RL

Follow-up question: given that https (session layer transport security) is only secure between nodes, can hotel employees read your bank log-on information if you use https on a captive portal in a hotel wifi network? I don't think so.

RL
 
In the last episode of
RayLopez99 said:
Follow-up question: given that https (session layer transport security)
is only secure between nodes, can hotel employees read your bank log-on
information if you use https on a captive portal in a hotel wifi network?
I don't think so.

The short answer is that you should be secure. HTTPS provides end to end
security for the entire TCP session.

However, this assumes that your SSL certificate trusts don't have any
untrusted or compromised certificates (in other words, assume foreign
and domestic gov'ts and significantly large spy organizations can feed
you a false-but-trusted SSL certificate, but a random hotel will not
have this capability).

Also be aware that you cannot ignore SSL warnings, doing so will leave
you open to a man-in-the-middle attack which can compromise your entire
session.
 
In the last episode of


The short answer is that you should be secure. HTTPS provides end to end
security for the entire TCP session.

However, this assumes that your SSL certificate trusts don't have any
untrusted or compromised certificates (in other words, assume foreign
and domestic gov'ts and significantly large spy organizations can feed
you a false-but-trusted SSL certificate, but a random hotel will not
have this capability).

Also be aware that you cannot ignore SSL warnings, doing so will leave
you open to a man-in-the-middle attack which can compromise your entire
session.

--

Hi-
You give the 'canonical' answer but it is not 100% true. See below.

We concluded https was secure "between nodes", meaning between transmission points. So it prevents simple man in the middle attacks (most of the time, excluding traffic analysis, see the Wikipedia cite below). But since my encrypted messages go through the hotel's server, by definition it can be decrypted at the hotel server, in particular if the server has the HTTPS certificate and is using it rather than my certificate on my hard drive for decryption. (see below on "simple" https vs "mutual" https. I am assuming I am using "simple" not "mutual" https in this hypothetical of this paragraph). Most people and most websites assume "simple", not "mutual", https.

RL

http://en.wikipedia.org/wiki/HTTPS

SSL comes in two options, simple and mutual.

The mutual version is more secure, but requires the user to install a personal certificate in their browser in order to authenticate themselves.

Whatever strategy is used (simple or mutual), the level of protection strongly depends on the correctness of the implementation of the web browser and the server software and the actual cryptographic algorithms supported.

SSL does not prevent the entire site from being indexed using a web crawler, and in some cases the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size.[11] This allows an attacker to have access to the plaintext (the publicly-available static content), and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack.

Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination.[12] This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists, which sends the hostname to the server before encrypting the connection, although many older browsers do not support this extension. Support for SNI is available since Firefox 2, Opera 8, Safari 2.1, Google Chrome 6, and Internet Explorer 7 on Windows Vista.[13][14][15]

From an architectural point of view:

An SSL/TLS connection is managed by the first front machine that initiates the SSL connection. If, for any reasons (routing, traffic optimization, etc.), this front machine is not the application server and it has to decipher data, solutions have to be found to propagate user authentication information or certificate to the application server, which needs to know who is going to be connected.
For SSL with mutual authentication, the SSL/TLS session is managed by the first server that initiates the connection. In situations where encryption has to be propagated along chained servers, session timeOut management becomes extremely tricky to implement.
With mutual SSL/TLS, security is maximal, but on the client-side, there is no way to properly end the SSL connection and disconnect the user except by waiting for the SSL server session to expire or closing all related client applications.
For performance reasons, static content that is not specific to the user or transaction, and thus not private, is usually delivered through a non-crypted front server or separate server instance with no SSL. As a consequence, this content is usually not protected. Many browsers warn the user when a page has mixed encrypted and non-encrypted resources.

A sophisticated type of man-in-the-middle attack was presented at the Blackhat Conference 2009. This type of attack defeats the security provided by HTTPS by changing the https: link into an http: link, taking advantage of the fact that few Internet users actually type "https" into their browser interface: they get to a secure site by clicking on a link, and thus are fooled into thinking that they are using HTTPS when in fact they are using HTTP. The attacker then communicates in clear with the client.[16]

In May, 2010, a research paper[17] by researchers from Microsoft Research and Indiana University discovered that detailed sensitive user data can be inferred from side channels such as packet sizes. More specifically, the researchers found that an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection in several high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search.
 
Follow-up question: given that https (session layer transport security) is only secure between nodes, can hotel employees read your bank log-on information if you use https on a captive portal in a hotel wifi network? I don't think so.

No, the SSL certificate is between your computer and the end computer,
every other router in between can only pass it along unaltered, but they
can't do anything in between to change it. The Hotspot's gateway is
just yet another router once you've authenticated through it. The hotel
gateway just passes all of the data along without any modification or
even any understanding about what's inside.

Yousuf Khan
 
No, the SSL certificate is between your computer and the end computer,
every other router in between can only pass it along unaltered, but they
can't do anything in between to change it. The Hotspot's gateway is
just yet another router once you've authenticated through it. The hotel
gateway just passes all of the data along without any modification or
even any understanding about what's inside.

Yousuf Khan

This is true for most HTTPS, but see below. Any insight appreciated.

RL

you demonstrated an understanding of how routine "man-in-the-middle" attacks work, but you failed to grasp the distinctions between "mutual" HTTPS and "simple" HTTPS, probably because you don't understand the differences.
 
RayLopez99 said:
Follow-up question: given that https (session layer transport
security) is only secure between nodes, can hotel employees read your
bank log-on information if you use https on a captive portal in a
hotel wifi network? I don't think so.

RL

Funny to see this question, after I just read a blog
(http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/)
discussing a different hotel practice involving javascript injection.
I'm not tech savvy like the blog's readers are, but it seems to boil
down to that
1. hotels are businesses,
2. wi-fi service is a revenue/cost center for hotel operations and a
required amenity for hotels to retain business,
3. hotel wi-fi may (or may not be farmed out) to 3rd party companies,
4. at least one eqpt mfr offers routers(?) that can inject javascript
on the fly at the router into the content you view in order to place
ads to increase the revenue (decrease cost) to the hotel

The comments section got into a short discussion about the
legality/ethics of this. The comments IMO were very useful to read and
get a better understanding of the practice.

Long and short seemed to be that one should not expect hotel internet
services to be secure and that using VPN or SSH would give more
security. Such steps also seemed to be more effective if the end user
is more tech savvy.
 
Funny to see this question, after I just read a blog
(http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/)
discussing a different hotel practice involving javascript injection.
I'm not tech savvy like the blog's readers are, but it seems to boil
down to that
1. hotels are businesses,
2. wi-fi service is a revenue/cost center for hotel operations and a
required amenity for hotels to retain business,
3. hotel wi-fi may (or may not be farmed out) to 3rd party companies,
4. at least one eqpt mfr offers routers(?) that can inject javascript
on the fly at the router into the content you view in order to place
ads to increase the revenue (decrease cost) to the hotel

The comments section got into a short discussion about the
legality/ethics of this. The comments IMO were very useful to read and
get a better understanding of the practice.

Long and short seemed to be that one should not expect hotel internet
services to be secure and that using VPN or SSH would give more
security. Such steps also seemed to be more effective if the end user
is more tech savvy.

Thanks, good article, excerpts below. It still does not answer the question of whether it's possible, akin to what the article you referenced wrote, whether it's possible to do this type of "man-in-the-middle" attack for HTTPS. But it suggests it is possible to spoof your HTTPS certificate (or not spoof it but have a proxy for it on the hotel server). That way the hotel can read your HTTPS data. Why they would do that and risk lawsuits is another matter, and if it's a reputable hotel it's unlikely, but this hotel below was potentially reading unencrypted mail and it was reputable, a NYC Marriott.

RL

I found a utility that unpacks packed JavaScript, and it only took a quick skim of advnads20.js (over 1900 lines reformatted) to estimate that its primary purpose is ad injection/takeover. The good news is, this explains why all the embedded YouTube videos in Google Reader were showing up as empty black squares.

But the question remains, did the hotel’s wifi access point get hacked, or is something more nefarious at work? Is it possible that the hotel’s internet service provider is doing this on purpose? Could it be that the Courtyard Marriott in Times Square is actually aware of and condoning this type of bad behavior?

In any case, who the heck do I report something like this to?

Update: I really wanted to give Marriott the benefit of the doubt, but it turns out I was wrong. There is something more nefarious at work. Thanks to Danny in the comments, I learned that the “rxg” I saw in the injected CSS and JavaScript is short for Revenue eXtraction Gateway, a wireless hotspot gateway product built by RG Nets, Inc., and available for sale from WlanMall.

RG Nets RXG-A8 Revenue eXtraction Gateway

In short, the Courtyard Marriott is using the RXG to inject JavaScript into the HTML of every webpage its hotel customers view for the purpose of injecting ads (and in the meantime, breaking YouTube). Marriott’s wireless internet service provider is a third-party company called Hotel Internet Services, so it is possible, though unlikely, that Marriott doesn’t know what’s going on. But it’s crazy to me that I’m paying $368 a night for a hotel room, and this is how I get treated.

Update: I guess not all press is good press. Ronen Isaac (coincidentally of Wlan Mall) appears to have taken down the Vimeo video (I had previously embedded above) that I thought did such an excellent job describing how the Revenue eXtraction Gateway worked.

Sorry, “RGnets RXG Injection Advertising Demo” was deleted at 10:17:28 Fri Apr 6, 2012. We have no more information about it on our mainframe or elsewhere.

Good thing RG Nets still has the video up on their own site! And thanks to The Verge, there’s now a copy of the video up on YouTube that I can embed for your viewing pleasure:

Update: Here’s a round-up of people talking about Hotel Wifi JavaScript Injection around the web:

Hacker News
MetaFilter
Digg
Reddit
TechCrunch (twice!)
The New York Times’ Bits Blog (twice!)
The Verge (twice!)
The Huffington Post’s Gadling Blog (twice!)
heise online
Boing Boing (though they didn’t link to my post!)

Update, April 9, 2012: I just received the following message from a representative of Marriott:

“As soon as we learned of the situation, we launched an investigation into the matter. Preliminary findings revealed that, unbeknownst to the hotel, the Internet service provider (ISP) was utilizing functionality that allowed advertising to be pushed to the end user. The ISP has assured the hotel that this functionality has now been disabled.

While this is a common marketing practice with many Internet service providers, Marriott does not condone this practice. At no time was data security ever at risk.”

Though I’d question the assertion that network-level JavaScript injection is a “common marketing practice”, I’m glad they say it has been disabled. I’m currently back in San Francisco, so I have no way to confirm, but I’ll likely be back in NYC staying at the same hotel in a month.

Update: Something has bothered me about Marriott’s official response above. I completely get that Marriott is a large sprawling corporation, and it’s likely that the right hand often does not know what the left hand is doing. I get that. I’ve worked in much smaller organizations where that has been the case. I also get that their response is a typical, old school public relations gloss over the problem—without any satisfying transparency as to how the problem came to be or any meaningful details about how it was ameliorated.

What bugs me about their response is that the device required to do this type of on-the-fly JavaScript injection of HTML is both rare and expensive. It requires specialized hardware (like the RG Nets’ RXG-A8) starting at a cost of $10,000. In other words, this hardware was procured precisely for the purpose of perpetrating this kind of attack. If Courtyard/Marriott/Hotel Internet Services didn’t want that feature, then they probably could have requisitioned cheaper, less specialized, and more robust networking hardware.

Which means that the optimal solution to this snafu wasn’t simply that “we’ve disabled the functionality”—it has to be “we’ve removed/replaced the offensive hardware”. Nothing less is sufficient. Otherwise, what’s to stop someone from accidentally (or otherwise) re-enabling it later?
 