insecure on purpose



insecure on purpose

wifi portals

So, sometimes your only option for connecting to the internet is through some WiFi portal. It may be paid, in which case you need to connect and identify/pay, or it may be free, but usually they'll want you to click something to accept terms and conditions.

These portals usually work by hijacking your HTTP request, redirecting whatever original request you made to their portal. HTTPS is a problem for them, as the connections are encrypted, and the portal devices won't be able to obtain valid certificates for every possible domain you may want to visit to hijack the connection.


On Android / Google devices, they work around this by doing a simple ping to an endpoint with a HTTP 204 No Content response. If a portal is necessary, the request will get hijacked and the redirect can be served to the user in a browser. The /generate_204 page seems to be implemented on their frontend / edge infrastructure, any Google domain appear to work, though the following URLs seem to be canonical:

If you're me, you use iwd for wifi setup. It's simple (relatively) and dumb, so no automatic HTTP checks for me. is option to achieve the same: an HTTP page that can get hijacked. It's short, memorable and easy to use manually in a browser.

As a browser page responding with HTTP 200, it faces some challenges: DNS can be cached, the browser can cache the page, and browsers can remember the HTTPS setting of a page.

If it's uncached, just visiting the page should work. If it cached, it uses client side javascript to select a random subdomain and request that instead (which is unlikely to be cached).

Subdomain algorithm: 3 adjectives from a list of 32 + 1 noun from a list of 32. Total 32x31x30x32 = 952320 possible subdomains.