Feature #3388
Closed
Add checkbox and logic to disable forwarding of HTTPS requests to captive portal
Description
Candidate patch here:
https://github.com/derelict-pf/pfsense/commit/e98daec5960b7ecdd18bc461003df3a18d2adbe7
Updated by Ermal Luçi over 10 years ago
- Status changed from New to Rejected
Just do not configure https authentication!
Updated by Chris Linstruth over 10 years ago
I believe you are missing the point.
This enables administrators to utilize HTTPS CP authentication, which might be necessary to protect login credentials.
It also allows administrators to prevent throwing certificate errors at users in the event the initial site visited is an https site.
The initial forward and the HTTPS CP page are not mutually dependent.
We, as an industry, should do everything we can not to train our users to click through certificate errors.
Updated by Chris Linstruth over 10 years ago
You're still misunderstanding. If the initial connection by the user prior to CP authentication is to, say, https://www.google.com/, the ipfw forward rule creates a MITM. The browser expects a certificate from www.google.com but gets a cert from my-captive-portal.example.com instead and a certificate error is presented to the user. Doesn't matter if it's signed by a trusted root or not.
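The certificate mismatch described in the comment above, modelled as an added example that is not part of the original comment or of the pfSense code base. The function names, the `forward_https` flag and the "connection-fails" outcome for unforwarded HTTPS are assumptions made for illustration; the host names are the ones used in the thread.

```python
# Added example: constructed model of what an unauthenticated client sees
# on its first request behind a captive portal. Not pfSense code.

PORTAL_CERT_NAMES = ["my-captive-portal.example.com"]  # names in the portal's certificate


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style check: exact match, or '*' covering one leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:] and "." in rest
    return False


def browser_accepts(cert_names, chain_trusted: bool, requested_host: str) -> bool:
    """A browser needs BOTH a trusted chain and a name that matches the URL."""
    name_ok = any(hostname_matches(n, requested_host) for n in cert_names)
    return chain_trusted and name_ok


def pre_auth_result(scheme: str, host: str, forward_https: bool,
                    chain_trusted: bool = True) -> str:
    """Outcome of the first request before captive portal authentication."""
    if scheme == "http":
        # Plain HTTP can be redirected to the portal without any TLS check.
        return "redirect-to-portal"
    if not forward_https:
        # Assumption: unauthenticated HTTPS is simply not passed, so the
        # connection fails and no certificate prompt is shown.
        return "connection-fails"
    # Forwarded: the portal answers the TLS handshake with its own certificate.
    if browser_accepts(PORTAL_CERT_NAMES, chain_trusted, host):
        return "portal-page"
    return "certificate-error"


if __name__ == "__main__":
    for trusted in (True, False):
        print(trusted, pre_auth_result("https", "www.google.com", True, trusted))
    print(pre_auth_result("https", "www.google.com", False))
    print(pre_auth_result("http", "www.google.com", False))
```

With forwarding enabled, the result for `https://www.google.com/` is a certificate error whether or not the portal certificate chains to a trusted root, because the name check fails on its own.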
Updated by Chris Buechler over 10 years ago
That's reasonable; submit that as a pull request in GitHub and we'll get it merged.