If it’s public anyway, what’s the harm in just letting people connect instead of forcing them to pray the website will work that day? Looking at you hotels. I always kind of assumed it was to gather some data to sell later, but I feel like they could get that anyway just from your activity on their network.
Comments
Many of those ‘landing pages’ are captive portals that force you to check a box or agree to terms of some sort. It helps protect them in the event something happens to your data or something happens to you while using their wifi.
It’s a liability issue. By going to the landing page and clicking that box you agree to their terms and services, which say that they aren’t responsible for anything you do on their network.
And it’s shitty because they don’t get money for it so there is no reason to put a lot of work into it.
Usually I assume it’s so they can make a bare-minimum effort of connecting users to hotel rooms.
If they just have a big wide-open wifi network then anybody can use it, which is both a security risk and “giving away free stuff.”
You definitely got part of it, in terms of data collection. These landing pages help to organize people’s data, and you may also be giving permissions for them to see things that they wouldn’t be able to see with just you connecting to the network.
But along with you giving them permissions, you are also agreeing to their terms of service. So if for instance, you got hacked while using their network, you can’t sue them for having low security on the public wifi, because the landing page let you know about that risk before you used it.
Also, they can try to upsell the better wifi by having a shitty landing page. A lot of times it’ll take 5 minutes to load and then be like “Click here to continue using free wifi, or pay $5.99 to get speeds comparable to your at-home wifi!”
In many instances, it’s so they can serve up Terms & Conditions. By hitting “continue” or “accept,” you agree to not engage in illegal acts on their network, etc.
EDIT: And after thinking about it for a while, it’s probably less about protecting them from illegal actions YOU might take on their network, but about protecting them from liability should you get hacked while connected to their network.
The landing page is called a captive portal. It doesn’t work for various reasons, some can be that you need a mobile network to get an SMS, or an email confirmation before you can continue, others are just poorly set up.
There’s no real reason, other than to collect user information, and to present a terms of service page.
The user information can be used to figure out who is inside the store at given points to help me understand their customers better.
You can 100% have a free public WiFi, with no captive portal, but other than the business feeling good, they get little from it.
Captive Portals are used to ensure paying customers are utilizing the “free” internet, say at coffee shops. You get a token with a prescribed “code” to type in every three hours. The interface is usually painfully simple and dirt cheap. In my forthcoming novel, the coffee shop is “The Captive Portal”. lol
As others have said this is called a Captive Portal, and the main reason most don’t work well is because the internet security model wasn’t designed with them in mind, and they kind of violate some of the rules. The router is effectively doing a man in the middle attack which your browser isn’t happy about.
Modern operating systems and browsers will try to work around those issues to give a good experience to the user but the lack of standardization means it doesn’t always work well.
As for why they do it, it is primarily liability. If someone does something illegal using their public WiFi they can get in trouble, making you agree to their terms and conditions limits that liability.
Splash pages are often enforced by compliance regulations.
It’s not required, but it’s encouraged.
It’s for liability, the lawyers want users to sign a de-facto contract that says “I won’t do anything illegal with your internet”.
These days the guest wifi may also collect a lot of information, including your browsing habits. So you are signing to agree to that.
They want you to agree to their terms of use/service, which is a legal requirement
I wouldn’t use these networks except as an absolute last resort. Those things are prime targets for captive portal scams. (Put up a fake WiFi network looking like your hotel/coffee shop/whatever network. It asks you to log in to say, gmail or whatever with a very official looking page. It can exactly clone google or whoever because you’re not actually on the internet, it’s still in the captive portal. You log in. Now they have your account.)
Nothing in this world is given away for free…
Usually they make you go on a page because then you’ll have to sign up, and they’ll sell the info you provided them. And also they use this page to put a TOC that says that you agree/let them do this, in exchange for the wifi they are giving out “for free”
In addition to what others have said about liability, another reason is psychological.
Going through the portal makes you feel safer, because someone clearly took the time to set all this up and make it look professional, even making sure that the access points are flush with the ceiling, there are no visible wires, no makeshift mounting hardware, and it gets dusted regularly by housekeeping. Which implies that enough effort was put in to make at least some considerations for security. At the very least it’s enough to convince you that your activity (and everyone else’s) is being actively monitored. Which makes you feel warm & fuzzy enough to consider using it instead of your phone’s mobile hotspot.
Now compare that to the coffee shop across the street where you can see a dusty old consumer grade wifi router that’s been zip tied to a drop ceiling among a colorful mess of wires that you can just connect to with no hassle. Clearly this setup was installed cheaply & quickly by a tech savvy teenager and the owner doesn’t care how it’s used or abused. Which suddenly reminds you of all the reasons why open wifi networks are scary & bad.
Having a portal gives the perception of “professional and secure” while no portal gives the perception of “sloppy and dodgy”, regardless of how much actual security there may or may not be.
Another psychological aspect is the branding opportunity. It is one more place where the business can put their logo and make everyone look at it.
Nobody mentioned this, but the reason the landing page barely works is because it’s on an overloaded server thousands of miles away handling the entire chain of locations or even all the chains of locations managed by an IT company. If the landing page was on hardware in the building things would be much nicer.
I like the ones that require you to enter contact info. I quite enjoy typing the most foul shit I can come up with hoping that I’ll give a developer a chuckle one day when he’s doing database maintenance.
1-3 are definitely a big part of the answer. But since there are competent IT companies setting this up, I would expect that especially for large setups, 1-3 would be overcome by the consulting company saying “look, we’re doing this for many customers, here’s our legal team’s writeup for your legal team why you don’t need T&C’s, running and maintaining a captive portal is a cost and risk and sucks for your customers – if you insist we’ll do it, but we recommend that you don’t” – not in all cases, but at least in some cases. Yet I haven’t seen many large setups (think airports) that don’t have a captive portal.
A captive portal will generally keep devices from connecting automatically – phones that have seen the WiFi before, phones with apps to auto-connect to any open WiFi (I don’t think any major phone OS does it by default), and non-phone devices built to try any open network they find. They can also be configured to kick devices off after a certain time and either not let them back in at all or at least require the user to confirm again, i.e. it keeps devices from using the WiFi for background data.
If you’re considering how to set up a guest network: Don’t use a captive portal. Either make it open (ideally while allowing WPA3 opportunistic encryption) or put a password on the wall to keep most casual neighbors (think guests from the hotel next door) from leeching. But don’t add extra annoyance for both your guests and yourself – because you will have to deal with all the unnecessary extra infrastructure you introduced when it fails or gets hacked. A captive portal means running a web server, plus dynamically changing the firewall rules. That’s a lot of unnecessary complexity!
In addition to what others have said, the landing page is also intended to limit who is in the network.
Someone on a laptop or smartphone inside the facility can easily click agree and use the wifi. But it’s much harder for someone to continue using it for something like a Smart TV in an apartment since the Smart TV isn’t likely to have a functioning web browser. You can also force devices to reconnect every couple of hours/days/weeks.
I have guests over frequently at home, so I have a guest network with a landing page instead of a WiFi password. It’s convenient for me to make it easy for guests to connect while limiting what my neighbors can steal.
So they aren’t responsible for your piracy or illegal porn viewing habits on their network
Captive portals can be used to get all kinds of fun info on your public wifi users. Not even a VPN helps you there, as you need to be coming from the IPs behind the portal.
Not saying all cp’s do that sort of thing, but plenty do.
Let’s look at the worst-case situation. You do something illegal online from a free public wifi. Who is responsible for that? In some countries, saying negative things about the government or state religion, viewing certain types of pornography, downloading pirated software or media.
The internet provider can ask you to leave or report your activities to law enforcement. Or if law enforcement comes after the provider, are they going to silently accept responsibility or point the finger at the user?
What if the network has a sniffer or other network monitor that is either authorized, or a malicious person has an unauthorized sniffer watching internet traffic, and they manage to pick off your bank account password, and steal money. Can you come after the provider?
Landing pages protect the provider even if nobody actually reads them.
I haven’t seen it mentioned on here yet but a big reason is so that they can collect your e-mail address for marketing purposes.
When the public WiFi doesn’t pull up the landing page automatically, I go to:
On Apple devices – captive.apple.com
On Windows – msftconnecttest.com
On Android/Linux – no idea
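What an operating system does with probe hosts like the two named in the comment above, as an added example that is not part of the thread: it fetches a known plain-HTTP URL and treats any answer other than the expected one as a captive portal. The probe paths, expected bodies and the `generate_204` probe are not from the thread, `portal.example.test` is a placeholder, and the responses are constructed samples.

```python
import re

# Plain-HTTP probes and the answer each should give on an open connection.
# Plain HTTP on purpose: a portal cannot rewrite an HTTPS page without
# causing a certificate error. Paths and bodies are not from the thread.
APPLE = "http://captive.apple.com/hotspot-detect.html"
MSFT = "http://www.msftconnecttest.com/connecttest.txt"
GSTATIC = "http://connectivitycheck.gstatic.com/generate_204"
EXPECTED = {APPLE: (200, "Success"), MSFT: (200, "Microsoft Connect Test"), GSTATIC: (204, "")}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")

def classify(probe_url: str, raw: bytes):
    """Return (verdict, portal_url); verdict is online, captive or unknown."""
    want_status, want_body = EXPECTED[probe_url]
    status, headers, body = parse_response(raw)
    if status in (301, 302, 303, 307, 308):      # portal redirects the probe
        return "captive", headers.get("location")
    if status == want_status and want_body in body:
        return "online", None
    if status == 200:                            # portal answered in the probe's place
        m = re.search(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', body, re.I)
        return "captive", m.group(1) if m else None
    return "unknown", None

# Constructed sample responses (portal.example.test is a placeholder host).
APPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>")
NO_CONTENT = b"HTTP/1.1 204 No Content\r\n\r\n"
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://portal.example.test/login\r\n"
            b"Content-Length: 0\r\n\r\n")
REWRITTEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<html><head><meta http-equiv="refresh" '
             b'content="0; url=http://portal.example.test/terms"></head></html>')

if __name__ == "__main__":
    for url, raw in [(APPLE, APPLE_OK), (GSTATIC, NO_CONTENT), (APPLE, REDIRECT), (MSFT, REWRITTEN)]:
        print(url, "->", classify(url, raw))
```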
This acts as a portal to prevent people from sitting in the parking lot or across the street from the hotel and siphoning or breaching data.
It’s both corpo greed and yes it does have a safety benefit
But get yourself a little router and you can connect that to any hotel or public WiFi. Log in once and then have all your devices on a fast and secure network.
These digital landing pages are created once and have no infrastructure maintainer save for once in a blue moon.
Another thing that I haven’t seen mentioned is that it forces the connection to close if a user doesn’t re-accept the terms. This is useful to prevent people from remembering the connection with their phones and then having it auto-connect every time they enter your business – that’ll suck up bandwidth and slow things down for other users. It’s basically a way to ensure that only actual humans who are trying to browse the web have a way to do so.
As someone who works in the hotel industry, I can tell you that it’s a major liability issue. Directing you to a landing page and making you accept our terms and conditions helps us as a business to cover our ass. People do all sorts of illegal things using public wifi. It’s more common than you might think. So it’s better to be proactive than reactive.
It is very likely that most places are using an off-the-shelf solution. The off-the-shelf solution provides a landing page as the point at which you inform the user of limitations and requirements.
This can range from collecting payment, to telling you there’s a one hour limit, or that it is limited to 1 megabit or that access to external sites is limited, etc.
They are not infrequently hacks. Many Wi-Fi hacking devices will imitate a Wi-Fi SSID, like let’s take Starbucks for example and broadcast the same SSID with a stronger signal. The unsuspecting client connects to that one and is presented with a perfectly cloned landing page. The victim attempts to enter their credentials and they are captured by the hacker who now has their access credentials. Don’t ask how I know this. It’s just something I’ve read. Don’t ever use public Wi-Fi. If you do, make sure it’s using at least WPA 3.
Network engineer here and since most people handled the low hanging fruit of the question figured I’d add a little from my side.
Ultimately it’s about security controls to protect my network from random people. Physically you are connecting to the same equipment that the business uses to do other more sensitive stuff. So there need to be steps taken to make sure you aren’t able to do anything I wouldn’t like. Could I do all that without a captive portal? Sure. However it’s way easier to manage if I make a central authority to put people where they belong. So that’s what we do. An actual employee that connects will have the things on their computer to have everything get connected as they should and everyone else gets sent into the “guest” area for further checks. Once there I can both give access to visitors if I want and give an option to employees to get connected if something went wrong with step 1. I can also do a lot of cool things like individually encrypt your traffic so the guy sitting next to you can’t just listen to all your traffic. You can also tie into other systems easily, like some hotels make you enter your name and room number to confirm you are a guest. I could go on but I’d get even further for an ELI explanation.
Slightly understanding all that then what happened is the same as always. Enterprise users like myself drove the needs of the systems but then it all got dumbed down for small business and consumer products. As you observed they don’t really need any of those fancy things for their public coffee house wifi but most systems just lead you down that road if you ask for a guest network. Then as others said those solutions are cheap and don’t have a department full of experts setting them up so they are pretty shit.
I can top that.
How about a public wi-fi that has you go through the rigmarole of going to the (barely working) landing page to agree to the T’s&C’s to then be told, after confirming, that this public wi-fi has no internet connection!!
To answer why some ‘barely work’.
Some are old, outdated, never patched or rebooted. Were set up incorrectly (not enough bandwidth allocation, saturated connection, DHCP reservation pool full, etc). Or a combination of all of that.
Typing 8.8.8.8 into your browser gets the captive page to pop back up in a lot of cases – huge time saver
When I was younger, those stupid landing pages were the reason why I had troubles using my DS on public wifi.
Modern ones on current operating systems work fine. The problem is that places are running old ones that will randomly hijack any connection and that breaks with HSTS and current software.
Why spend on updating things that “work” and deliver no additional income.
Hell, plenty of places do not even have client isolation or if they do it’s only on the access points so you can see everyone on all the other APs. Again, they don’t care. Wifi works sometimes for some people? That’s all they need.
IT here. It’s liability/legal and compliance requirements usually
Why isn’t this free product better!?!?