2026 मध्ये HTTPS Captive Portals: HSTS आणि ब्राउझर हार्डनिंग जुन्या पद्धती कशा मोडीत काढत आहेत

PODCAST SCRIPT: HTTPS Captive Portals in 2026 — Why HSTS and Browser Hardening Are Breaking the Old Patterns Runtime target: ~10 minutes | Voice: UK English, senior consultant tone --- [INTRO — ~60 seconds] Welcome back. I'm going to cut straight to it today, because if you're running guest WiFi at scale — hotels, retail estates, stadiums, conference centres — you've probably already hit this problem, or you're about to. The classic captive portal pattern — the one where your network intercepts an HTTP request and redirects the user to a splash page — is breaking. Not gradually. It's breaking hard, and the browser vendors are the ones doing it. In the next ten minutes, I want to walk you through exactly what's changed, why it's changed, and what your realistic options are in 2026. This isn't theoretical. This is the conversation I'm having with network architects and IT directors every week right now. Let's get into it. --- [TECHNICAL DEEP-DIVE — ~5 minutes] So let's start with the mechanism. The legacy captive portal pattern works like this: a device connects to your open or PSK-protected WiFi network. It tries to load a web page. Your network controller intercepts that HTTP request — port 80 traffic — and issues a 302 redirect to your portal page. The user sees your splash screen, accepts terms, maybe logs in, and then you open the walled garden. Simple. It's worked for twenty-plus years. The problem is that pattern depends entirely on the device making an unencrypted HTTP request that you can intercept. And browsers are systematically eliminating those requests. Here's the timeline of what's happened. HSTS — HTTP Strict Transport Security — has been around since RFC 6797 in 2012. The mechanism is straightforward: a site sends a Strict-Transport-Security header, and the browser remembers it. For the duration of the max-age period, the browser will refuse to load that site over plain HTTP. It upgrades the connection to HTTPS automatically. If HTTPS isn't available, the connection fails — hard. No bypass, no redirect, just a certificate error. Now, HSTS on its own is manageable. The browser only enforces it after the first visit. But then came the HSTS preload list. Chrome maintains a hardcoded list of domains that are HTTPS-only, baked directly into the browser binary. Firefox, Safari, and Edge all consume the same list. As of 2026, that list covers well over 100,000 domains, including essentially every major consumer destination — Google, Facebook, Twitter, banking sites, government portals, the lot. What that means in practice is this: when your guest device connects to your network and tries to load gmail.com, or bbc.co.uk, or any preloaded domain, the browser doesn't even attempt an HTTP request. It goes straight to HTTPS. Your network controller never sees a plain HTTP request to intercept. The redirect never happens. The user just gets a certificate error, because your portal's self-signed certificate is not trusted for gmail.com. They see NET::ERR_CERT_AUTHORITY_INVALID and they're stuck. And it's getting worse. In October 2025, Google announced that Chrome 154 — shipping October 2026 — will enable "Always Use Secure Connections" by default for all users on public sites. Chrome 147, which shipped in April 2026, already enabled this for the one-billion-plus users who have Enhanced Safe Browsing turned on. Firefox has been moving in the same direction. Safari has had HTTPS-first behaviour on iOS for some time. The net effect: by the end of 2026, the majority of your guests' browsers will attempt HTTPS for every navigation, regardless of whether the domain is on the preload list. The HTTP intercept pattern is not just unreliable — it's dead. Now, there's a secondary problem that compounds this. Even when the OS-level Captive Network Assistant — the CNA — fires up its mini-browser to handle the portal, that mini-browser has its own HSTS enforcement. On iOS, the CNA uses a sandboxed WebKit instance. On Android, it uses a Chrome Custom Tab. Both enforce HSTS. Both will fail to load your portal if you're trying to serve it via a hostname that has an HSTS policy. The correct technical response here is to serve your portal from a dedicated hostname that has never had an HSTS header and is not on the preload list — something like portal.yourvenue.com — with a valid, CA-signed TLS certificate. That's table stakes now. But even that doesn't fully solve the detection problem, because the device still needs to discover that it's behind a captive portal in the first place. That's where RFC 8910 and RFC 8908 come in. RFC 8910 defines a DHCP option — option 114 — and an IPv6 Router Advertisement option that tells the client device the URL of the captive portal API endpoint. RFC 8908 defines that API: a simple JSON endpoint that the OS queries to determine whether internet access is restricted, and if so, where the portal is. Modern operating systems — iOS 14 and later, Android 11 and later, Windows 11 — all support this. When you implement CAPPORT correctly, the device knows it's behind a portal before it ever tries to load a web page. The OS fires up the CNA with the correct portal URL directly. No HTTP intercept required. That's the first modern alternative: DNS and DHCP signalling via CAPPORT, with a properly-signed portal served from a dedicated hostname. The second alternative is Passpoint, based on IEEE 802.11u and the Wi-Fi Alliance's Hotspot 2.0 specification. Passpoint takes a fundamentally different approach. Instead of intercepting traffic, the access point advertises its identity and authentication requirements via ANQP — Access Network Query Protocol — before the device even associates. The device checks whether it has valid credentials for this network. If it does, it authenticates via 802.1X and WPA2 or WPA3 Enterprise, and gets full network access immediately. No portal, no redirect, no browser involvement at all. Passpoint is the right answer for a specific set of deployments: multi-site operators, enterprise environments, healthcare, transport hubs, anywhere you have repeat users who benefit from zero-touch connectivity. Purple's SecurePass product line is built around this model, and for the right deployment profile it eliminates the captive portal problem entirely. The third option, which sits between the two, is OWE — Opportunistic Wireless Encryption. OWE is defined in RFC 8110 and provides per-client encryption on open networks without requiring credentials. It doesn't replace the portal, but it removes the open-network security exposure that makes regulators nervous, particularly under GDPR and PCI DSS. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — ~2 minutes] Right, so what should you actually do? Let me give you the practical framework. If you're running a captive portal today and it's working, your immediate priority is to implement CAPPORT. That means configuring DHCP option 114 on your controller to point to your portal API endpoint, implementing the RFC 8908 JSON API on your portal server, and ensuring your portal is served from a dedicated hostname with a valid CA-signed certificate. This will restore reliable portal detection on modern devices and eliminate the certificate error problem. Do not — I repeat, do not — attempt to serve your portal from a hostname that appears on the HSTS preload list. And do not use a self-signed certificate. Both of these are instant failure modes. The second thing to address is your walled garden configuration. Your DHCP server, your DNS resolver, and your portal hostname all need to be accessible before authentication. That includes the OS detection probe URLs: captive.apple.com for Apple devices, connectivitycheck.gstatic.com for Android, and msftconnecttest.com for Windows. If any of these are blocked pre-auth, the CNA won't fire and your users will be stuck. For new deployments, particularly in hospitality and multi-site retail, I'd strongly recommend evaluating a hybrid architecture: a Passpoint SSID for repeat visitors and a CAPPORT-compliant portal SSID for first-time guests, with the portal offering Passpoint profile installation as part of the onboarding flow. This gives you the marketing touchpoint for new visitors while delivering zero-friction connectivity for returning ones. The pitfall I see most often is operators who've invested in portal customisation and data collection treating Passpoint as a threat to their marketing stack. It isn't. Purple's platform, for example, supports progressive onboarding where the initial portal interaction captures consent and profile data, and then provisions a Passpoint credential for future visits. You get the first-party data on the first visit and the seamless experience on every subsequent one. --- [RAPID-FIRE Q&A — ~1 minute] Quick-fire questions I get asked constantly: "Can I just use a self-signed cert for my portal?" No. Modern browsers and CNA implementations will reject it. You need a CA-signed certificate. "Does CAPPORT work on all devices?" iOS 14+, Android 11+, Windows 11 — yes. Older devices fall back to legacy detection behaviour. Plan for both. "Is Passpoint GDPR-compliant?" Yes, when implemented correctly. The credential provisioning step is where you capture consent. Purple handles this as part of the SecurePass onboarding flow. "What about PCI DSS scope?" If your guest network carries any cardholder data, you need network segmentation regardless of portal type. Passpoint's WPA3-Enterprise encryption significantly reduces your attack surface and simplifies scope arguments with QSAs. --- [SUMMARY & NEXT STEPS — ~1 minute] To wrap up: the HTTP intercept pattern is broken by HSTS preloading and Chrome's move to HTTPS-first by default. The fix for existing deployments is CAPPORT — RFC 8910 plus RFC 8908 — with a properly-signed portal on a dedicated hostname. For new deployments or major refreshes, evaluate Passpoint, particularly if you have repeat-visitor traffic or compliance requirements that benefit from WPA3-Enterprise encryption. The browser vendors have made their position clear. The question isn't whether to adapt — it's how fast. If you want to dig into the specifics for your deployment, the Purple team can walk you through a CAPPORT readiness assessment and a Passpoint feasibility analysis. Links in the show notes. Thanks for listening. See you next time. --- END OF SCRIPT