Man-in-the-middle or captive portal? How each browser and OS knows

When a user runs into a captive portal, how do browsers and operating systems tell that it is not a security threat? Here’s how browsers and OSs identify captive portals and report that intermediate state to users.

How Browsers and OSs Identify Captive Portals

Chrome

When Chrome finds a problem with a security certificate, it generates a background request to a public HTTP (nonsecure) URL served by Google (usually http://<subdomain>.google.com/generate_204). If this request gets an HTTP 204 response, Chrome assumes the connection is OK and that the only possibility is a man-in-the-middle attack. Otherwise, if it gets any response other than 204 (a captive portal usually responds with a 3xx redirect), it assumes a captive portal is in place and that this is why the connection to the original site did not succeed. Upon that detection, it opens a new tab with the redirect destination and warns the user that a captive portal exists and may require authentication to allow Internet access.

Correct visualization of a captive computer on Google Chrome

Android

The principle is the same as in the Chrome browser, but here it is built into the operating system. Android tries to reach the URL http://connectivitycheck.android.com/generate_204, and if that fails, it shows an operating system alert telling the user that the network may need authentication. If the user touches the alert, it opens the redirect target in a new browser tab, taking the user to the message.

An Android device behind a captive portal

Internet Explorer / Windows

IE does not have portal detection capability. Instead, Microsoft goes another route: detection is implemented directly in the operating system's network tools. Upon connecting to a network, Windows tries to download the file http://www.msftncsi.com/ncsi.txt and expects an HTTP 200 response with a specific text content. After that, it tries to resolve the URL’s domain via DNS, and the result should be 131.107.255.255. If it is not, Windows concludes that there are problems with the Internet connection. If it is correct, it shows a dialog bubble on the system bar, indicating that “It is possible that more information is required in order to connect to this network”. The user gets to the captive portal page upon clicking the bubble.

Windows PC behind a Captive Portal (source http://blog.superuser.com/2011/05/16/windows-7-network-awareness/)

Mozilla Firefox

Sadly, Firefox does not implement any kind of captive portal detection. So if the user is trying to reach a secure HTTPS site, the connection will fail, citing a certificate validation error. Two possibilities arise from this case:
  • If the operating system is Windows, the OS captive portal detection will kick in.
  • If the OS is not Windows, at some point the user will hit a non-secure website and reach the captive portal.

Apple iOS

iOS works similarly to the Android detection algorithm, but it checks against http://www.apple.com/library/test/success.html, expecting a response with the word “Success” in the body. Upon detection, it opens a browser pointing to the redirection URL, to let the user see the message or log in to the network.

When iOS detects a captive portal on the network, it opens a browser to the redirect URL
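
The checks described above for Chrome, Android, Windows and iOS all come down to comparing a plain-HTTP probe response with an expected answer. The sketch below is an added example, not code from any of these browsers or operating systems; the `Probe` class, the function names and the sample responses are hypothetical, and the Windows body text `Microsoft NCSI` is not given on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    """Constructed stand-in for the HTTP response to a connectivity probe."""
    status: int
    body: str = ""
    location: Optional[str] = None  # Location header of a 3xx redirect

# (expected status or None, text required in the body) per platform, from the
# descriptions on this page. Assumption: the Windows text, which the page
# only calls "a specific text content". No status is stated for iOS.
EXPECTED = {
    "chrome": (204, ""),                 # http://<subdomain>.google.com/generate_204
    "android": (204, ""),                # http://connectivitycheck.android.com/generate_204
    "windows": (200, "Microsoft NCSI"),  # http://www.msftncsi.com/ncsi.txt
    "ios": (None, "Success"),            # http://www.apple.com/library/test/success.html
}

def classify(platform: str, resp: Optional[Probe]) -> str:
    """Return 'open', 'captive_portal' or 'no_connectivity' for one probe."""
    if resp is None:  # the probe received no HTTP answer at all
        return "no_connectivity"
    status, text = EXPECTED[platform]
    if (status is None or resp.status == status) and text in resp.body:
        return "open"
    return "captive_portal"  # something else answered in the probe's place

def explain_cert_error(resp: Optional[Probe]) -> dict:
    """Chrome's follow-up to a certificate error, as described above."""
    verdict = classify("chrome", resp)
    if verdict == "open":
        # Plain HTTP passes untouched, so a portal does not explain the bad
        # certificate: what remains is a possible man-in-the-middle.
        return {"verdict": "possible_mitm", "open_tab": None}
    if verdict == "captive_portal":
        return {"verdict": "captive_portal", "open_tab": resp.location}
    return {"verdict": "no_connectivity", "open_tab": None}

# Constructed sample responses (not captured traffic).
PORTAL_REDIRECT = Probe(302, "", "http://portal.example/login")
PORTAL_REWRITE = Probe(200, "<html>Please sign in</html>")
CLEAN_204 = Probe(204)

if __name__ == "__main__":
    for name in EXPECTED:
        print(name, classify(name, PORTAL_REDIRECT), classify(name, PORTAL_REWRITE))
    print(explain_cert_error(CLEAN_204), explain_cert_error(PORTAL_REDIRECT))
```

A portal that rewrites the probe into a 200 login page is caught by the status check on the 204 probes and by the body check on the others, so it is classified the same way as a 3xx redirect.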

Contemporary security needs make transparent implementation of captive portals challenging. Thankfully, web browser and OS developers realize the importance of reporting this intermediate state between being connected to the Internet and not being connected, which reduces failure cases to a minimum.
