Most active commenters
  • bombcar(3)

←back to thread

A New Future for Icanhazip

(major.io)
980 points nkcmr | 27 comments | 06 Jun 21 19:21 UTC | HN request time: 1.252s | source | bottom
Show context
Ayesh ◴[06 Jun 21 20:01 UTC] No.27415818[source]
I was using icanhazip to check if my Tor circuit was complete, and probably made 50-100 requests per week. The site was getting slow, and I thought it is just a random site that the author didn't really care too much.

I dropped my jaw when I read it was getting 30B req/day.

Thank you for running this site for so long, and thank you for keeping it up for free, and deciding to not monetize it.

replies(1): >>27416146 #
1. tyingq ◴[06 Jun 21 20:43 UTC] No.27416146[source]
I got a lot of mileage out of neverssl.com before somebody fixed the process to log into various "guest wifi" setups...ones that would intercept/redirect any http request.

I'm somewhat curious what fixed things, as I've not had to use neverssl.com for some time.

replies(4): >>27416335 #>>27417005 #>>27417246 #>>27417473 #
2. lolinder ◴[06 Jun 21 21:07 UTC] No.27416335[source]
From what I can tell, most operating systems will now ping their own version of neverssl as you connect to a network to find out whether they need to show you a login prompt. It looks like they basically just check to see if they get the content they expect from a domain they own, and if not they serve you that page so you can see whatever it is your network injected. (You can usually see the OS domain in the address bar.)
replies(4): >>27416480 #>>27416671 #>>27416782 #>>27420145 #
3. toxik ◴[06 Jun 21 21:24 UTC] No.27416480[source]
captive.apple.com is what Apple uses
replies(4): >>27416489 #>>27416781 #>>27417275 #>>27445295 #
4. lolinder ◴[06 Jun 21 21:26 UTC] No.27416489{3}[source]
Thanks. I was reaching for an example but don't have a guest WiFi nearby to test.
5. tyingq ◴[06 Jun 21 21:50 UTC] No.27416671[source]
Ah, that's interesting. I remember it being very broken for a long time...especially for "normal" users that wouldn't understand why navigating to an https site wouldn't work in that captive wifi situation.
6. bombcar ◴[06 Jun 21 22:03 UTC] No.27416781{3}[source]
Apple has at least ten or more of these I’ve seen - on badly configured networks you sometimes see it in the address bar - because cached responses could destroy the utility.
replies(1): >>27417167 #
7. walrus01 ◴[06 Jun 21 22:03 UTC] No.27416782[source]
Yes, google, apple and Microsoft all maintain their own httpd with tiny stub content on it which specifically is not tls.
replies(1): >>27417317 #
8. nerdponx ◴[06 Jun 21 22:40 UTC] No.27417005[source]
I set up my own version of both neverssl and icanhazip, with nothing but Nginx on a cheap VPS. I already had the server up for other purposes, and I feel better knowing that I'm not mooching off of other people's effort (and money).
replies(1): >>27417211 #
9. fouc ◴[06 Jun 21 23:02 UTC] No.27417167{4}[source]
can you name one or two? I've never seen anything else besides captive.apple.com
replies(1): >>27418101 #
10. Ayesh ◴[06 Jun 21 23:08 UTC] No.27417211[source]
Neverssl has done some pretty nifty work to avoid caching. It redirects you to a random subdomain over plain HTTP just to make sure the browser has a cold cache. Maintaining a domain, the redirects, and making sure to _not_ accidentally obtain a certificate is a burden I wouldn't want to do, although it is not that difficult to do.

I was reading from neverssl maintainer that they get a _lot_ of traffic, questionable ones more than it is not. Its DNS runs on AWS IIRC, and we all know Route53 isn't the cheapest.

replies(3): >>27417308 #>>27417388 #>>27417898 #
11. Tijdreiziger ◴[06 Jun 21 23:14 UTC] No.27417246[source]
Ha, I could've used this ~a year ago when I moved into my current rental apartment. Fiber optic internet is included in the rent (in the form of an RJ45 jack in my wall), but there's a captive portal requiring you to enter your contract ID, which resulted in having to scour my memory and bookmarks for a non-HTTPS site.
12. Tijdreiziger ◴[06 Jun 21 23:18 UTC] No.27417275{3}[source]
Google's is http://connectivitycheck.gstatic.com/, and Microsoft's is http://www.msftncsi.com/ncsi.txt
replies(2): >>27417682 #>>27418656 #
13. GormanFletcher ◴[06 Jun 21 23:23 UTC] No.27417308{3}[source]
Having lived through the debut of Firesheep, which prompted the industry to get serious about using TLS, its an amusing triumph of cybersecurity that today a site has to be careful to not accidentally get issued a certificate. Back in 2010, when certificates cost substantial sums and needed some expertise to apply for and install, I wouldn't have guessed we'd ever get to this point.
14. stevage ◴[06 Jun 21 23:25 UTC] No.27417317{3}[source]
So interesting! Thanks for sharing.
15. nerdponx ◴[06 Jun 21 23:35 UTC] No.27417388{3}[source]
Interesting, I haven't encountered either of these issues, but I serve about 1 request a month (to myself) and have Certbot running automatically.
16. DominikPeters ◴[06 Jun 21 23:49 UTC] No.27417473[source]
My go-to for this is example.com
17. redler ◴[07 Jun 21 00:29 UTC] No.27417682{4}[source]
Leave it to Microsoft to use cryptic abbreviations and character limits even in URLs…
replies(1): >>27417821 #
18. pitterpatter ◴[07 Jun 21 00:49 UTC] No.27417821{5}[source]
Alternatively there's http://www.msftconnecttest.com/ncsi.txt
19. EE84M3i ◴[07 Jun 21 01:04 UTC] No.27417898{3}[source]
IIRC the neverssl maintainer _works_ at AWS.
20. gregsadetsky ◴[07 Jun 21 01:40 UTC] No.27418101{5}[source]
I found https://community.ui.com/questions/Apple-iPhone-iOS-portals-... which lists some of these domains (www.itools.info, www.thinkdifferent.us, etc.), and this answer on StackOverflow -- https://stackoverflow.com/a/22277933/ -- which reverses a list of domains that all point to the same IP
replies(1): >>27418122 #
21. bombcar ◴[07 Jun 21 01:45 UTC] No.27418122{6}[source]
I’ve seen some of these but I swear I’ve seen others like portalcheck or something - but always to an Apple-like domain.
replies(1): >>27422162 #
22. surround ◴[07 Jun 21 03:15 UTC] No.27418656{4}[source]
Firefox uses http://detectportal.firefox.com/success.txt
replies(1): >>27421576 #
23. stephen_g ◴[07 Jun 21 07:57 UTC] No.27420145[source]
Annoyingly, I've seen some networks that try to "fix" problems by letting that go through even when not logged in. I'm pretty sure it had been fixed last time I flew, but Qantas in-flight WiFi used to be one example I'd seen. You'd connect, and then nothing would happen and no SSL connections would work. You'd either need a non-HTTPs site to get the redirect, or go to 'wifi.qantas.com' to accept the terms and conditions before you could browse. I was trying to work out why my iPhone and Mac weren't popping up that page as soon as I connected, and bizarrely captive.apple.com came up with 'Success' instead of redirecting, which means they must have misguidedly put in an explicit rule to let that through, completely breaking the feature!
replies(1): >>27429342 #
24. kd913 ◴[07 Jun 21 12:07 UTC] No.27421576{5}[source]
I was always wondering given that firefox has that detectportal.firefox.com why they also put requests into example.com/example.org?
25. bombcar ◴[07 Jun 21 13:14 UTC] No.27422162{7}[source]
Now I realize that the "subdomain" can change - it's been like portal.icloud.us or similar.
26. monocularvision ◴[08 Jun 21 00:47 UTC] No.27429342{3}[source]
This exact thing happened to me on an American Airlines flight one time. It seemed to get fixed later.
replies(1): >>27430791 #
27. stephen_g ◴[08 Jun 21 05:00 UTC] No.27430791{4}[source]
The Qantas system runs on ViaSat's platform and satellite network, I don't know what American uses but perhaps it's based on the same system.