BasicInternet:White List

From its-wiki.no

Revision as of 07:47, 14 March 2018 by Felix.Sukums (Talk | contribs)


White list of apps

Our goal is to provide free access to information through the InfoInternet standard. The InfoInternet standard includes text and pictures, in addition to local videos. An example of a browser supporting the standard is Opera Mini, providing server-side compression of web pages into text and pictures. As long as we don't have a tool for analysing apps and web pages, we need to use white listing of Web pages.

White listed Web pages/Apps

  • google.com - needed for acceptance of Android devices
    • play.google.com % for app download, such as Opera Mini
  • apple.com - needed for acceptance of iOS and macOS devices
  • http://captive.apple.com/hotspot-detect.html
    • includes: itunes.apple.com/pl/app  % App-store for download of Opera Mini
  • its-wiki.no % home wiki of DigI and other sites
  • wikipedia.org

Required hosts for Google Play, YouTube and Facebook

Besides, authentication of vouchers works properly and I could log in by using a test voucher. The error is the result of the HTTPS certificate, so we require more information about which websites result in this certificate error: "ERR_CERT_COMMON_NAME_INVALID".

Google Play uses different hosts in order to work properly. The following hosts are required:

  • *google.com
  • *googlecontent.com -> to load Google Play properly
  • *gvt1.com -> to download applications

The same happens for the YouTube and Facebook services: they use different hosts in order to work properly. The following hosts are required for Facebook:

  • *facebook.com
  • *fbcdn.net -> to load required contents and videos

The following hosts are required for YouTube:

  • *youtube.com
  • *googlevideo.com -> to play video

How to identify a hot-spot

From Iñaki: Mac OS tries to open the URL which is configured in the following file: "Library/Preferences/SystemConfiguration/CaptiveNetworkSupport/Settings.plist", which is "http://captive.apple.com/hotspot-detect.html". Not sure if this URL has changed together with the Mac OS version. In the same way, I heard that Mac OS tries that URL but with a randomized section... not sure.

What I would do is to implement that web page in the Mikrotik, put it in the walled garden and set the address in the DNS, so that it is the Mikrotik which provides the web page instead of Apple. Regarding iPhone, Android 7 and so on... the problem is that with each OS version (maybe not in each version) they change the way to evaluate whether they are under a captive portal and whether they have Internet connection or not. Thus, we would have to analyze, using a network traffic analyzer (Wireshark), which web pages or addresses each OS version checks.

SDG and public information

  • BasicInternet.no,
  • BasicInternet.org
  • sustainabledevelopment.un.org % SDG 2030

Health related sites

  • ministry of health in TZ
  • global health media % and all other links on digi.futurecompetence.net

Other projects with health info

Thanks to Felix Sukums:
Please find details of the Safe Delivery App and its implementation (RCT) in Ethiopia. Maybe we can develop app(s) for the target disease, e.g. HIV/TB screening, or other diseases, for health workers, or a self-screening app plus education materials for the rural communities. In most cases this requires already approved/existing guidelines to be converted into an app or digital health promotion materials: http://www.maternity.dk/about-the-app/what-is-the-app/

We can also learn from/use their experience with the RCT here: http://www.maternity.dk/case/randomized-controlled-trial-in-ethiopia/

Vicious worm
Helena Ngowi was part of the team that developed the app for Android.


% please add what you find appropriate

Hot-Spot Pages

  • HotSpot is a way to authorize users to access the network. (It does not provide traffic encryption!)
  • In order to log in, users can use a web browser (HTTP/HTTPS) without installing any additional software.
  • HotSpot systems provide authentication within the local network (local users accessing the Internet) and can also authorize access from an outside network to local resources (without authentication, using Walled Garden).
  • Once HotSpot is enabled on an interface, the system sets up everything automatically (it adds dynamic destination NAT rules). These rules are required to redirect all web (HTTP/HTTPS) requests from any unauthorized users to the HotSpot proxy.
  • Commonly, when we open any HTTP page, the HotSpot servlet login page comes up. (It is recommended to use DNS names to open web pages, which also requires DNS configuration.)
  • DNS configuration should be setup on the HotSpot gateway.
  • If we do not require authorization for some services, we use Walled Garden. When a service listed in the walled garden is requested by a user who is not logged in, the HotSpot gateway does not intercept the request. For HTTP, it redirects to the requested destination.
  • If a user is logged in, the walled garden has no effect for them.
  • HTTP requests for walled garden entries use the embedded proxy server. (This means that all the parameters configured for the proxy server are effective for the Walled Garden.)

Six different authentication methods are currently available. One method at a time can be used simultaneously.

  • HTTP PAP – Simplest method, uses HotSpot login page to get the authentication (username and password) in plain text.
  • HTTP CHAP – Standard method, uses CHAP MD5 hash challenge in login page
  • HTTPS – same as HTTP PAP but uses SSL encrypted transmissions.
  • HTTP cookie – cookies are stored and re-used for login
  • MAC address – Uses MAC addresses for authentication
  • Trial – Users are allowed to use the service for free for a specific time.

How to identify DNS addresses in Hot-Spot:

There are several ways to identify the correct DNS address or dependent server address for a particular website/service/app, but the following method is effective and easy.

In order to check which websites need to be added to the walled garden, follow these steps:

1) Go to the MikroTik router, IP -> DNS -> Cache -> click Flush DNS Cache. (This clears the previous DNS cache; once we open a new website/app, the DNS cache fills up again.)
2) Keep the DNS Cache window open and open any website or application on a mobile device that is connected to the hotspot; the cache will show some of the DNS (web) addresses.
3) Find the relevant DNS address and add it to the Walled Garden (IP -> Hotspot -> Walled Garden -> click + (add new Walled Garden Entry) -> Select Server -> Enter Dst. Host (type the DNS address that was shown in the DNS cache) -> click OK).

Example: In order to allow WhatsApp to work in the walled garden, we need to check which websites need to be added to the walled garden. For that, follow these steps:

1) Go to the MikroTik router, IP -> DNS -> Cache -> click Flush DNS Cache.
2) Keep the DNS Cache window open and open WhatsApp on the mobile device; the cache will show some of the DNS (web) addresses.
3) Most likely the web address (*whatsapp.net) that is related to the WhatsApp service is common, so add it to the walled garden.
4) Once this address is added to the walled garden, WhatsApp will start working.
5) We can see from the above figure that the rule *whatsapp.net is hit 2 times, which shows that it is working.
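
The review of DNS cache entries against the walled garden can also be done offline. The following Python code is an added example, not part of the original wiki page or of MikroTik's tooling: it checks which cache names the page's host patterns do not yet admit, and flags patterns of the form `*example.com`, which also admit unrelated domains whose names end in the same characters. The cache names are constructed sample data, and shell-style glob matching (`fnmatch`) is an assumed approximation of how the router evaluates Dst. Host wildcards.

```python
from fnmatch import fnmatchcase

# Dst. Host patterns exactly as listed on this page.
WALLED_GARDEN = ["*google.com", "*googlecontent.com", "*gvt1.com", "*facebook.com",
                 "*fbcdn.net", "*youtube.com", "*googlevideo.com", "*whatsapp.net"]

# Constructed sample of names copied from IP -> DNS -> Cache after a flush.
DNS_CACHE = ["play.google.com", "mmg.whatsapp.net", "static.whatsapp.net",
             "redirector.gvt1.com", "play-lh.googleusercontent.com"]


def matching_patterns(host, patterns):
    """Return the patterns that admit host (case-insensitive glob match)."""
    host = host.lower().rstrip(".")
    return [p for p in patterns if fnmatchcase(host, p.lower())]


def uncovered(names, patterns):
    """Cache names that no walled-garden entry admits yet."""
    return [n for n in names if not matching_patterns(n, patterns)]


def loose(patterns):
    """'*example.com' has no dot after '*', so it also admits any other
    domain whose name merely ends in the same characters."""
    return [p for p in patterns if p.startswith("*") and not p.startswith("*.")]


def tighten(pattern):
    """Split a loose pattern into the bare domain plus its subdomains."""
    base = pattern.lstrip("*.")
    return [base, "*." + base]


if __name__ == "__main__":
    print("not yet in walled garden:", uncovered(DNS_CACHE, WALLED_GARDEN))
    for p in loose(WALLED_GARDEN):
        print(p, "->", tighten(p))
```

Each tightened pair needs two walled-garden entries instead of one, but unauthenticated users can then reach only the named domain and its subdomains.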