Logging into Captive Portals‎

From Whonix



Many publicly accessible Internet connections found at cafes, libraries, airports, hotels, universities and other locations require its users to register and login in order to get access to the Internet. This means newly connected users of the (free or paid) Wi-Fi or wired network have their browser redirected to a "captive portal" landing or login page, which requires either authentication, payment, acceptance of end-user license agreements, acceptable use policy, survey completion or other credentials before broader access to network resources is granted. [1] [2]

Figure: Sample Captive Portal [3]


Privacy Concerns[edit]

In general, captive portals pose a number of privacy concerns. Depending on the portal in question, it may be necessary to enter personal information such as an email or social media account, account number (when in a library), hotel room number, or other identifying details. [4] Recent research on Wi-Fi hotspots has revealed: [5]

  • Social login providers may share several privacy-sensitive fields - for example LinkedIn shares the full name, email address profile picture, current location and full employment history.
  • The vast majority of hotspots utilize tracking technologies in their captive portals and landing pages - multiple third-party tracking domains and persistent third-party HTTP cookies are common.
  • Personal and unique device information is sometimes shared with third-party domains (even without HTTPS).
  • A majority expose the user's device MAC address.
  • Sometimes personally sensitive information is leaked via HTTP, including full name, email address, phone number, address, postal code, date of birth and age.
  • Some hotspots explicitly link MAC address to collected personal information, allowing long-term user tracking.

This research confirms that while VPNs and the adoption of HTTPS on most websites mostly secures users' personal information from malicious hotspot providers, device/user tracking is still a serious privacy threat.

Logging into Captive Portals[edit]

When using VMs[edit]

It is not possible to access captive portals inside Whonix-Workstation ™. Therefore, in Non-Qubes-Whonix ™ it is necessary to use the browser on the host operating system for this purpose, since it has unrestricted network access. In Qubes-Whonix, a separate dedicated VM must be used such as a Debian or Fedora AppVM.

It must be stressed that this configuration is not anonymous, so it must be used carefully.

When using Physical Isolation[edit]

There is no unsafe browser installed by default on Whonix-Gateway ™ (see below for instructions). As a workaround a third machine can be used which has access to clearnet, or the hardware which runs Whonix-Gateway ™ can be booted with another operating system (from USB), which is not torified.

Security Recommendations[edit]

  • While this browser can be used without any restrictions, it is strongly recommended to only use it for the purpose stated above, that is to access and login on captive portals.
  • Do not run this browser at the same time as the normal, anonymous Tor Browser. Otherwise, it is easy to mistake one browser for the other, which could have catastrophic consequences for anonymity.
  • It is suggested to run this browser from a dedicated VM and lock it down with NoScript and isolation programs like FireJail (Linux only).

Unsafe Browser[edit]


Ambox warning pn.svg.png This procedure is discouraged!

These steps must be completed while you still have an Internet connection. It cannot be done later on when an Internet connection is required, since no unsafe browser is installed by default.

The following instructions are applied on Whonix-Gateway ™.

1. Configure user home of user clearnet to /home/clearnet as it is not set by Whonix ™ default.

sudo usermod -m -d /home/clearnet clearnet

2. Create folder /home/clearnet.

sudo mkdir -p /home/clearnet

3. Set owner of folder /home/clearnet to be user clearnet.

sudo chown -R clearnet:clearnet /home/clearnet

4. Install a browser.

Install firefox-esr.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the firefox-esr package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends firefox-esr

The procedure of installing firefox-esr is complete.


1. Start bash as user clearnet. [6]

sudo --set-home -u clearnet bash

2. Change directory into user clearnet home folder.

cd ~

3. Start the browser.



To remove the unsafe browser, apply the following instructions.

1. Purge firefox-esr.

sudo apt-get purge firefox-esr

2. Autoremove.

sudo apt-get autoremove

3. Optional: Delete the Firefox data directory.

rm -r /home/user/clearnet/.mozilla/firefox


Whonix ™ Logging in to captive portals wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Logging in to captive portals wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


  1. [archive]
  2. Captive portals are sometimes used for access to enterprise or residential wired networks, such as business centers, apartments or hotel rooms.
  3. [archive]
  4. [archive]
  5. [archive]
  6. The sudo --set-home parameter is important to prevent file permission issues since a GUI application is to be started under a different user account. Similar to GUI Applications with Root Rights. Quote sudo man page:

    -H, --set-home
    Request that the security policy set the HOME environment variable to the home directory specified by the target user's password database entry. Depending on the policy, this may be the default behavior.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Logging in to captive portals&body= link= in to captive portals link= in to captive portals link= in to captive portals%20 in to captive portals

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.