Logging into Captive Portals

From Whonix



Many publicly accessible Internet connections found at cafes, libraries, airports, hotels, universities and other locations require their users to register and log in to get access to the Internet. This means newly connected users of the (free or paid) Wi-Fi or wired network have their browser redirected to a "captive portal" landing or login page, which requires either authentication, payment, acceptance of end-user license agreements, acceptable use policy, survey completion or other credentials before broader access to network resources is granted. [1] [2]

Figure: Sample Captive Portal [3]


Privacy Concerns

In general, captive portals pose a number of privacy concerns. Depending on the portal in question, it may be necessary to enter personal information such as an email or social media account, account number (when in a library), hotel room number, or other identifying details. [4] Recent research on Wi-Fi hotspots has revealed: [5]

  • Social login providers may share several privacy-sensitive fields - for example LinkedIn shares the full name, email address, profile picture, current location and full employment history.
  • The vast majority of hotspots utilize tracking technologies in their captive portals and landing pages - multiple third-party tracking domains and persistent third-party HTTP cookies are common.
  • Personal and unique device information is sometimes shared with third-party domains (even without HTTPS).
  • A majority expose the user's device MAC address.
  • Sometimes personally sensitive information is leaked via HTTP, including full name, email address, phone number, address, postal code, date of birth and age.
  • Some hotspots explicitly link MAC address to collected personal information, allowing long-term user tracking.

This research confirms that while VPNs and the adoption of HTTPS on most websites mostly secure users' personal information from malicious hotspot providers, device/user tracking is still a serious privacy threat.

Logging into Captive Portals

When using VMs

It is not possible to access captive portals inside Whonix-Workstation ™. Therefore, in Non-Qubes-Whonix ™ it is necessary to use the browser on the host operating system for this purpose, since it has unrestricted network access. In Qubes-Whonix, a separate dedicated VM, such as a Debian or Fedora AppVM, must be used.

It must be stressed that this configuration is not anonymous, so it must be used carefully.

When using Physical Isolation

There is no unsafe browser installed by default on Whonix-Gateway ™ (see below for instructions). As a workaround a third machine can be used which has access to clearnet, or the hardware which runs Whonix-Gateway ™ can be booted with another operating system (from USB), which is not torified.

Security Recommendations

  • While this browser can be used without any restrictions, it is strongly recommended to only use it for the purpose stated above, that is to access and log in to captive portals.
  • Do not run this browser at the same time as the normal, anonymous Tor Browser. Otherwise, it is easy to mistake one browser for the other, which could have catastrophic consequences for anonymity.
  • It is suggested to run this browser from a dedicated VM and lock it down with NoScript and isolation programs like Firejail (Linux only).

Unsafe Browser


Warning: This procedure is discouraged!

These steps must be completed while you still have an Internet connection. They cannot be done later on when an Internet connection is required, since no unsafe browser is installed by default.

The following instructions are applied on Whonix-Gateway ™.

1. Configure user home of user clearnet to /home/clearnet as it is not set by Whonix default.

sudo usermod -m -d /home/clearnet clearnet

2. Create folder /home/clearnet.

sudo mkdir -p /home/clearnet

3. Set owner of folder /home/clearnet to be user clearnet.

sudo chown -R clearnet:clearnet /home/clearnet

4. Install a browser.

Install firefox-esr.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the firefox-esr package.

sudo apt-get install firefox-esr

The procedure of installing firefox-esr is complete.
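A preflight check for steps 1 to 3 above, added here as an example and not part of the Whonix wiki or project; the function name check_unsafe_home and its optional passwd-file argument are assumptions for illustration. It confirms that the passwd entry, which sudo --set-home reads, points at /home/clearnet and that the folder and its contents belong to user clearnet.

```shell
#!/bin/sh
# Added example (not Whonix code). check_unsafe_home is a hypothetical helper.
# Usage: check_unsafe_home USER EXPECTED_HOME [PASSWD_FILE]
# Returns 0 only if the account matches what steps 1-3 set up.
check_unsafe_home() {
    user=$1; want=$2; db=${3:-/etc/passwd}
    # Fields 3 and 6 of the passwd entry: numeric uid and home directory.
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $6; exit }' "$db")
    if [ -z "$entry" ]; then
        echo "FAIL: no passwd entry for $user"
        return 1
    fi
    uid=${entry%%:*}
    home=${entry#*:}
    rc=0
    # Step 1: sudo --set-home takes HOME from this field.
    if [ "$home" != "$want" ]; then
        echo "FAIL: passwd home is '$home', expected '$want'"
        rc=1
    fi
    # Step 2: the folder must exist.
    if [ ! -d "$want" ]; then
        echo "FAIL: $want is not a directory"
        return 1
    fi
    # Step 3: compare the numeric owner, so no name lookup is needed.
    owner=$(ls -ldn "$want" | awk '{ print $3 }')
    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $want is owned by uid $owner, expected $uid"
        rc=1
    fi
    # Files left behind by another account cause the permission problems
    # that --set-home is meant to avoid; list the first few.
    stray=$(find "$want" ! -user "$uid" 2>/dev/null | head -n 5)
    if [ -n "$stray" ]; then
        echo "FAIL: not owned by $user:"
        echo "$stray"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $want is ready for $user"; fi
    return "$rc"
}

# Run against the real account only when asked: sh thisfile --run
if [ "${1:-}" = "--run" ]; then
    check_unsafe_home clearnet /home/clearnet
fi
```
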


1. Start bash as user clearnet. [6]

sudo --set-home -u clearnet bash

2. Change directory into user clearnet home folder.

cd ~

3. Start the browser.



To remove the unsafe browser, apply the following instructions.

1. Purge firefox-esr.

sudo apt-get purge firefox-esr

2. Autoremove.

sudo apt-get autoremove

3. Optional: Delete the Firefox data directory.

sudo rm -r /home/clearnet/.mozilla/firefox


Whonix ™ Logging in to captive portals wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Logging in to captive portals wiki page Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


  1. [archive]
  2. Captive portals are sometimes used for access to enterprise or residential wired networks, such as business centers, apartments or hotel rooms.
  3. [archive]
  4. [archive]
  5. [archive]
  6. The sudo --set-home parameter is important to prevent file permission issues since a GUI application is to be started under a different user account. Similar to GUI Applications with Root Rights. Quote sudo man page:

    -H, --set-home
    Request that the security policy set the HOME environment variable to the home directory specified by the target user's password database entry. Depending on the policy, this may be the default behavior.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
