Asshole Design (web edition)

A bathroom remodeling service who sells bathrooms on the order of $5k—15k has a contact page that requires a CAPTCHA. It’s as if customer dignity has been tossed out and merchants no longer see the need to respect the traditional role of serving their customer. So I have to wonder, are customers who are willing to spend 4—5 figures on a custom bathroom really willing to solve a CAPTCHA and effectively become subservient to the business they are patronizing?

I’m like, if you’re going to trouble me because you can’t be bothered to do your own spam filting, maybe you don’t really need my business.

A software package was released as a tarball, but if it’s not listed in the releases (which gives the size) you’re stuffed if you need to know the size before downloading because curl -LI $url gives content-length: 0.

cross-posted from: https://infosec.pub/post/11021006

…
TLS-encumbered captive portal (transit service)

A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error:

net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I tried a couple browsers and tried rewriting the https:// scheme as http:// but SSL redirect was forced consistently. The error apparently implies my phone’s browser can’t do TLS 1.3.

It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions:

• I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place).

• Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it.

I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5.

Bypass methods

I guess I need to study:

• ICMP tunnel (slow, but IIUC it’s the least commonly blocked)
• SSH tunnel
• others?

Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found:

• MultiVNC - VNC over SSH
• AVNC - VNC over SSH
• ConnectBot - Can all traffic be routed over this SSH tunnel, or just a shell session?
• VX ConnectBot - same as connectBot but expanded

I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option.

My to-do list of things to tinker with so far:

• Captive Portal Controller
• ~~CaptivePortalLogin~~ (AOS 6+, and no Izzy archives on this)
• Hotspot Login

Legal options

If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases.

And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

I ran this command to see if the PDF menu was small enough for my capped internet connection:

$ torsocks curl -LI 'https://cafevanbommel.nl/wp-content/uploads/2023/11/Van-Bommel-Menukaart-November-2023-FOOD.pdf'
HTTP/2 200 
date: Tue, 09 Apr 2024 16:01:40 GMT
content-length: 1480
cache-control: no-cache, no-store, must-revalidate, max-age=0
cache-control: no-store, max-age=0
server: imunify360-webshield/1.21

PDF was only 1k, so of course I have no objections. Fetched it using wget, and it was just ASCII text in the form of HTML-wrapped javascript. WTF?

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex, nofollow">
    <title>One moment, please...</title>
    <style>
    body {
        background: #F6F7F8;
        color: #303131;
        font-family: sans-serif;
        margin-top: 45vh;
        text-align: center;
    }   
    </style>
    </head>
<body>
    <h1>Please wait while your request is being verified...</h1>
    <form id="wsidchk-form" style="display:none;" action="/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f" method="GET">
    <input type="hidden" id="wsidchk" name="wsidchk"/>
    </form>
    <script>
    (function(){
        var west=+((+!+[])+(+!+[]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+[])+(+!+[])+(+!+[]+!![]+[])+(+!+[]+!![]+!!
[]+!![])+(+!+[]+!![]+!![]+!![]+!![]+[])),  
            east=+((+!+[]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!!
[]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[])+(+!+[]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])),
            x=function(){try{return !!window.addEventListener;}catch(e){return !!0;} },
            y=function(y,z){x() ? document.addEventListener('DOMContentLoaded',y,z) : document.attachEvent('onreadystatechange',y);};
        y(function(){
            document.getElementById('wsidchk').value = west + east;
            document.getElementById('wsidchk-form').submit();
        }, false);
    })();
    </script>
</body>
</html>

To troubleshoot, I loaded the same link in a GUI browser. PDF.js fetched a proper PDF that turned out to be 1.6mb. Fuck this shit. It’s not as bad as some restaurants (~20mb menus loaded with pics), but still, it could have sucked my credit dry because the asshole web dev pulled this shit. The content-length header exists for a reason.

I wonder to what extent the restaurant’s web admin is just naive about what’s happening, considering the “imunify360” in the header, which suggest some shitty MitM might have done this without the Wordpress user really knowing.

But what’s driving the protectionism? I should be able to, for example, have a scraper bot harvest all the PDF restaurant menus before visiting a region. They should want my business.

cross-posted from: https://sopuli.xyz/post/10725880

I simply wanted to submit a bug report. This is so fucked up. The process so far:

① solved a CAPTCHA just to reach a reg. form (I have image loading disabled but the graphical CAPTCHA puzzle displayed anyway (wtf Firefox?)
② disposable email address rejected (so Bitbucket can protect themselves from spam but other people cannot? #hypocrisy)
③ tried a forwarding acct instead of disposable (accepted)
③ another CAPTCHA, this time Google reCAPTCHA. I never solve these because it violates so many digital right principles and I boycott Google. But made an exception for this experiment. The puzzle was empty because I disable images (can’t afford the bandwidth). Exceptionally, I enable images and solve the piece of shit. Could not work out if a furry cylindrical blob sitting on a sofa was a “hat”, but managed to solve enough puzzles.
④ got the green checkmark ✓
⑤ clicked “sign up”
⑥ “We are having trouble verifying reCAPTCHA for this request. Please try again. If the problem persists, try another browser/device or reach out to Atlassian Support.”

Are you fucking kidding me?! Google probably profited from my CAPTCHA work before showing me the door. Should be illegal. Really folks, a backlash of some kind is needed. I have my vision and couldn’t get registered (from Tor). Imagine a blind Tor user.. or even a blind clearnet user going through this shit. I don’t think the first CAPTCHA to reach the form even had an audio option.

Shame on #Bitbucket!

⑦ attempted to e-mail the code author:

status=bounced (host $authors_own_mx_svr said: 550-host $my_ip is listed at combined.mail.abusix.zone (127.0.0.11); 550 see https://lookup.abusix.com/search?q=$my_ip (in reply to RCPT TO command))

#A11y #enshitification

Calling out #Startpage for this sneaky malicious timing tactic:

1. show results below invisible sponsored links
2. inject sponsored links at the top and expand them ~⅓—½ of the screen height
3. users trying to click on one of the first few non-sponsored links clicks on a sponsored link which quickly expands at a moment when it’s too late for users to stop themselves from clicking. People cannot re-adjust their mouse position fast enough.

I get burnt on that more often than not.

Suppose I want to share a link that works well in a text browser like lynx, or in a GUI browser with domain-specific javascript enabled and the rest disabled, and images disabled.

How do you do that? There is no format specification for this. The best you can do is write a paragraph telling users how to visit the link.

So the question is, why don’t we create a superset of the URL specification to include variables that deshitifies the page being visited and includes warnings for various anti-features?

First attempt to load this shitty Cloudflare page resulted in a forced cookie popup with no “reject all” option. There are ~50+ or so switches to click off spanning two tabs (one hidden way at the bottom in fine print for “vendors”). Fuck that.

Usually when I encounter this particular variety of shit I switch to “torsocks lynx '$URL'”. In this case, it gave a 403 claiming “enable javascript and cookies to continue” to Lynx.

Then I loaded the archive version in Firefox with js and animations both disabled, and finally the text was reachable. But then an animation at the bottom played anyway. So I had to disable still images to stop the animation (guessing the ad is an animated GIF).

What a disasterous display of web enshitification. Feel free to comment on how one might handle this in a more effortless way without agreeing to the cookies.

(asshole design candidate: #homebarista)