Hospital WiFi Security

[JetsetBkk]

I tried to connect to the free WiFi in a private hospital in Phuket town:

 

 

 

So I hit "Continue"...

 

 

Then hit "Advanced"...

 

 

...and scrolled the message...

 

 

 

Any thoughts? Should I send these images to the hospital WiFi people?

I'm sure I've used their WiFi in the past without this problem.

Maybe my mobile's security (BitDefender) has been updated and now detects stuff like this.

 

[johng]

Any thoughts? Should I send these images to the hospital WiFi people?

 

You can try but I doubt they'll be very interested.

Looks like some kind of "captive portal" setup its free to use ,so for non sensitive stuff ..ie dont do your online banking or stock trading via this freebee portal.

 

 

 

 

[Guest]

Tell them to change their login IP address. https://1.1.1.1/ is not a private address space, like 10.x.x.x and 192.168.x.x etc. are. 

 

That's like using 8.8.8.8 as internal network address. 

 

 

[JetsetBkk]

Thanks for your comments. I don't know why I didn't think of this before... "Google is your friend"  :)

So I Googled around and got this:

 

 

So maybe it's not such a big deal after all.

 

Maybe.

 

If I don't get the message next time I'm there, it may be that they've reset their clock.

I'll take a copy of the messages and give it to someone who looks like they might know someone who knows something about their system - hard to find, I know - but you gotta try.

 

[Guest]

The SSL certificate validity time is normally compared between the client (browser) and the certificate itself. I haven't tested myself, but I doubt wrong time on the server would matter.

 

This error is the result of faulty IP range used on the hospital's network. Chrome knows that 1.1.1.1 requires using https with correct SSL cert, and therefore gives the warning.

 

Here is the correct SSL cert for 1.1.1.1. It belongs to Cloudflare.

 

 

 

[JetsetBkk]

On Tuesday, June 19, 2018 at 9:05 PM, oilinki said:

The SSL certificate validity time is normally compared between the client (browser) and the certificate itself. I haven't tested myself, but I doubt wrong time on the server would matter.

 

This error is the result of faulty IP range used on the hospital's network. Chrome knows that 1.1.1.1 requires using https with correct SSL cert, and therefore gives the warning.

 

Here is the correct SSL cert for 1.1.1.1. It belongs to Cloudflare.

 

 

 

 

Sorry, didn't see the notification for your post - which is very interesting. So you are saying that there is only one SSL certificate for 1.1.1.1 which is a public address and shouldn't be used in a private network?

 

The reason I came back to this topic is because I went back to the hospital today and asked some of the "pretties" if they could access the hospital WiFi. They all thought I was crazy until one brave girl said she couldn't - she showed me her phone and the image looked similar to my first image above, except it was written in Thai. I should've taken a photo of her phone showing the image

 

So it looks like some phones/software are strict about 1.1.1.1 and some aren't. My phone runs BitDefender so maybe I can try turning it off when I'm there next time.

 

[Guest]

3 minutes ago, JetsetBkk said:

 

Sorry, didn't see the notification for your post - which is very interesting. So you are saying that there is only one SSL certificate for 1.1.1.1 which is a public address and shouldn't be used in a private network?

 

The reason I came back to this topic is because I went back to the hospital today and asked some of the "pretties" if they could access the hospital WiFi. They all thought I was crazy until one brave girl said she couldn't - she showed me her phone and the image looked similar to my first image above, except it was written in Thai. I should've taken a photo of her phone showing the image

 

So it looks like some phones/software are strict about 1.1.1.1 and some aren't. My phone runs BitDefender so maybe I can try turning it off when I'm there next time.

 

 

1.1.1.1 is a special case as it became routable address just very recently. There was a deal between APNIC and Cloudflare for it to be used as Cloudflare public DNS server. 

 

The reason why it became a publicly routed address was that APNIC (which takes care of the IP-addresses in APAC area, knew that there are many services which have used 1.1.1.1 for their own purposes. It's not allowed, but many do so.

 

I suppose why it works for some and not for others, depends how new their phones operating system and browsers are. Older OS's might not block the wrong certification, while newer ones block.

 

They bloc, because otherwise it would be easy to create a scam DNS server with 1.1.1.1 or Googles 8.8.8.8 address and redirect the traffic to pitching sites... for example when accessing Internet banking websites. 

 

Tell the hospital to change the 1.1.1.1 address to for example 10.1.1.1 and the problem should be gone. If you got the pretties phone number, you can send it to me, preferably along with photos. 

 

[JetsetBkk]

23 hours ago, oilinki said:

 

1.1.1.1 is a special case as it became routable address just very recently. There was a deal between APNIC and Cloudflare for it to be used as Cloudflare public DNS server. 

 

The reason why it became a publicly routed address was that APNIC (which takes care of the IP-addresses in APAC area, knew that there are many services which have used 1.1.1.1 for their own purposes. It's not allowed, but many do so.

 

I suppose why it works for some and not for others, depends how new their phones operating system and browsers are. Older OS's might not block the wrong certification, while newer ones block.

 

They bloc, because otherwise it would be easy to create a scam DNS server with 1.1.1.1 or Googles 8.8.8.8 address and redirect the traffic to pitching sites... for example when accessing Internet banking websites. 

 

Tell the hospital to change the 1.1.1.1 address to for example 10.1.1.1 and the problem should be gone. If you got the pretties phone number, you can send it to me, preferably along with photos. 

 

Unfortunately, not only did I NOT get the pretty's phone number, she wasn't there today when I again tried to get them to sort out the problem.

 

But the good news is that even though none of the less-than-pretty helpers had the same problem on their mobiles and tablets, I did manage to get their "IT Support" guy to come down. He wanted to play with my phone but I said I'd rather he not change anything, so he asked me to run Chrome and go to 1.1.1.1.

 

I tried and it wouldn't connect. Then he got his phone out and tapped the "Connect to Bkk-Phuket Free WiFi" notification and he got the same "Your connection is not private" screen as I did! ?

 

So I left him trying to figure out what was wrong. I did tell him that 1.1.1.1 was not a private address but I don't think he understood me. Hopefully he will take this up with the company who support their WiFi network.

 

[Guest]

Well, next time you visit them, tell them to be prepared to pay hefty bill once the expert on his white horse riders to their hospital. 

[JetsetBkk]

They appear to have fixed the problem as I could connect OK last week.

 

But I'm sure I saw a reference to 1.1.1.1 while I was connecting. Next time I'll try to take a screen shot.