HACKER Q&A
📣 jgtor

Why is there no better protocol support for WiFi captive portals?


I'm curious why we still rely on hacky techniques like requesting captive.apple.com and waiting for interception, rather than having proper protocol-level support built into WPA. Why can't the WPA protocol simply announce that authentication requires a captive portal?

It seems like every public hotspot I connect to is flaky and will sometimes report it's connected when it still requires captive portal auth. Or even when it does work, there's a 15 second delay before the captive screen pops up. Shouldn't this have been solved properly by now?

Does anyone have insight into the technical or historical reasons this remains so messy? If the wireless protocol could announce to the client through some standard that they have to complete auth via HTTP, I feel the clients could implement a much better experience.


  👤 westurner Accepted Answer ✓
Related issue: secured DNS must downgrade/fallback to unsecured DNS because of captive portal DNS redirection (because captive portals block access to DNS until the user logs in, and the user can't log into the captive portal without DNS redirection that is prevented by DoH, DoT, and DoQ).

Impact: if you set up someone's computer to use secured DNS only, and their device doesn't have per-SSID connection profiles, then they can't use captive portal hotspot Wi-Fi without knowing how to disable secured DNS.

"Do not downgrade to unsecured DNS unless it's an explicitly authorized captive portal"

IIRC there's a new-ish way to configure DNS-over-HTTPS over DHCP like there is for normal DNS.
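As an added example (not code from anyone in this thread), here is the client-side logic the question and this answer are describing: classify a connectivity probe against a known endpoint, then permit the fallback to plain DNS only while a portal is detected on an SSID the user has explicitly authorized. The `probe.example` host, its 204 behaviour and all sample responses are constructed.

```python
"""Captive-portal probe classification plus a DNS downgrade policy.

Constructed example: responses are hard-coded, nothing touches the network.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

# Expected (status, body marker) when the path to the Internet is clear.
# captive.apple.com answers 200 with an HTML body containing "Success";
# probe.example is a constructed endpoint that answers 204 with an empty body.
EXPECTED: Dict[str, Tuple[int, str]] = {
    "captive.apple.com": (200, "Success"),
    "probe.example": (204, ""),
}


class State(Enum):
    OPEN = "open"        # probe answered exactly as the real endpoint would
    PORTAL = "portal"    # something on the path intercepted the probe
    OFFLINE = "offline"  # no answer at all (timeout, reset, no route)


@dataclass
class Probe:
    host: str
    status: Optional[int]            # None means the request never completed
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify(p: Probe) -> State:
    if p.status is None:
        return State.OFFLINE
    exp_status, exp_marker = EXPECTED[p.host]
    # A 3xx with Location is the classic portal redirect to its login page.
    if 300 <= p.status < 400 and "location" in {k.lower() for k in p.headers}:
        return State.PORTAL
    # 511 "Network Authentication Required" is the standard portal signal.
    if p.status == 511:
        return State.PORTAL
    if p.status == exp_status and exp_marker in p.body:
        return State.OPEN
    # Wrong status or a replaced body: the probe was answered by something else.
    return State.PORTAL


def allow_plain_dns(state: State, ssid: str, authorized: Set[str]) -> bool:
    """Downgrade to unsecured DNS only while a portal is detected on an SSID
    the user has explicitly marked as a captive-portal network."""
    return state is State.PORTAL and ssid in authorized
```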


👤 tony-allan
A great way to manage bandwidth by delivering a really subpar user experience.