Some captive Wifi portals require the ability to 301/302 redirect a user to an authentication / terms of service page before permitting access to the Internet.
This is at odds with SSL, which can't be cleanly intercepted by the typical coffee shop offering wifi services to customers. In this case users might get an SSL error when connecting to https://Facebook.com, since the certificate is privately issued. Clearly a security no-no.
So now, with Wifi + HTTPS, the connection will fail. Smart users can navigate to the "http://" version of the site to "trigger" the redirect, but that is no longer reliable with HSTS and certificate pinning, since the portal redirect can't be sent.
With the growing popularity of HSTS and pinning, many of the websites a user "guesses" will result in a browser error and no redirection to the local authentication point.
Question
- What is the ideal mitigation for this? Which specific best practices?
- Should I consider no SSL on the naked/root and www domains to perform redirections?
- Should I have an entirely different TLD for HSTS?
I'm asking so I can make case-by-case usability vs security tradeoffs.
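Added example, not part of the question or of any answer on the page: a small Python model of the browser-side HSTS cache described in RFC 6797 (max-age, includeSubDomains, parent-domain lookup, expiry) next to a stand-in for the coffee-shop gateway, to show concretely why typing an http:// URL for a host the browser already knows as HSTS never produces the portal's 302. The browser upgrades the URL to https:// before any packet leaves the machine, and the gateway can then only break the TLS handshake. The portal URL and every host name ending in .test are constructed for the example; the preload list is not modeled separately, since a preloaded entry behaves like a pre-populated cache entry.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed login page for the hypothetical gateway (not a real portal).
PORTAL_LOGIN = "http://portal.example.test/login"


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is ignored
    include_subdomains: bool  # set when the header carried includeSubDomains


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797). Ports are not modeled."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._hosts = {}

    def observe(self, host, header):
        """Record a Strict-Transport-Security header received over HTTPS from `host`.

        Returns True if the header was valid and applied, False if it was ignored
        (missing or malformed max-age), which is what a browser does too.
        """
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:
            # max-age=0 is the only way a site can tell the browser to forget it.
            self._hosts.pop(host.lower(), None)
            return True
        self._hosts[host.lower()] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if `host` or, via includeSubDomains, one of its parents is an unexpired HSTS host."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser will actually request for a typed/guessed URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            # Upgrade happens internally; no plaintext request is ever sent.
            return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url


def captive_portal_response(requested_url):
    """Model of the gateway: plain HTTP gets a 302 to the login page; HTTPS cannot be
    rewritten without a privately issued certificate, so the handshake fails."""
    if requested_url.startswith("http://"):
        return ("302", PORTAL_LOGIN)
    return ("TLS_ERROR", None)


def attempt(cache, typed_url):
    """What the user sees: (URL actually requested, gateway status, redirect target)."""
    requested = cache.navigate(typed_url)
    status, location = captive_portal_response(requested)
    return requested, status, location


if __name__ == "__main__":
    cache = HstsCache()
    # A previous successful visit on a trusted network stored this header (illustrative value).
    cache.observe("www.facebook.com", "max-age=15552000; preload")
    print(attempt(cache, "http://www.facebook.com/"))       # upgraded -> TLS_ERROR, no portal
    print(attempt(cache, "http://neverssl.example.test/"))  # plain HTTP -> 302 to the portal
```

The same walk up the label list is what makes a "different TLD for HSTS" question meaningful: includeSubDomains on example.org covers login.example.org, so a plain-http "trigger" host has to live outside every HSTS-covered parent, not merely on a different subdomain.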