The advantage of example.com is that it's still served over HTTP, which is very helpful if you are trying to force a redirect for wifi login or 'out of quota' on a phone plan.
The difference being, example.com is run by IANA [0] and guaranteed by them, whereas neverssl is just a kind-hearted soul, and may one day resolve to something else.
> 2. Application software SHOULD NOT recognize example names as special and SHOULD use example names as they would other domain names.
> 3. Name resolution APIs and libraries SHOULD NOT recognize example names as special and SHOULD NOT treat them differently. Name resolution APIs SHOULD send queries for example names to their configured caching DNS server(s).
> 6. DNS server operators SHOULD be aware that example names are reserved for use in documentation.
You are guaranteed to be able to try and resolve the domain, which should generally be enough for the crappy man-in-the-middle systems to work.
However, example.com should never suddenly start serving you a cryptominer, etc. Which is the larger concern.
> You are guaranteed to be able to try and resolve the domain, which should generally be enough for the crappy man-in-the-middle systems to work.
I have never seen any captive portal work at the DNS level though (and that by itself sounds problematic). They work at the HTTP level. So if one day example.com starts using HSTS then it will also be a problem, in addition to browsers nowadays defaulting to HTTPS so you have to type http://example.com yourself.
neverssl.com guarantees all of that, at least as long as it's there.
> neverssl.com guarantees all of that, at least as long as it's there.
It didn't work for me when I tried to use it in the airport (DCA). I tried to get to the captive portal through Firefox and Vivaldi. It took a couple of restarts of my browser to manage to get to the captive portal. It is not guaranteed that it will work, as in my case.
Some of the captive portals I've run into do work at the DNS level, possibly tied to some other firewalling to prevent traffic leakage, I can't remember.
Those were pretty problematic, for all the reasons you're thinking... Better to use a hostname you're not hoping to actually use.
The other difference being that neverssl.com does a bit more as it immediately redirects you to a unique subdomain, ensuring that any caching that your browser is trying is subverted.
Sure, it might go away one day. Until it does, it’s the best solution to this problem.
I’ve had WiFi captive portals that somehow don’t redirect neverssl.com but do for other http/80 domains. Truly bewildering - I don’t understand how it could happen by mistake, nor why anyone would do that on purpose.
http://captive.apple.com was my go-to just because I'd see it flash in the URL bar before redirecting when connecting to airplane wifi. I like the subdomain; it's an apt description of the state you're in before passing through the login/payment flow for these kinds of networks.
Neat tools, as until I learned of the existence of these SSL-less sites to prompt captive portals I used to try to connect to various sites until it showed up.
Why is it that popular browsers do not allow users to manually disable the behaviour that necessitates this apparently common workaround?^1 Is this another example of "tech" company paternalism?
This is a great reminder that when working with test data for stuff like email delivery, always use example.com (or a few other similar TLDs) and not stuff like "test.com" or "acme.com" or "dummyuser.com". I see this all the time by devs and they don't understand the risk and why example.com was put into the standards.
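As an added example (not part of the thread), here is one way to enforce the advice above: a Python check that scans test fixtures for e-mail addresses whose domains are not among the names reserved by RFC 2606 / RFC 6761. The fixture text and the function names are constructed for illustration.

```python
import re

# Names reserved for documentation and testing (RFC 2606 / RFC 6761).
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}

# Loose address matcher; group 1 captures the domain part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)")


def is_reserved(domain):
    """True if the domain is a reserved name or a subdomain of one."""
    d = domain.lower().rstrip(".")
    if d.split(".")[-1] in RESERVED_TLDS:
        return True
    # Compare on label boundaries so "notexample.com" does not pass.
    return any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS)


def find_risky_addresses(text):
    """Return (line_number, address) for every address on a real domain."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if not is_reserved(m.group(1)):
                findings.append((lineno, m.group(0)))
    return findings


# Constructed sample fixture, not taken from any real project.
SAMPLE_FIXTURE = """\
users:
  - email: alice@example.com
  - email: bob@test.com
  - email: carol@mail.example.org
  - email: dave@acme.com
  - email: erin@myco.example
  - email: frank@notexample.com
  - email: grace@dummyuser.com
"""

if __name__ == "__main__":
    for lineno, addr in find_risky_addresses(SAMPLE_FIXTURE):
        print(f"line {lineno}: {addr} is on a registrable domain someone may own")
```

Run over a fixtures directory in CI, a non-empty result is a reason to fail the build before test mail reaches a domain owned by a third party.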
Never heard of the .example TLD, so thanks for that. However, an issue I see with it is that it doesn’t look like a domain name. Things that end in ‘.com’ are synonymous with domain names, regardless of how accurate that assumption really is. I think people are just starting to get familiar with these new alternative TLD names, but I can easily see business people not understanding ‘myco.example’, while they would understand ‘example.com’.
I have a .com domain with 'test' in the name. I was mildly DNS spammed because Microsoft admins would create that thing with test in the name. I'd get 10-20 DNS packets a day. I moved it to an external DNS provider just to give my logs a break.
Well, you also have to run the Kubernetes cluster, ELK stack, Postgres, Redis, Kafka, Prometheus, Grafana and Jaeger to monitor the application and scale elastically between 0 and 20 packets.
I have an integration test domain. It's just another domain, so far as my systems are concerned, but it's another domain I own and sign up as a customer for all my services. Rather: I sign it up as a customer on my staging instance, which is a real, public facing instance, that gets no advertising.
It's a real domain with functioning... whatever I need to test. Email, DNS, Identity servers, etc.
I forgot I had it installed on my phone, but clicking the link opened, to my surprise, the Simply Piano app. Why you'd associate your app with that domain for legitimate purposes is a bit of a mystery to me.
This shouldn't be possible on Android. Google requires apps capturing http/s deeplinks verify ownership of the URI.[1] They can accept any other schema declared in their manifest otherwise. Example code would seem most plausible, but I can't see how it would work.
For a while my Amazon Alexa gadget was hitting three domains several times an hour, example.com/net/org. I looked with tcpdump and verified it was following every lookup with an HTTP get.
I only left the Alexa on for a week while I was recovering from eye surgery, but it made those the top three most frequently queried domains for that whole month on my pi-hole charts.
Presumably it was some connectivity test, but all three of those domains were hosted at the same IP at the time. Which would defeat the point of using three domains, if the goal was to reduce the possibility of one outage causing a false negative on the test.
The web logs on example.com must be a treasure trove of interesting traffic, and also a security risk in some ways, depending on who has been testing with it.