SSL certificate error at captive login

Q: Why would my browser prompt for SSL certificate errors while trying to log in to the mbox captive portal?

A: The purpose of the mbox captive portal is to redirect unauthenticated users to a login page, where venue owners can display their branding/marketing information and require users to log in and/or accept certain terms of service before granting complete access.

Therefore, when a new/unauthenticated user starts browsing the web, mbox intercepts the browsing requests and redirects the user's browser to the venue owner's login page URL. (See the complete workflow here.)

If the initial browsing request is for an HTTP URL/website, this redirection happens without any abnormal effects, and once the user has logged in successfully (and/or simply accepted the terms of service), mbox redirects the user back to the originally browsed URL (or to the venue owner's new targeted marketing URLs).

However, if the initial browsing request is for an HTTPS URL, the browser will display a warning. By design, the browser expects a valid certificate from the website being browsed, and the mbox captive portal can't provide one during the redirection process. For example, if the user browses to https://www.facebook.com, the browser expects to see Facebook's certificate, but mbox directs the browser to another URL (the login page URL) without presenting the expected Facebook certificate, so the browser shows a certificate error warning (e.g. the example below). In this case, this is simply how it works, and it is safe to click on "proceed to xxx" to go on to the login page.

Many modern devices (smartphones and newer versions of Windows) automatically detect the existence of a captive portal on the upstream network connection by initiating an HTTP request, which triggers the login page automatically. For example, the iPhone works this way by default, and so do newer Android phones.

In some extreme cases, users will not be able to proceed further: for example, when they initiate an HTTPS browsing request to Google sites using the Chrome browser (e.g. https://www.google.com), or to sites enabled with HSTS (HTTP Strict Transport Security), which instructs the browser to allow access only if the connection is secure and all certificates match perfectly. The workaround is to type a valid HTTP URL in the browser address bar to trigger the login page.
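
The plain-HTTP check that devices use to detect a captive portal, which is also why the workaround above needs an HTTP rather than an HTTPS URL, sketched as an added example (not mbox code). The probe URL is the endpoint Android's connectivity check uses and is assumed reachable on an open network; `classify` and `probe` are hypothetical helper names.

```python
import http.client
from urllib.parse import urlsplit

# Plain-HTTP endpoint that answers "204 No Content" on an open network
# (assumption: reachable from the network being tested).
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"


def classify(status, location, body):
    """Interpret a probe reply as (state, login_url).

    state is 'open', 'captive' or 'unknown'.
    """
    if status == 204 and not body:
        return "open", None            # untouched reply from the probe host
    if status in (301, 302, 303, 307, 308) and location:
        return "captive", location     # gateway redirects to its login page
    if status == 200 and body:
        return "captive", None         # gateway answered with its own page
    return "unknown", None


def probe(url=PROBE_URL, timeout=5):
    """Send one HTTP GET without following redirects and classify the reply."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # An HTTPS probe would stop at a certificate error instead of
        # revealing the portal, which is the situation described above.
        raise ValueError("probe must use plain HTTP")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096)
        return classify(resp.status, resp.getheader("Location"), body)
    finally:
        conn.close()


if __name__ == "__main__":
    state, login_url = probe()
    print(state, login_url or "")
```

When the result is `captive` with a URL, that URL is the login page the gateway wants the browser to open.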