Show HN: Print a WiFi Login Card

I think something like that might be feasible in the future with things like web bundles[1] and content security policy[2]. In theory you could have a site loaded as a bundle and a CSP that blocks everything not loaded through the bundle, effectively cutting off all network access.

You'd probably also need some sort of Feature-Policy[3] that prohibits access to any form of persistent storage so sites can't just save data until the next non-CSP-protected page load and transmit it then.

[1]: https://wicg.github.io/webpackage/draft-yasskin-wpack-bundle...

[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[3]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Fe...

This a great idea but it would be difficult to implement. Sure, it would be easy to catch (and block) HTTP requests other than OPTIONS and GET.

But even a GET request can be used to send data. Just pack the data you want to send in the query string and voila.

I wonder if this could be a browser extension

That would me amazing

What if it didn't send anything to the server. Today. But stored it in local storage. And sends it next week when you come back.

You’re my new hero. Did you use graphing paper? Have you hashed by hand as well? http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and...

> hate printers with the same passion as me

A remedy exists, it costs around 100€, is sold by Brother and is called "wifi-enabled laser printer". Your life will be free off printing woes onwards.

I'm more curious about why you hate printers.

Thank you so much for the inspiration! I had a very relaxing time drawing my own as well, just now.

It is interesting how many ideas come to oneself when drawing and filling the grid. By the end I had all sorts of weird MC Escher style insanity.

I think the risk model for this sort of thing is still... complicated, even though the site as it stands is safe and does not transmit credentials.

After first gaining popularity, the domain could later pass to someone with malicious intent quite easily, eg:

1. Tech people like HN verify the site as credible and approve of it

2. The site gains popularity and goes viral / receives significant use

3. The original author abandons the site because of costs, or simple boredom

4. A malicious actor acquires the domain and begins recording users credentials alongside IP addresses.

Conceivably, an enormous amount could be captured before the malicious recording became exposed, and (importantly) most of those whose credentials were compromised would have no straightforward path by which they could be alerted.

Other scenarios: site is malicious to begin with but set up to not transmit credentials during its first ~28 days.

Mirrors of this site with credential capture added, (hard to claim that's a flaw of this site itself, just a flaw with "this type of site being normalized").

DevTools -> network -> Change the throttling to "offline"

Yep, I kind of wish browser permissions let you gate access to the network just like they do the camera, mic, location, etc. (Though, network permission would probably need to be enabled by default to not break the Web.)

Also another nitpick:

> View the source code

It would be really nice if the source code in the browser (no, not the Github repo; how do I know the web server served the same thing as the Github repo?) were displayed in a human-readable format with proper tabbing, comments if applicable, and not an obfuscated, minified form.

In fact if your goal isn't specifically obfuscation, it's not necessary to minify JS in general. Web servers do a good job gzipping stuff.

Perhaps https://github.com/ray-lothian/Block-Site/ could be adapted to your needs.

I do too. Even the web extension APIs don’t seem to comprehend this. It’s super disappointing and it’s holding back extension development and enabling a massive malware problem.

uMatrix kind of does this. Once you forbid everything, requests will get filtered out.

I'm not sure if this affects service workers though.

Airplane mode?

Same for apps.

And it's crazy you can't disable phone service on iPhone.

Also, if you worried about someone accessing your network then you probably need to isolate your devices from seeing each other.

TBH other than pwning my router or misusing my IP address in some way I don't see much problem having my devices on public net. All of them run firewall and are up to date. Most traffic is HTTPS and I'm not sure if you can MITM with just Wifi password lol.

My Pixel 4a can also generate a QR by opening a particular network in the settings app and pressing «share».

I'm pretty sure most phone can do that today. I know most Android can.

My Honor Nova5t running Android 10 also did this, when I clicked on connected wifi's name.

What? That’s awesome I had no idea that came built in! Pretty cool!

Samsung Galaxy Ultra 21 can do this too.

If you want some interactivity (bash):

    read -rp "SSID: " ssid
    read -rsp "Password: " pass
    echo -e "\n"
    qrencode -t utf8 "WIFI:T:WPA;S:$ssid;P:$pass;;"
    echo "SSID: $ssid"

    #!/usr/bin/env bash
    out="${1:-wifi-card.pdf}"
    read -rp "SSID: " ssid
    read -rsp "Password: " pass
    echo -e "\nGenerating PDF..."
    {
    cat << EOF
    <table>
    <tr>
    <td><img src="data:image/png;base64,$(qrencode -o - -t png "WIFI:T:WPA;S:$ssid;P:$pass;;" | base64)"></td>
    <td><span>SSID: $ssid</span><br><span>Password: $pass</span></td>
    </tr>
    </table>
    <p>
    <img width=16 height=16 src="https://raw.githubusercontent.com/iamcal/emoji-data/master/img-apple-64/1f4f8.png">
    <img width=16 height=16 src="https://raw.githubusercontent.com/iamcal/emoji-data/master/img-apple-64/1f4f1.png">
    Point your phone's camera at the QR Code to connect automatically.
    </p>
    EOF
    } | pandoc --pdf-engine=xelatex -f html -t pdf -o "$out"
    echo "$out"

Since OP intended to learn a bunch of technologies while developing this project I'd be amused to see a version of this based on qrencode complied to WASM.

I wouldn’t ask if it wasn’t the top comment, on the current #1 front page story, but

Can someone please explain this command, and why it is presumably given as a criticism of this submission?

A decade old SO adage comes o mind:

"This should be the accepted answer."

For WPA3

  WIFI:S:SSID;T:WPA3;P:PASSWORD;;

For users of NetworkManager:

  nmcli device wifi show-password

    Write-Host "?"

Did you type this in from memory?!

>zsh: command not found: qrencode

Can't you also screenshoot it on your phone?

Please don’t trim whitespace, I ended up on a network recently which had a space on the end of the SSID

Thanks for the tip, added in https://github.com/bndw/wifi-card/commit/1924298335692eebc79...

Cool! I was just thinking about this!

I’m such a huge fan of that functionality. It doesn’t always work perfectly (i.e. pick up someone nearby trying to join the network quickly), but when it does, it’s such an awesome example of tech making our lives better in such a simple but helpful way.

I wish there was a way to force sharing. It’s very hard to get it to trigger.

The QR code seems to have the same amount of friction as the share password. It's something a guest can do asynchronously without needed someone else to do something.

Also, I like the use of guest SSIDs. My guest SSID is just like my main SSID but with L2 filtering for all traffic not going to the gateway. Guests can use my fast internet, but just not interact with my LAN or other guests. I also don't enforce WPA3 only on my guest network for legacy support.

Answering as the author who also understands the fundamentals of all of the technologies involved and questions much of what goes on in the minds of today's web developers and designers--

I use Make as the standard way to interact with every repo I own. This allows me to type `make build` instead of `$some-language-specific-command-I-forget-in-2-weeks`.

I use Docker for distributing every app I build. If the app is a website I also use the nginx base image. Docker images make packaging and distribution a breeze IMO.

Regarding yarn, npx, react, and jest: I'm similarly disillusioned by the churn but I also like to remain knowledgeable as the industry evolves. React was something I hadn't touched before, so I decided to pick a simple project to give it whirl ;)

People love to constantly say "Want to learn to code? Make projects! projects! projects!" and then when someone makes a project as a means to learn a particular technology, now people turn up their nose and say "ew, why did you use this?"

Anyway, this project provides exactly what I needed. Thanks to OP for sharing! Slick and simple

A lot of developers only know the new, needlessly complicated ways of doing things. I have met professional software engineers who have never heard of shared web hosting, for example.

It's also surprisingly possible to learn enough about programming to get a job without understanding basic computing concepts. I've met professional software engineers, with multiple years of experience and promotions under their belt, who did not know the difference between hard drives and RAM in a server context. I've literally code-reviewed attempts to deploy a database server with 1 TB of RAM in order to store 1 TB of data.

If I had done this project it would probably use node.js + gulp + sass + pug + browserify + babel + bootstrap ... or maybe Webpack instead of gulp and browserify (depends on the project).

Why? Because I have a website template that solves many things for me, like:

- I see no reason not to use SASS or the latest ES even though I know how to. Or pug, for that matter... which I like. I also have a SASS template with some utilities and a particular code organization.

- Using an ES bundler allows you to throw in libraries from npm. I would not write the QR code myself, for instance.

- Automatically watches sources and recompiles.

- Adds hashes to asset filenames in order to cache-bust changes in CSS/JS/images (critical when using a CDN).

- Has placeholders for things I'll probably need, like the metadata for building previews in social networks.

- Is prepared for dealing with i18n, if the need arises.

- Future-proofing, since 80% of projects you think are small end up becoming larger. This is a single-page site, but if I wanted to publish this in Europe it'd already need two extra pages for the Privacy Policy + Impressum... so the single page site suddenly needs to worry about navigation.

- It's prepared for quickly deploying to AWS or Github Pages. It could be quickly tweaked for working on Cloudflare Pages or other hosting/CI environments that do the compilation for you.

And most importantly...

... my stack does not negatively affect the end result. All the extra baggage is just part of the development environment. If you want to skip my tools, they're quite easy to bypass and replace for any other transpiler... or you can just ignore my sources, reindent my compiled files and work on them directly.

PS: Back in the 90s I drew complex table layouts on graph paper, typed them down with vi, and ftped them to the hosting. I'm well aware of the alternatives. My current workflow + templates + helpers are based on the need to efficiently juggle A LOT of completely different projects every year as a freelance developer.

I often choose simple, useful projects for learning new technology… i can’t learn something new if I am not using it for something useful, but I also don’t want to try to learn something new WHILE also solving a challenging problem… so something simple like this is a great sweet spot to learn new tech.

Developer experience? Learning project? For fun?

If the maintainer is comfortable using that technology, let it be. No need to rain fire on it.

This app seems its using create react app, so agreed the app might come with a few extra things that you might not need. However, there are a few reasons I might choose CRA over static HTMl. Don’t get me wrong, HTML is great, but the developer experience can be primative.

Here is why I like using CRA for some projects:

1. Live reload. This comes for free with CRA. Makes dev work easy.

2. As easy as installing a component and getting started. And they logically fit in the code flow. Native import libraries, you have to write the JavaScript and point em to your divs and dom and initialize em.

3. Let’s say in the future, I want to reuse the code logic in a different app, I can just take the js and element as one unified component and move it across.

Tbh, for an app like this, after doing a production build (npm run build), I don’t think it’d make a radical difference in performance with raw html or react. Might just be dev preference, and ease of use.

Docker with nginx because that’s your delivery pipeline. It’s much more common to have a place to run an OCI container than a directory to upload static HTML. CDNs operate on this model but there aren’t many turnkey “on-prem” solutions. The tooling to run a container and get it hooked into your web tier with routes is actually the easier path these days.

Edit: More

The reason for this model is that it makes everything the same and your caching tier is the great equalizer. Everything is a backend for your caching SSL terminating reverse proxy. And your static site will live in the cache for ages so once your cache is warm there’s no real performance hit.

I can't speak for the poster, but sometimes the fun is in using tools you know.

I don't know VanillaJS that well, so I took a stab at the same concept:

https://q726kbxun.github.io/qrcodes/

Not nearly as pretty, since I know even less about making pages pretty, but still, a fun little stab at making such a site.

The same reason I take a massive V8 engine attached to a massive truck bed one mile over to my friend’s place to watch England lose at the Euros. Turns out that sometimes, even when tool X isn’t the best at the job, it’s way better for me to use what’s at hand.

This is what a lot of people have trouble understanding: sometimes the best tool for the job is the tool you’re best in.

Evidence? No one has made this static website you’re talking about. It doesn’t exist. This one does. The imperfect app that exists beats the perfect app that is vapor.

It’s the Rube Goldberg style of software development? Didn’t you hear? It’s super popular with the kids!

Made a simple page here https://news.ycombinator.com/item?id=27805746 to see how this would look

Probably to learn those various technologies. Not only did they use a bunch of new tech, they made something other people can use in the process. Better than making a bunch of throwaway code.

To be slightly snarky, because the author wants to record your WiFi and Password.

That it was a learning project, ok. I guess.

What motivates you to use a feature rich browser on an OS with graphical user interface running on on-premise hardware including your own internet line and all those peripherals if you could just use CLI from a good old VT100 hooked up to your nearest mainframe to HTTP POST a comment on HN?

Yeah, probably because nowadays you just do it like that.

Do you mean they use the NFC tag or manually enter the username / password, or just that no one uses any of it?

I have a QR code for guests and Wi-Fi too. Unfortunately it doesn't seem to work as expected on iphones but works fine on Android. Wouldn't think a QR code was platform specific.

My first though was "Why would I ever enter my wifi credentials into a web form?", but perhaps there are people who would...

No better than obfuscated JavaScript to give trust to the average HN reader.

This app also does this locally in the browser.

RIP password managers.

I like to use make as it's available everywhere. I use Makefiles with podman to create images, containers, pods, start, stop them and display logs. With the alias 'm' for make I can execute complex actions with very few keystrokes. Also variables in Makefiles make it easy to updates labels, volumes, etc. But I would not use make for very complex projects.

You might enjoy The Language Agnostic, All-Purpose, Incredible, Makefile https://blog.mindlessness.life/2019/11/17/the-language-agnos...

Make is tremendously useful for running jobs with (static) dependencies. I used to run make for managing Docker instances until docker-compose became a thing.

Thank you for the kind words!

It’s definitely built into iOS, just point the camera app at it and it’ll tell you what the domain behind the qr is, then just touch to follow the link.

Something like wifi will have a custom prompt that says “Connect to WiFi network MyNetwork.”

The default Android camera app will read them for you (and display the URL before you tap to open it in a browser) by either pointing the default camera at a QR code or manually scanning it with the "Lens" camera mode.

The Android wifi menu (where you select from nearby networks to join) also has a QR icon that lets you scan to immediately join a network (next to "Add network"). I'd imagine you'd also join if you scanned it from the camera app, too.

Most phone cameras nowadays have a built in qr-code reader.

The source code is here, so run it yourself.

https://github.com/bndw/wifi-card

Running it on Firefox with web inspector opened, I saw no network traffic at all after the page loaded, so it wasn't sending the network name or password anywhere off my device.

Are there any tools to run an untrusted client side web application isolated from the internet?

The QR code it generates can be scanned by a phone to connect to a WiFi network without typing anything

The native photo app supports QR codes on my Google Pixel phone.

Once it sees a QR code then it shows some text that you can touch to open the link.

Seems to be using the same format as https://qifi.org/, which lists supported devices, but of course due to the lack of native QR on most Android devices it's per-app rather than per-phone.

If I remember correctly from playing with this stuff a few years ago, there’s a simple text format for WiFi SSIDs and passwords that’s recognized by both iOS and Android, among others.

It works on my stock android photo app.

It is open source, you can simply CTRL+F and replace those if your case requires. Or you can create a dropdown somewhere with those variables to replace the placeholder texts etc.

  a QR generator which will magically connect me to the WiFi with my password embedded in the QR somehow.

This is for public encrypted guest WiFi networks, to make guests lives more comfortable... you can scan this with your phone to automatically connect without needing to type the password which can come handy if the password is at least somewhat secure.

Usually it's printed in the same places where you would actually print your plaintext Wi-Fi password, if you're already doing that, for example in restaurants (e.g. QR code inside a menu card that's only given to actual customers), offices (QR code inside meeting room for actual guests), airbnbs (QR code on a fridge inside your house), hotels (QR code inside the room with a router))

I’m guessing the whole point behind the “standard” is to allow quick and easy access to protected networks. It’s an alternative / compliment to verbally telling someone the passphrase, or having it printed in clear text on a paper.

Think of hotels / offices with guest networks. I use it for my wifi, my home network is not secretive enough to not let friends / family join it when at my place.

Wifi passwords aren’t supposed to be secure. Really they’re only to keep people off the network that you want to keep, well, off the network. The current method of connecting someone to wifi is usually just telling them the password. If the guest has a computer on the network (or a mac signed into the same apple ID as an apple device on the network), it’s trivial to figure out a network password that was entered for you.

If you’re wanting a _really_ secure network, WPA2 isn’t the way to go. You’d want to credential every user using 802.1X or WPA2 Enterprise.

It depends on the qr-code scanner you have on your phone. The one on my android shows a button 'connect to this network'.

In regards to security, you are completely correct. But this is to be used in cases where one would put a paper with the password on the wall, think of coffee shops. Saves some typing. Or you can put a card on your coffee table to help out your house guests.

Because it is now trivially to let other people connect to your wifi.

Suppose you have a long password for your WiFi and want an easier way for friends to connect to your network without having to type a complex password.

Is your threat model really so severe that it includes someone driving to your house and connecting to your wifi network? Of all passwords, a wifi password is one you should _never_ reuse.

You could also inspect the source, it’s open source, or network requests.

opening in incognito tab with internet disconnected to make sure it works offline and that nothing gets sent after you close the incognito tab should be safe & secure but yeah you can also google the proper qr code format and make it yourself using qrencode in terminal or something like that...

but for semi-public WiFis like the ones in restaurants, hotels, ... it's a survivable risk

I don't, that's why having access to the source code is cool.

Depending on how remote your farm is and how strong is the WiFi signal outside your premises (from a nearby public road, ..).

Average case you are in the middle of bumfuck nowhere with a huge private property surrounding your WiFi and nothing's gonna happen.

Worse case some script kiddie attacks your vulnerable router (if using default password) or a smart gadget (if you have some and it's a couple of years old) to join a botnet and get your IP address on a blacklist limiting your internet usability (blacklisted IPs may not be able to send e-mails, may get captchas on major websites like Google, ...)

Worst case someone driving around noticing you have an open WiFi may drop a battery/solar powered raspberry pi with a 4G modem nearby your WiFi and use your WiFi as an untraceable VPN/proxy to perform some illegal stuff (e.g. upload child pornography or perform some serious hacking) and getting you in trouble with the law.

That's a bit more elaborate, but with WPA enterprise, a radius server and a web-ui this should be pretty doable