OT: Need a Campaign to Secure WIFI Sites
Vara La Fey
varalafey at gmail.com
Thu Mar 23 16:12:12 MST 2017
Even if spyware isn't the intent, it's still the result. And when
someone keeps pushing for a bad result, they eventually give you little
choice but to suspect bad intent. I don't /want /to suspect that. But
neither he nor Brien really address my concerns about intrusiveness and
abuse. They just keep asserting "safety" benefits of semi-forcing their
chosen content onto other people. And it's none of their business, and
it's just wrong.
If someone wanted to set up a true educational system, instead of
spyware and intrusive propaganda, that would be a worthwhile campaign.
On 3/23/2017 3:36 PM, Bob Elzer wrote:
>
> I don't think Victor was trying to create spyware, he was just trying
> to come up with a way to stop identity theft.
>
> But unfortunately that is a task not easily solved, too many
> restrictions and people wont use it, and if it takes away privacy they
> won't use it . If its complicated, guess what, they won't use it.
>
> While most users know about the dangers of the internet, there are far
> too many that don't know what to do about it.
>
> People still get sunburn because they don't use sunscreen, and that
> isn't complicated.
>
> Education is the answer, but some still won't understand and others
> will still say its too complicated. Its a catch 22.
>
>
> On Mar 23, 2017 2:51 PM, "Vara La Fey" <varalafey at gmail.com
> <mailto:varalafey at gmail.com>> wrote:
>
> First you were talking about open hotspots. Then you were talking
> about https. Now you are talking about ssl.
>
> But all the while you're still just talking about monitoring and
> restricting the activity of 3rd parties on 4th party systems. And
> it seems really important to you for some reason.
>
> Please, waste time and effort and money patenting your /spyware
> /chaperone system that monitors web activity with the intent of
> /creating consequences /for activity which you - or your intended
> customer - opines is "invalid". I doubt very many people will buy
> into it because there is no upside for them. Even when they alter
> it to fit their own agenda, they just anger their customers who
> can click OK for EULAs and enter logins, but cannot bypass your 3
> Minute Hate.
>
> If it can detect an "invalid" certificate, then by changing a
> couple code lines (if even), it can detect anything else about an
> attempted site visit. Of course this ability is ancient now, but
> less evil implementations of it merely censor by blocking, which
> is bad enough. Yours is "educational" - and it's interesting that
> /you /put the quotes around that word yourself - for the purpose
> of taking up other people's time with propaganda.
>
> If it became common, it would become a mandatory advertising
> medium anytime anyone clicked on a competitor's site, or a site
> with bad reviews for your customer. If it became law, it would
> become a mandatory propaganda delivery system anytime anyone
> clicked on a site containing any kind of dissenting viewpoint.
>
> Are you hoping to create one of those conditions? If so, which?
>
> Because this sure looks like more than just wanting to manipulate
> lesser people into a system designed to reinforce your wishful
> feelings of superiority. There has to be a more compelling reason
> that you're this overly concerned about what 3rd parties do on 4th
> party systems.
>
> Which, btw, brings up the fact that your system is not equivalent
> to EULAs or logins or pay systems, because the connection provider
> has the right to set conditions for using their connection. Your
> spyware idea is to harass people who are using /other people's/
> connections.
>
> I'm not an expert on web connection technology per se, but it
> seems that Tor would nicely wire around all SSL issues after the
> initial connection to the now-restricted hotspot. You certainly
> make a great case for using it, even if just on general principle.
> So what would you do about that?
>
> I don't think your grandmother wants you monitoring her activity.
> I don't think /anyone /wants you monitoring their activity. But
> you seem to want to do it anyway. And no one but me is saying boo
> to you. :-(
>
> As to the trivia: I personally have never had trouble from
> visiting a site with an "invalid certificate" of any kind, because
> that stuff simply isn't 100% maintained. Obviously I am careful
> where I go and what I click and download anyway. I do not so
> easily ignore "known malware site" warnings, and if in doubt about
> a site I reflexively check the web address. MyBank.Phishing.com
> <http://MyBank.Phishing.com> and Phishing.com/MyBank do not get
> clicks from me. But that's all beside the point.
>
>
> On 3/20/2017 9:57 PM, Brien Dieterle wrote:
>> On Mar 20, 2017 3:36 PM, "Vara La Fey" <varalafey at gmail.com
>> <mailto:varalafey at gmail.com>> wrote:
>>
>> OMG!!
>>
>> First of all, you'd be mis-educating them if telling them
>> that certificate "validity" has any real meaning. (But now
>> you're talking about http.)
>>
>> I mean validity as in trusted roots that have been shipped with
>> your OS or browser. Surely you don't mean these are meaningless.
>> AFAIK they are very reliable as long as you never accept bogus
>> certs. If you accept bogus certs "all the time", I really hope
>> you know what you're doing. Pretty much any important site should
>> have working SSL.
>>
>> There is a reason why all the browsers freak out when you get a
>> bad cert, but users still click "add exception". My captive
>> education portal would give real consequence to this with the 3
>> minute power point slideshow and mandatory quiz. I wonder if
>> this is already patented. . .
>>
>> Second, why do you think you have any right to put speed
>> bumps in the way of people who are doing nothing to you?
>>
>> Plenty of businesses do this already for captive portals and
>> forcing users to log in, pay, or accept an EULA. They are
>> already tampering with your SSL connection in order to redirect
>> you to the portal. I'm just suggesting to use this technology for
>> "educational" purposes.
>>
>> Third, if your grandmother needs internet "safety" education,
>> just educate her, or refuse to keep fixing the problems she
>> encounters in her ignorance - if she really is all that
>> ignorant. I hope you wouldn't install a browser re-direct
>> without her consent, because then you'd be just any other
>> malware propagator with just any other self-righteous
>> rationalization.
>>
>> Well, I'm lazy. I'd much rather have an ongoing passive
>> education program for anyone that uses that router. Maybe only 1
>> in 1000 requests trigger the "test", or once a month per mac
>> address maybe. If grandma fails the test I can get an email so I
>> can call her up and gently chastise her. "Grandmaaaa, did you
>> accept a bogus SSL certificate again? Hmmm?"
>>
>> As far as consent goes, I'm only talking about routers you own or
>> have permission to modify. That should go without saying.
>>
>> Fourth, if /you /need educational "speed bumps" on /your
>> /router, /you /are free to have them. One of the great things
>> about freedom - from government or from meddling busybodies -
>> is that /you /get to be free too.
>>
>> My post is in the context of businesses or individuals that
>> provide Internet to the public. Presumably businesses and
>> individuals have the freedom to do this kind of SSL interception,
>> since they've already been doing it for years without any
>> repercussions. Personally I'm disturbed that businesses will try
>> to get me to accept their SSL cert for their Wi-Fi portal, but I
>> know the technology leaves little choice. One trick is to ignore
>> the cert and try again with a non SSL address.
>>
>> It is pretty ironic that the first thing these captive portals
>> ask users to do is blindly accept a bogus SSL cert. It is really
>> just a sad state of affairs that we are literally training people
>> to accept bad SSL certificates.
>>
>> For years my Firefox has had an option to "always use HTTPS",
>> and I'm sure all other modern browsers do as well. Plus,
>> Mozilla.org has a free plugin - I think it's from EFF.org -
>> called "HTTPS Everywhere". It's all very easy to use, and
>> will be almost entirely transparent to Grandma.
>>
>> This won't do anything to protect you/grandma from bogus ssl
>> certs. Imagine connecting to a bad AP at Starbucks that is
>> proxying all your SSL connections. Your only defense is trusted
>> roots and knowing not to accept bogus SSL certs. If only we had
>> a captive router-based SSL education program... ;)
>>
>>
>>
>> On 3/20/2017 3:14 PM, Brien Dieterle wrote:
>>> A system like I described would just be an "educational
>>> tool" to encourage people to use HTTPS (properly). It
>>> wouldn't stop you from accepting bogus certificates-- just a
>>> speed bump. Now that I've thought about it I'd really like
>>> to install something like this on my grandparent's router. .
>>> . heck, my own router. . .
>>>
>>> On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey
>>> <varalafey at gmail.com <mailto:varalafey at gmail.com>> wrote:
>>>
>>> Oh HELL no!! What kind of hall-monitor nanny mentality
>>> do you want people to adopt??
>>>
>>> I accept "bogus" certificates all the time because the
>>> whole idea of certificates is crap in the first place -
>>> they are NOT maintained - and years ago I got tired of
>>> that procedure warning me about "invalid" certificates
>>> for sites that were perfectly valid.
>>>
>>> I've never had a problem. Of course I'm also careful
>>> where I go, certificate or not.
>>>
>>> - Vara
>>>
>>>
>>> On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>>>> Maybe every commercial router should do SSL
>>>> interception by default. If a user accepts a bogus
>>>> certificate they are taken to a page that thoroughly
>>>> scolds them and informs them about the huge mistake
>>>> they made, forces them to read a few slides and take a
>>>> quiz on network safety before allowing them on the
>>>> Internet. Maybe do the same for non-ssl HTTP traffic,
>>>> etc.. .
>>>>
>>>> On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham
>>>> <mhgraham at crow202.org <mailto:mhgraham at crow202.org>> wrote:
>>>>
>>>> On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner
>>>> <vodhner at cox.net <mailto:vodhner at cox.net>> wrote:
>>>>
>>>> I’m really annoyed that so many companies
>>>> offer open WIFI when it would be
>>>> so easy to secure those hot spots.
>>>> Restaurants, hotels, and the waiting
>>>> rooms of auto dealerships are almost 100% open.
>>>>
>>>> [snip]
>>>> On 2017-03-20 13:20, Stephen Partington wrote:
>>>>
>>>> This is usually done as a means to be easy for
>>>> their customers.
>>>>
>>>>
>>>> Pretty much this. Convenience is more valuable than
>>>> security in most people's minds.
>>>>
>>>> they’d be happy to do the right thing if we
>>>> could explain it to the right people.
>>>>
>>>>
>>>> I'm not sure this would happen. Setting up
>>>> passwords and then distributing those passwords has
>>>> a non-zero cost and offers zero visible benefits
>>>> for most of the people who are using the wireless
>>>> networks.[0] And as another poster said, what about
>>>> football/baseball stadiums? Distributing passwords
>>>> to tens of thousands of people is sort of
>>>> difficult. "Just watching the game" is not an
>>>> option; people want to FaceTweet pictures of
>>>> themselves at the game.
>>>>
>>>> OTOH, the last time I looked at the access points
>>>> visible from my living room, almost all of them had
>>>> some sort of access control enabled. Maybe there's
>>>> a social convention forming that "my access point"
>>>> ~= "my back yard" and "open access point" ~= "a
>>>> public park"?
>>>>
>>>> [0] Having a more educated user population would
>>>> make the benefits more visible, but it's very
>>>> difficult to make people care about these things.
>>>>
>>>> --
>>>> Crow202 Blog: http://crow202.org/wordpress
>>>> There is no Darkness in Eternity
>>>> But only Light too dim for us to see.
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list -
>>>> PLUG-discuss at lists.phxlinux.org
>>>> <mailto:PLUG-discuss at lists.phxlinux.org>
>>>> To subscribe, unsubscribe, or to change your mail
>>>> settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>>>>
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list -PLUG-discuss at lists.phxlinux.org
>>>> <mailto:PLUG-discuss at lists.phxlinux.org>
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> PLUG-discuss at lists.phxlinux.org
>>> <mailto:PLUG-discuss at lists.phxlinux.org> To subscribe,
>>> unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -PLUG-discuss at lists.phxlinux.org
>>> <mailto:PLUG-discuss at lists.phxlinux.org>
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> <mailto:PLUG-discuss at lists.phxlinux.org> To subscribe,
>> unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -PLUG-discuss at lists.phxlinux.org
>> <mailto:PLUG-discuss at lists.phxlinux.org>
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
> --------------------------------------------------- PLUG-discuss
> mailing list - PLUG-discuss at lists.phxlinux.org
> <mailto:PLUG-discuss at lists.phxlinux.org> To subscribe,
> unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20170323/9b49d526/attachment.html>
More information about the PLUG-discuss
mailing list