<div dir="auto"><div><div class="gmail_extra"><div class="gmail_quote">On Mar 20, 2017 3:36 PM, "Vara La Fey" <<a href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>OMG!!</p>
<p>First of all, you'd be mis-educating them if telling them that
certificate "validity" has any real meaning. (But now you're
talking about http.)<br></p></div></blockquote></div></div></div><div dir="auto">I mean validity as in trusted roots that have been shipped with your OS or browser. Surely you don't mean these are meaningless. AFAIK they are very reliable as long as you never accept bogus certs. If you accept bogus certs "all the time", I really hope you know what you're doing. Pretty much any important site should have working SSL.</div><div dir="auto"><br></div><div dir="auto">There is a reason why all the browsers freak out when you get a bad cert, but users still click "add exception". My captive education portal would give real consequence to this with the 3-minute PowerPoint slideshow and mandatory quiz. I wonder if this is already patented. . .</div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><p>
</p>
<p>Second, why do you think you have any right to put speed bumps in
the way of people who are doing nothing to you? <br></p></div></blockquote></div></div></div><div dir="auto">Plenty of businesses do this already for captive portals and forcing users to log in, pay, or accept an EULA. They are already tampering with your SSL connection in order to redirect you to the portal. I'm just suggesting to use this technology for "educational" purposes.</div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><p>
</p>
<p>Third, if your grandmother needs internet "safety" education,
just educate her, or refuse to keep fixing the problems she
encounters in her ignorance - if she really is all that ignorant.
I hope you wouldn't install a browser re-direct without her
consent, because then you'd be just any other malware propagator
with just any other self-righteous rationalization.<br></p></div></blockquote></div></div></div><div dir="auto">Well, I'm lazy. I'd much rather have an ongoing passive education program for anyone that uses that router. Maybe only 1 in 1000 requests trigger the "test", or once a month per MAC address maybe. If grandma fails the test I can get an email so I can call her up and gently chastise her. "Grandmaaaa, did you accept a bogus SSL certificate again? Hmmm?"</div><div dir="auto"><br></div><div dir="auto">As far as consent goes, I'm only talking about routers you own or have permission to modify. That should go without saying.</div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><p>
</p>
<p>Fourth, if <i>you </i>need educational "speed bumps" on <i>your
</i>router, <i>you </i>are free to have them. One of the great
things about freedom - from government or from meddling busybodies
- is that <i>you </i>get to be free too.</p></div></blockquote></div></div></div><div dir="auto">My post is in the context of businesses or individuals that provide Internet to the public. Presumably businesses and individuals have the freedom to do this kind of SSL interception, since they've already been doing it for years without any repercussions. Personally I'm disturbed that businesses will try to get me to accept their SSL cert for their Wi-Fi portal, but I know the technology leaves little choice. One trick is to ignore the cert and try again with a non-SSL address.</div><div dir="auto"><br></div><div dir="auto"><span style="font-family:sans-serif">It is pretty ironic that the first thing these captive portals ask users to do is blindly accept a bogus SSL cert. It is really just a sad state of affairs that we are literally training people to accept bad SSL certificates.</span><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<p>For years my Firefox has had an option to "always use HTTPS", and
I'm sure all other modern browsers do as well. Plus, Mozilla.org
has a free plugin - I think it's from EFF.org - called "HTTPS
Everywhere". It's all very easy to use, and will be almost
entirely transparent to Grandma.<br></p></div></blockquote></div></div></div><div dir="auto">This won't do anything to protect you/grandma from bogus SSL certs. Imagine connecting to a bad AP at Starbucks that is proxying all your SSL connections. Your only defense is trusted roots and knowing not to accept bogus SSL certs. If only we had a captive router-based SSL education program... ;)</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><p>
</p><div class="elided-text">
<br>
<div class="m_3664614906642159284moz-cite-prefix">On 3/20/2017 3:14 PM, Brien Dieterle
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A system like I described would just be an
"educational tool" to encourage people to use HTTPS (properly).
It wouldn't stop you from accepting bogus certificates-- just a
speed bump. Now that I've thought about it I'd really like to
install something like this on my grandparents' router. . .
heck, my own router. . .<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 20, 2017 at 2:50 PM,
Vara La Fey <span dir="ltr"><<a href="mailto:varalafey@gmail.com" target="_blank">varalafey@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Oh HELL no!! What kind of hall-monitor nanny
mentality do you want people to adopt??</p>
<p>I accept "bogus" certificates all the time because
the whole idea of certificates is crap in the first
place - they are NOT maintained - and years ago I
got tired of that procedure warning me about
"invalid" certificates for sites that were perfectly
valid.</p>
<p>I've never had a problem. Of course I'm also
careful where I go, certificate or not.</p>
<span class="m_3664614906642159284HOEnZb"><font color="#888888">
<p>- Vara<br>
</p>
</font></span>
<div>
<div class="m_3664614906642159284h5"> <br>
<div class="m_3664614906642159284m_6778587083276554415moz-cite-prefix">On
3/20/2017 2:12 PM, Brien Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Maybe every commercial router
should do SSL interception by default. If a
user accepts a bogus certificate they are
taken to a page that thoroughly scolds them
and informs them about the huge mistake they
made, forces them to read a few slides and
take a quiz on network safety before allowing
them on the Internet. Maybe do the same for
non-ssl HTTP traffic, etc.. . <br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 20, 2017
at 1:55 PM, Matt Graham <span dir="ltr"><<a href="mailto:mhgraham@crow202.org" target="_blank">mhgraham@crow202.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Mon, Mar
20, 2017 at 12:29 PM, Victor Odhner
<<a href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I’m really
annoyed that so many companies offer
open WIFI when it would be<br>
so easy to secure those hot spots.
Restaurants, hotels, and the waiting<br>
rooms of auto dealerships are almost
100% open.<br>
</blockquote>
</blockquote>
</span> [snip]<span><br>
On 2017-03-20 13:20, Stephen Partington
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> This is
usually done as a means to be easy for
their customers.<br>
</blockquote>
<br>
</span> Pretty much this. Convenience is
more valuable than security in most
people's minds.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> they’d be
happy to do the right thing if we
could explain it to the right
people.<br>
</blockquote>
</blockquote>
<br>
</span> I'm not sure this would happen.
Setting up passwords and then distributing
those passwords has a non-zero cost and
offers zero visible benefits for most of
the people who are using the wireless
networks.[0] And as another poster said,
what about football/baseball stadiums?
Distributing passwords to tens of
thousands of people is sort of difficult.
"Just watching the game" is not an option;
people want to FaceTweet pictures of
themselves at the game.<br>
<br>
OTOH, the last time I looked at the access
points visible from my living room, almost
all of them had some sort of access
control enabled. Maybe there's a social
convention forming that "my access point"
~= "my back yard" and "open access point"
~= "a public park"?<br>
<br>
[0] Having a more educated user population
would make the benefits more visible, but
it's very difficult to make people care
about these things.<span class="m_3664614906642159284m_6778587083276554415HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Crow202 Blog: <a href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no Darkness in Eternity<br>
But only Light too dim for us to see.</font></span>
<div class="m_3664614906642159284m_6778587083276554415HOEnZb">
<div class="m_3664614906642159284m_6778587083276554415h5"><br>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to
change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div></div>
</blockquote></div><br></div></div></div>
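The point made above, that certificate "validity" means chaining to the roots shipped with the OS or browser, and what clicking "add exception" does to that check, as an added example that is not code from anyone in this thread. It uses Go's standard crypto/x509 library; the CA name, the hostname bank.example and the in-memory root pool are constructed stand-ins for real shipped roots.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// MakeCert issues a cert for name; parent == nil makes it self-signed, the kind an interception proxy presents.
func MakeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name}, // constructed names, not real sites
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{name},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ChainsToRoots is the browser's "validity" check: leaf must chain to a trusted root and name host.
func ChainsToRoots(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Scenario: a real site cert, then a self-signed cert for the same host, before and after "add exception".
func Scenario() (realOK, bogusOK, afterExceptionOK bool) {
	root, rootKey := MakeCert("Example Root CA", true, nil, nil)
	site, _ := MakeCert("bank.example", false, root, rootKey)
	bogus, _ := MakeCert("bank.example", false, nil, nil)
	trusted := x509.NewCertPool() // stands in for the roots shipped with the OS or browser
	trusted.AddCert(root)
	realOK = ChainsToRoots(site, trusted, "bank.example")
	bogusOK = ChainsToRoots(bogus, trusted, "bank.example")
	trusted.AddCert(bogus) // clicking "add exception" amounts to trusting this one cert
	return realOK, bogusOK, ChainsToRoots(bogus, trusted, "bank.example")
}
func main() { fmt.Println(Scenario()) } // true false true
```

HTTPS Everywhere or "always use HTTPS" only changes which URL is requested; the decision that matters is the one ChainsToRoots makes, and adding an exception switches it from false to true for that cert.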