<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
First you were talking about open hotspots. Then you were talking
about HTTPS. Now you are talking about SSL.<br>
<br>
But all the while you're still just talking about monitoring and
restricting the activity of 3rd parties on 4th party systems. And it
seems really important to you for some reason.<br>
<br>
Please, waste time and effort and money patenting your <i>spyware </i>chaperone
system that monitors web activity with the intent of <i>creating
consequences </i>for activity which you - or your intended
customer - opines is "invalid". I doubt very many people will buy
into it because there is no upside for them. Even when they alter it
to fit their own agenda, they just anger their customers who can
click OK for EULAs and enter logins, but cannot bypass your 3 Minute
Hate.<br>
<br>
If it can detect an "invalid" certificate, then by changing a couple
code lines (if even), it can detect anything else about an attempted
site visit. Of course this ability is ancient now, but less evil
implementations of it merely censor by blocking, which is bad
enough. Yours is "educational" - and it's interesting that <i>you </i>put
the quotes around that word yourself - for the purpose of taking up
other people's time with propaganda.
<p>If it became common, it would become a mandatory advertising
medium anytime anyone clicked on a competitor's site, or a site
with bad reviews for your customer. If it became law, it would
become a mandatory propaganda delivery system anytime anyone
clicked on a site containing any kind of dissenting viewpoint.</p>
<p>Are you hoping to create one of those conditions? If so, which?<br>
</p>
<p>Because this sure looks like more than just wanting to manipulate
lesser people into a system designed to reinforce your wishful
feelings of superiority. There has to be a more compelling reason
that you're this overly concerned about what 3rd parties do on 4th
party systems.<br>
</p>
<p>Which, btw, brings up the fact that your system is not equivalent
to EULAs or logins or pay systems, because the connection provider
has the right to set conditions for using their connection. Your
spyware idea is to harass people who are using <i>other people's</i>
connections.</p>
<p>I'm not an expert on web connection technology per se, but it
seems that Tor would nicely wire around all SSL issues after the
initial connection to the now-restricted hotspot. You certainly
make a great case for using it, even if just on general principle.
So what would you do about that?</p>
<p>I don't think your grandmother wants you monitoring her activity.
I don't think <i>anyone </i>wants you monitoring their activity.
But you seem to want to do it anyway. And no one but me is saying
boo to you. :-(</p>
<p>As to the trivia: I personally have never had trouble from
visiting a site with an "invalid certificate" of any kind, because
that stuff simply isn't 100% maintained. Obviously I am careful
where I go and what I click and download anyway. I do not so
easily ignore "known malware site" warnings, and if in doubt about
a site I reflexively check the web address. MyBank.Phishing.com
and Phishing.com/MyBank do not get clicks from me. But that's all
beside the point.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 3/20/2017 9:57 PM, Brien Dieterle
wrote:<br>
</div>
<blockquote
cite="mid:CAA_Swr=tOvKCDNfi=Cit9ccggBX=joHuFZShLFn=hm7ik+X67Q@mail.gmail.com"
type="cite">
<div dir="auto">
<div>
<div class="gmail_extra">
<div class="gmail_quote">On Mar 20, 2017 3:36 PM, "Vara La
Fey" &lt;<a moz-do-not-send="true"
href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>OMG!!</p>
<p>First of all, you'd be mis-educating them if
telling them that certificate "validity" has any
real meaning. (But now you're talking about http.)<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">I mean validity as in trusted roots that have
been shipped with your OS or browser. Surely you don't mean
these are meaningless. AFAIK they are very reliable as long as
you never accept bogus certs. If you accept bogus certs "all
the time", I really hope you know what you're doing. Pretty
much any important site should have working SSL.</div>
<div dir="auto"><br>
</div>
<div dir="auto">There is a reason why all the browsers freak out
when you get a bad cert, but users still click "add
exception". My captive education portal would give real
consequence to this with the 3 minute power point slideshow
and mandatory quiz. I wonder if this is already patented. . .</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Second, why do you think you have any right to put
speed bumps in the way of people who are doing
nothing to you? <br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Plenty of businesses do this already for captive
portals and forcing users to log in, pay, or accept an EULA.
They are already tampering with your SSL connection in order
to redirect you to the portal. I'm just suggesting to use this
technology for "educational" purposes.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Third, if your grandmother needs internet "safety"
education, just educate her, or refuse to keep
fixing the problems she encounters in her ignorance
- if she really is all that ignorant. I hope you
wouldn't install a browser re-direct without her
consent, because then you'd be just any other
malware propagator with just any other
self-righteous rationalization.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Well, I'm lazy. I'd much rather have an ongoing
passive education program for anyone that uses that router.
Maybe only 1 in 1000 requests trigger the "test", or once a
month per MAC address maybe. If grandma fails the test I can
get an email so I can call her up and gently chastise her.
"Grandmaaaa, did you accept a bogus SSL certificate again?
Hmmm?"</div>
<div dir="auto"><br>
</div>
<div dir="auto">As far as consent goes, I'm only talking about
routers you own or have permission to modify. That should go
without saying.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Fourth, if <i>you </i>need educational "speed
bumps" on <i>your </i>router, <i>you </i>are
free to have them. One of the great things about
freedom - from government or from meddling
busybodies - is that <i>you </i>get to be free
too.</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">My post is in the context of businesses or
individuals that provide Internet to the public. Presumably
businesses and individuals have the freedom to do this kind of
SSL interception, since they've already been doing it for
years without any repercussions. Personally I'm disturbed
that businesses will try to get me to accept their SSL cert
for their Wi-Fi portal, but I know the technology leaves
little choice. One trick is to ignore the cert and try again
with a non-SSL address.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span style="font-family:sans-serif">It is
pretty ironic that the first thing these captive portals ask
users to do is blindly accept a bogus SSL cert. It is
really just a sad state of affairs that we are literally
training people to accept bad SSL certificates.</span><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>For years my Firefox has had an option to "always
use HTTPS", and I'm sure all other modern browsers
do as well. Plus, Mozilla.org has a free plugin - I
think it's from EFF.org - called "HTTPS Everywhere".
It's all very easy to use, and will be almost
entirely transparent to Grandma.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">This won't do anything to protect you/grandma
from bogus SSL certs. Imagine connecting to a bad AP at
Starbucks that is proxying all your SSL connections. Your
only defense is trusted roots and knowing not to accept bogus
SSL certs. If only we had a captive router-based SSL
education program... ;)</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<div class="elided-text"> <br>
<div class="m_3664614906642159284moz-cite-prefix">On
3/20/2017 3:14 PM, Brien Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A system like I described would
just be an "educational tool" to encourage
people to use HTTPS (properly). It wouldn't
stop you from accepting bogus certificates--
just a speed bump. Now that I've thought about
it I'd really like to install something like
this on my grandparent's router. . . heck, my
own router. . .<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 20,
2017 at 2:50 PM, Vara La Fey <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:varalafey@gmail.com"
target="_blank">varalafey@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Oh HELL no!! What kind of
hall-monitor nanny mentality do you
want people to adopt??</p>
<p>I accept "bogus" certificates all
the time because the whole idea of
certificates is crap in the first
place - they are NOT maintained -
and years ago I got tired of that
procedure warning me about "invalid"
certificates for sites that were
perfectly valid.</p>
<p>I've never had a problem. Of course
I'm also careful where I go,
certificate or not.</p>
<span
class="m_3664614906642159284HOEnZb"><font
color="#888888">
<p>- Vara<br>
</p>
</font></span>
<div>
<div class="m_3664614906642159284h5">
<br>
<div
class="m_3664614906642159284m_6778587083276554415moz-cite-prefix">On
3/20/2017 2:12 PM, Brien
Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Maybe every
commercial router should do
SSL interception by default.
If a user accepts a bogus
certificate they are taken to
a page that thoroughly scolds
them and informs them about
the huge mistake they made,
forces them to read a few
slides and take a quiz on
network safety before allowing
them on the Internet. Maybe
do the same for non-ssl HTTP
traffic, etc.. . <br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Mar 20, 2017 at 1:55
PM, Matt Graham <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mhgraham@crow202.org"
target="_blank">mhgraham@crow202.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
On Mon, Mar 20, 2017
at 12:29 PM, Victor
Odhner &lt;<a
moz-do-not-send="true"
href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>&gt;
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
I’m really annoyed
that so many
companies offer open
WIFI when it would
be<br>
so easy to secure
those hot spots.
Restaurants, hotels,
and the waiting<br>
rooms of auto
dealerships are
almost 100% open.<br>
</blockquote>
</blockquote>
</span> [snip]<span><br>
On 2017-03-20 13:20,
Stephen Partington
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
This is usually done
as a means to be easy
for their customers.<br>
</blockquote>
<br>
</span> Pretty much this.
Convenience is more
valuable than security in
most people's minds.<span><br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
they’d be happy to
do the right thing
if we could explain
it to the right
people.<br>
</blockquote>
</blockquote>
<br>
</span> I'm not sure this
would happen. Setting up
passwords and then
distributing those
passwords has a non-zero
cost and offers zero
visible benefits for most
of the people who are
using the wireless
networks.[0] And as
another poster said, what
about football/baseball
stadiums? Distributing
passwords to tens of
thousands of people is
sort of difficult. "Just
watching the game" is not
an option; people want to
FaceTweet pictures of
themselves at the game.<br>
<br>
OTOH, the last time I
looked at the access
points visible from my
living room, almost all of
them had some sort of
access control enabled.
Maybe there's a social
convention forming that
"my access point" ~= "my
back yard" and "open
access point" ~= "a public
park"?<br>
<br>
[0] Having a more educated
user population would make
the benefits more visible,
but it's very difficult to
make people care about
these things.<span
class="m_3664614906642159284m_6778587083276554415HOEnZb"><font
color="#888888"><br>
<br>
-- <br>
Crow202 Blog: <a
moz-do-not-send="true"
href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no Darkness
in Eternity<br>
But only Light too dim
for us to see.</font></span>
<div
class="m_3664614906642159284m_6778587083276554415HOEnZb">
<div
class="m_3664614906642159284m_6778587083276554415h5"><br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing
list - <a
moz-do-not-send="true"
href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe,
unsubscribe, or to
change your mail
settings:<br>
<a
moz-do-not-send="true"
href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer"
target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</body></html>