<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Mmm hmm. But at least nobody will know that you're streaming the
footage of his arrival.</p>
<p>Are these captcha-blockings you mention the same as when Google
and others intercept you when they detect that you're not trying
to log in from the same IP as your previous logons? Back when I
last used Tor to actually log in to an account, sites I used
weren't doing that kind of interception. I've merely browsed with
Tor since.<br>
</p>
<p>- Vara<br>
</p>
<br>
<div class="moz-cite-prefix">On 3/23/2017 5:13 PM, Eric Oyen wrote:<br>
</div>
<blockquote
cite="mid:4E03AC1C-3C30-4297-80DF-722CDDD12C89@icloud.com"
type="cite">That is the other problem I have seen with TOR. Any
slower and the second coming of Christ will arrive sooner. :)
<div><br>
</div>
<div>-eric</div>
<div>from the central office of the Technomage Guild, Editors
choice dept.</div>
<div><br>
<div>
<div>On Mar 23, 2017, at 4:02 PM, Vara La Fey wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">
<p>I'm all for education. I'm a trans-girl, and believe
me, I would like to educate people a little about us.
But I wouldn't take it upon myself to intrude on their
time for a 3 Minute Love unless they're trying to hurt
someone.<br>
</p>
<p>I don't want people semi-forcing content on me. And the
desired "campaign" is exactly that. It's sad that
everyone here who comments keeps asserting the "safety"
benefits, without a care in the world about the sheer
intrusiveness and the obvious socio-political abuses of
systems like that becoming commonplace. Which hopefully
they won't.</p>
<p>I don't need a VPN and have never set one up, but I
don't doubt the security of a VPN/Tor combination. And
if you are really afraid of snoops and spooks, encrypt
all your text traffic with large PGP keys. But I rarely
use Tor because it's horribly slow, and PGP because it's
an extra few steps. But they are always there for those
special occasions. :-)</p>
<p>- Vara<br>
</p>
<br>
<div class="moz-cite-prefix">On 3/23/2017 3:16 PM, Eric
Oyen wrote:<br>
</div>
<blockquote
cite="mid:4EF5D72B-DFFB-4ECA-BDB1-A5CB66859068@icloud.com"
type="cite">well, if you don't want to deal with bad
certs, redirected https, etc., you can either not use that
router/service or get a VPN and secure all your traffic.
And yes, I will not use paywall systems of any kind,
they have no business knowing what my credentials are.
<div><br>
</div>
<div>Lastly, if I want real security, a combo of VPN and
TOR cannot be beat. I use Private Internet Access for
the VPN and also have a TOR node set up here. The TOR
node will not be connected until after the VPN comes
up. Why let my ISP know I am running a TOR node here
at home? The only issue I have with this is that my
search engine queries don't work right (mostly, I get
blocked and asked to solve a captcha, which is not
doable for the blind most times).</div>
<div>Anyway, do what you must, but education should be
the first item on the list when it comes to net
security.</div>
<div>
<div><br>
</div>
<div>-eric</div>
<div>from the central office of the Technomage Guild,
Security applications dept.</div>
<div><br>
<div>
<div>On Mar 23, 2017, at 2:50 PM, Vara La Fey
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> First you
were talking about open hotspots. Then you
were talking about https. Now you are talking
about ssl.<br>
<br>
But all the while you're still just talking
about monitoring and restricting the activity
of 3rd parties on 4th party systems. And it
seems really important to you for some reason.<br>
<br>
Please, waste time and effort and money
patenting your <i>spyware </i>chaperone
system that monitors web activity with the
intent of <i>creating consequences </i>for
activity which you - or your intended customer
- opines is "invalid". I doubt very many
people will buy into it because there is no
upside for them. Even when they alter it to
fit their own agenda, they just anger their
customers who can click OK for EULAs and enter
logins, but cannot bypass your 3 Minute Hate.<br>
<br>
If it can detect an "invalid" certificate,
then by changing a couple code lines (if
even), it can detect anything else about an
attempted site visit. Of course this ability
is ancient now, but less evil implementations
of it merely censor by blocking, which is bad
enough. Yours is "educational" - and it's
interesting that <i>you </i>put the quotes
around that word yourself - for the purpose of
taking up other people's time with propaganda.
<p>If it became common, it would become a
mandatory advertising medium anytime anyone
clicked on a competitor's site, or a site
with bad reviews for your customer. If it
became law, it would become a mandatory
propaganda delivery system anytime anyone
clicked on a site containing any kind of
dissenting viewpoint.</p>
<p>Are you hoping to create one of those
conditions? If so, which?<br>
</p>
<p>Because this sure looks like more than just
wanting to manipulate lesser people into a
system designed to reinforce your wishful
feelings of superiority. There has to be a
more compelling reason that you're this
overly concerned about what 3rd parties do
on 4th party systems.<br>
</p>
<p>Which, btw, brings up the fact that your
system is not equivalent to EULAs or logins
or pay systems, because the connection
provider has the right to set conditions for
using their connection. Your spyware idea is
to harass people who are using <i>other
people's</i> connections.</p>
<p>I'm not an expert on web connection
technology per se, but it seems that Tor
would nicely wire around all SSL issues
after the initial connection to the
now-restricted hotspot. You certainly make a
great case for using it, even if just on
general principle. So what would you do
about that?</p>
<p>I don't think your grandmother wants you
monitoring her activity. I don't think <i>anyone
</i>wants you monitoring their activity. But
you seem to want to do it anyway. And no one
but me is saying boo to you. :-(</p>
<p>As to the trivia: I personally have never
had trouble from visiting a site with an
"invalid certificate" of any kind, because
that stuff simply isn't 100% maintained.
Obviously I am careful where I go and what I
click and download anyway. I do not so
easily ignore "known malware site" warnings,
and if in doubt about a site I reflexively
check the web address. <a
moz-do-not-send="true"
href="http://MyBank.Phishing.com/">MyBank.Phishing.com</a>
and <a moz-do-not-send="true"
href="http://Phishing.com/MyBank">Phishing.com/MyBank</a>
do not get clicks from me. But that's all
beside the point.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 3/20/2017 9:57
PM, Brien Dieterle wrote:<br>
</div>
<blockquote
cite="mid:CAA_Swr=tOvKCDNfi=Cit9ccggBX=joHuFZShLFn=hm7ik+X67Q@mail.gmail.com"
type="cite">
<div dir="auto">
<div>
<div class="gmail_extra">
<div class="gmail_quote">On Mar 20,
2017 3:36 PM, "Vara La Fey" &lt;<a
moz-do-not-send="true"
href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>OMG!!</p>
<p>First of all, you'd be
mis-educating them if telling
them that certificate
"validity" has any real
meaning. (But now you're
talking about http.)<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">I mean validity as in
trusted roots that have been shipped
with your OS or browser. Surely you
don't mean these are meaningless. AFAIK
they are very reliable as long as you
never accept bogus certs. If you accept
bogus certs "all the time", I really
hope you know what you're doing. Pretty
much any important site should have
working SSL.</div>
<div dir="auto"><br>
</div>
<div dir="auto">There is a reason why all
the browsers freak out when you get a
bad cert, but users still click "add
exception". My captive education portal
would give real consequence to this with
the 3 minute power point slideshow and
mandatory quiz. I wonder if this is
already patented. . .</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> <br
class="webkit-block-placeholder">
</div>
<p>Second, why do you think you
have any right to put speed
bumps in the way of people who
are doing nothing to you? <br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Plenty of businesses do
this already for captive portals and
forcing users to log in, pay, or accept
an EULA. They are already tampering
with your SSL connection in order to
redirect you to the portal. I'm just
suggesting to use this technology for
"educational" purposes.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> <br
class="webkit-block-placeholder">
</div>
<p>Third, if your grandmother
needs internet "safety"
education, just educate her,
or refuse to keep fixing the
problems she encounters in her
ignorance - if she really is
all that ignorant. I hope you
wouldn't install a browser
re-direct without her consent,
because then you'd be just any
other malware propagator with
just any other self-righteous
rationalization.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Well, I'm lazy. I'd much
rather have an ongoing passive education
program for anyone that uses that
router. Maybe only 1 in 1000 requests
trigger the "test", or once a month per
mac address maybe. If grandma fails the
test I can get an email so I can call
her up and gently chastise her.
"Grandmaaaa, did you accept a bogus SSL
certificate again? Hmmm?"</div>
<div dir="auto"><br>
</div>
<div dir="auto">As far as consent goes,
I'm only talking about routers you own
or have permission to modify. That
should go without saying.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> <br
class="webkit-block-placeholder">
</div>
<p>Fourth, if <i>you </i>need
educational "speed bumps" on <i>your
</i>router, <i>you </i>are
free to have them. One of the
great things about freedom -
from government or from
meddling busybodies - is that
<i>you </i>get to be free
too.</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">My post is in the context
of businesses or individuals that
provide Internet to the public.
Presumably businesses and individuals
have the freedom to do this kind of SSL
interception, since they've already been
doing it for years without any
repercussions. Personally I'm disturbed
that businesses will try to get me to
accept their SSL cert for their Wi-Fi
portal, but I know the technology leaves
little choice. One trick is to ignore
the cert and try again with a non-SSL
address.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span
style="font-family:sans-serif">It is
pretty ironic that the first thing
these captive portals ask users to do
is blindly accept a bogus SSL cert.
It is really just a sad state of
affairs that we are literally training
people to accept bad SSL certificates.</span><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>For years my Firefox has had
an option to "always use
HTTPS", and I'm sure all other
modern browsers do as well.
Plus, <a
moz-do-not-send="true"
href="http://Mozilla.org/">Mozilla.org</a>
has a free plugin - I think
it's from <a
moz-do-not-send="true"
href="http://EFF.org/">EFF.org</a>
- called "HTTPS Everywhere".
It's all very easy to use, and
will be almost entirely
transparent to Grandma.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">This won't do anything to
protect you/grandma from bogus SSL
certs. Imagine connecting to a bad AP
at Starbucks that is proxying all your
SSL connections. Your only defense is
trusted roots and knowing not to accept
bogus SSL certs. If only we had a
captive router-based SSL education
program... ;)</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div> <br
class="webkit-block-placeholder">
</div>
<div class="elided-text"> <br>
<div
class="m_3664614906642159284moz-cite-prefix">On
3/20/2017 3:14 PM, Brien
Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A system like
I described would just be
an "educational tool" to
encourage people to use
HTTPS (properly). It
wouldn't stop you from
accepting bogus
certificates-- just a
speed bump. Now that I've
thought about it I'd
really like to install
something like this on my
grandparent's router. .
. heck, my own router. .
.<br>
<div>
<div class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Mar 20, 2017 at
2:50 PM, Vara La Fey
<span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:varalafey@gmail.com" target="_blank">varalafey@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<p>Oh HELL no!!
What kind of
hall-monitor
nanny
mentality do
you want
people to
adopt??</p>
<p>I accept
"bogus"
certificates
all the time
because the
whole idea of
certificates
is crap in the
first place -
they are NOT
maintained -
and years ago
I got tired of
that procedure
warning me
about
"invalid"
certificates
for sites that
were perfectly
valid.</p>
<p>I've never
had a problem.
Of course I'm
also careful
where I go,
certificate or
not.</p>
<span
class="m_3664614906642159284HOEnZb"><font
color="#888888">
<p>- Vara<br>
</p>
</font></span>
<div>
<div
class="m_3664614906642159284h5">
<br>
<div
class="m_3664614906642159284m_6778587083276554415moz-cite-prefix">On
3/20/2017 2:12
PM, Brien
Dieterle
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Maybe
every
commercial
router should
do SSL
interception
by default.
If a user
accepts a
bogus
certificate
they are taken
to a page that
thoroughly
scolds them
and informs
them about the
huge mistake
they made,
forces them to
read a few
slides and
take a quiz on
network safety
before
allowing them
on the
Internet.
Maybe do the
same for
non-SSL HTTP
traffic, etc...<br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Mar 20,
2017 at 1:55
PM, Matt
Graham <span
dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:mhgraham@crow202.org"
target="_blank">mhgraham@crow202.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Mar
20, 2017 at
12:29 PM,
Victor Odhner
&lt;<a
moz-do-not-send="true"
href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>&gt;
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I’m really
annoyed that
so many
companies
offer open
WIFI when it
would be<br>
so easy to
secure those
hot spots.
Restaurants,
hotels, and
the waiting<br>
rooms of auto
dealerships
are almost
100% open.<br>
</blockquote>
</blockquote>
</span> [snip]<span><br>
On 2017-03-20
13:20, Stephen
Partington
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is
usually done
as a means to
be easy for
their
customers.<br>
</blockquote>
<br>
</span> Pretty
much this.
Convenience is
more valuable
than security
in most
people's
minds.<span><br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
they’d be
happy to do
the right
thing if we
could explain
it to the
right people.<br>
</blockquote>
</blockquote>
<br>
</span> I'm
not sure this
would happen.
Setting up
passwords and
then
distributing
those
passwords has
a non-zero
cost and
offers zero
visible
benefits for
most of the
people who are
using the
wireless
networks.[0]
And as another
poster said,
what about
football/baseball
stadiums?
Distributing
passwords to
tens of
thousands of
people is sort
of difficult.
"Just watching
the game" is
not an option;
people want to
FaceTweet
pictures of
themselves at
the game.<br>
<br>
OTOH, the last
time I looked
at the access
points visible
from my living
room, almost
all of them
had some sort
of access
control
enabled. Maybe
there's a
social
convention
forming that
"my access
point" ~= "my
back yard" and
"open access
point" ~= "a
public park"?<br>
<br>
[0] Having a
more educated
user
population
would make the
benefits more
visible, but
it's very
difficult to
make people
care about
these things.<span
class="m_3664614906642159284m_6778587083276554415HOEnZb"><font
color="#888888"><br>
<br>
-- <br>
Crow202 Blog:
<a
moz-do-not-send="true"
href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no
Darkness in
Eternity<br>
But only Light
too dim for us
to see.</font></span>
<div
class="m_3664614906642159284m_6778587083276554415HOEnZb">
<div
class="m_3664614906642159284m_6778587083276554415h5"><br>
------------------------------<wbr>---------------------<br>
PLUG-discuss
mailing list -
<a
moz-do-not-send="true"
href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe,
unsubscribe,
or to change
your mail
settings:<br>
<a
moz-do-not-send="true"
href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer"
target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div>
</blockquote></div>
</div></div>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
</body></html>