<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Even if spyware isn't the intent, it's still the result. And when
someone keeps pushing for a bad result, they eventually give you
little choice but to suspect bad intent. I don't <i>want </i>to
suspect that. But neither he nor Brien really addresses my concerns
about intrusiveness and abuse. They just keep asserting "safety"
benefits of semi-forcing their chosen content onto other people.
And it's none of their business, and it's just wrong.</p>
<p>If someone wanted to set up a true educational system, instead of
spyware and intrusive propaganda, that would be a worthwhile
campaign.<br>
</p>
<br>
<div class="moz-cite-prefix">On 3/23/2017 3:36 PM, Bob Elzer wrote:<br>
</div>
<blockquote
cite="mid:CANQAHVA5o_hyJ10W0ANms01E_Z6=vozDwVQKhx++4bHgUeAi+A@mail.gmail.com"
type="cite">
<p dir="ltr">I don't think Victor was trying to create spyware, he
was just trying to come up with a way to stop identity theft.</p>
<p dir="ltr">But unfortunately that is a task not easily solved,
too many restrictions and people won't use it, and if it takes
away privacy they won't use it. If it's complicated, guess what,
they won't use it. </p>
<p dir="ltr">While most users know about the dangers of the
internet, there are far too many that don't know what to do
about it.</p>
<p dir="ltr">People still get sunburn because they don't use
sunscreen, and that isn't complicated.</p>
<p dir="ltr">Education is the answer, but some still won't
understand and others will still say it's too complicated. It's a
catch-22.</p>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mar 23, 2017 2:51 PM, "Vara La Fey"
&lt;<a moz-do-not-send="true"
href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> First you were
talking about open hotspots. Then you were talking about
https. Now you are talking about ssl.<br>
<br>
But all the while you're still just talking about
monitoring and restricting the activity of 3rd parties on
4th party systems. And it seems really important to you
for some reason.<br>
<br>
Please, waste time and effort and money patenting your <i>spyware
</i>chaperone system that monitors web activity with the
intent of <i>creating consequences </i>for activity
which you - or your intended customer - opines is
"invalid". I doubt very many people will buy into it
because there is no upside for them. Even when they alter
it to fit their own agenda, they just anger their
customers who can click OK for EULAs and enter logins, but
cannot bypass your 3 Minute Hate.<br>
<br>
If it can detect an "invalid" certificate, then by
changing a couple code lines (if even), it can detect
anything else about an attempted site visit. Of course
this ability is ancient now, but less evil implementations
of it merely censor by blocking, which is bad enough.
Yours is "educational" - and it's interesting that <i>you
</i>put the quotes around that word yourself - for the
purpose of taking up other people's time with propaganda.
<p>If it became common, it would become a mandatory
advertising medium anytime anyone clicked on a
competitor's site, or a site with bad reviews for your
customer. If it became law, it would become a mandatory
propaganda delivery system anytime anyone clicked on a
site containing any kind of dissenting viewpoint.</p>
<p>Are you hoping to create one of those conditions? If
so, which?<br>
</p>
<p>Because this sure looks like more than just wanting to
manipulate lesser people into a system designed to
reinforce your wishful feelings of superiority. There
has to be a more compelling reason that you're this
overly concerned about what 3rd parties do on 4th party
systems.<br>
</p>
<p>Which, btw, brings up the fact that your system is not
equivalent to EULAs or logins or pay systems, because
the connection provider has the right to set conditions
for using their connection. Your spyware idea is to
harass people who are using <i>other people's</i>
connections.</p>
<p>I'm not an expert on web connection technology per se,
but it seems that Tor would nicely wire around all SSL
issues after the initial connection to the
now-restricted hotspot. You certainly make a great case
for using it, even if just on general principle. So what
would you do about that?</p>
<p>I don't think your grandmother wants you monitoring her
activity. I don't think <i>anyone </i>wants you
monitoring their activity. But you seem to want to do it
anyway. And no one but me is saying boo to you. :-(</p>
<p>As to the trivia: I personally have never had trouble
from visiting a site with an "invalid certificate" of
any kind, because that stuff simply isn't 100%
maintained. Obviously I am careful where I go and what I
click and download anyway. I do not so easily ignore
"known malware site" warnings, and if in doubt about a
site I reflexively check the web address. <a
moz-do-not-send="true"
href="http://MyBank.Phishing.com" target="_blank">MyBank.Phishing.com</a>
and Phishing.com/MyBank do not get clicks from me. But
that's all beside the point.<br>
</p>
<p><br>
</p>
<div class="m_-4849299353738584098moz-cite-prefix">On
3/20/2017 9:57 PM, Brien Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">
<div>
<div class="gmail_extra">
<div class="gmail_quote">On Mar 20, 2017 3:36 PM,
"Vara La Fey" &lt;<a moz-do-not-send="true"
href="mailto:varalafey@gmail.com"
target="_blank">varalafey@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>OMG!!</p>
<p>First of all, you'd be mis-educating them
if telling them that certificate
"validity" has any real meaning. (But now
you're talking about http.)<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">I mean validity as in trusted roots
that have been shipped with your OS or browser.
Surely you don't mean these are meaningless. AFAIK
they are very reliable as long as you never accept
bogus certs. If you accept bogus certs "all the
time", I really hope you know what you're doing.
Pretty much any important site should have working
SSL.</div>
<div dir="auto"><br>
</div>
<div dir="auto">There is a reason why all the browsers
freak out when you get a bad cert, but users still
click "add exception". My captive education portal
would give real consequence to this with the 3
minute power point slideshow and mandatory quiz. I
wonder if this is already patented. . .</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Second, why do you think you have any
right to put speed bumps in the way of
people who are doing nothing to you? <br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Plenty of businesses do this already
for captive portals and forcing users to log in,
pay, or accept an EULA. They are already tampering
with your SSL connection in order to redirect you to
the portal. I'm just suggesting to use this
technology for "educational" purposes.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Third, if your grandmother needs internet
"safety" education, just educate her, or
refuse to keep fixing the problems she
encounters in her ignorance - if she
really is all that ignorant. I hope you
wouldn't install a browser re-direct
without her consent, because then you'd be
just any other malware propagator with
just any other self-righteous
rationalization.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Well, I'm lazy. I'd much rather have
an ongoing passive education program for anyone that
uses that router. Maybe only 1 in 1000 requests
trigger the "test", or once a month per MAC address
maybe. If grandma fails the test I can get an email
so I can call her up and gently chastise her.
"Grandmaaaa, did you accept a bogus SSL certificate
again? Hmmm?"</div>
<div dir="auto"><br>
</div>
<div dir="auto">As far as consent goes, I'm only
talking about routers you own or have permission to
modify. That should go without saying.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>Fourth, if <i>you </i>need educational
"speed bumps" on <i>your </i>router, <i>you
</i>are free to have them. One of the
great things about freedom - from
government or from meddling busybodies -
is that <i>you </i>get to be free too.</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">My post is in the context of
businesses or individuals that provide Internet to
the public. Presumably businesses and individuals
have the freedom to do this kind of SSL
interception, since they've already been doing it
for years without any repercussions. Personally I'm
disturbed that businesses will try to get me to
accept their SSL cert for their Wi-Fi portal, but I
know the technology leaves little choice. One trick
is to ignore the cert and try again with a non-SSL
address.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span style="font-family:sans-serif">It
is pretty ironic that the first thing these
captive portals ask users to do is blindly accept
a bogus SSL cert. It is really just a sad state
of affairs that we are literally training people
to accept bad SSL certificates.</span><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>For years my Firefox has had an option to
"always use HTTPS", and I'm sure all other
modern browsers do as well. Plus,
Mozilla.org has a free plugin - I think
it's from EFF.org - called "HTTPS
Everywhere". It's all very easy to use,
and will be almost entirely transparent to
Grandma.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">This won't do anything to protect
you/grandma from bogus SSL certs. Imagine
connecting to a bad AP at Starbucks that is proxying
all your SSL connections. Your only defense is
trusted roots and knowing not to accept bogus SSL
certs. If only we had a captive router-based SSL
education program... ;)</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="m_-4849299353738584098quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<div
class="m_-4849299353738584098elided-text">
<br>
<div
class="m_-4849299353738584098m_3664614906642159284moz-cite-prefix">On
3/20/2017 3:14 PM, Brien Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A system like I described
would just be an "educational tool" to
encourage people to use HTTPS
(properly). It wouldn't stop you from
accepting bogus certificates-- just a
speed bump. Now that I've thought
about it I'd really like to install
something like this on my
grandparent's router. . . heck, my
own router. . .<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon,
Mar 20, 2017 at 2:50 PM, Vara La
Fey <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:varalafey@gmail.com"
target="_blank">varalafey@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>Oh HELL no!! What kind of
hall-monitor nanny
mentality do you want
people to adopt??</p>
<p>I accept "bogus"
certificates all the time
because the whole idea of
certificates is crap in
the first place - they are
NOT maintained - and years
ago I got tired of that
procedure warning me about
"invalid" certificates for
sites that were perfectly
valid.</p>
<p>I've never had a problem.
Of course I'm also careful
where I go, certificate or
not.</p>
<span
class="m_-4849299353738584098m_3664614906642159284HOEnZb"><font
color="#888888">
<p>- Vara<br>
</p>
</font></span>
<div>
<div
class="m_-4849299353738584098m_3664614906642159284h5">
<br>
<div
class="m_-4849299353738584098m_3664614906642159284m_6778587083276554415moz-cite-prefix">On
3/20/2017 2:12 PM,
Brien Dieterle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Maybe
every commercial
router should do SSL
interception by
default. If a user
accepts a bogus
certificate they are
taken to a page that
thoroughly scolds
them and informs
them about the huge
mistake they made,
forces them to read
a few slides and
take a quiz on
network safety
before allowing them
on the Internet.
Maybe do the same
for non-ssl HTTP
traffic, etc.. . <br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Mar 20, 2017
at 1:55 PM, Matt
Graham <span
dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:mhgraham@crow202.org"
target="_blank">mhgraham@crow202.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex"><span>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Mar
20, 2017 at
12:29 PM,
Victor Odhner
&lt;<a
moz-do-not-send="true"
href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>&gt;
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I’m really
annoyed that
so many
companies
offer open
WIFI when it
would be<br>
so easy to
secure those
hot spots.
Restaurants,
hotels, and
the waiting<br>
rooms of auto
dealerships
are almost
100% open.<br>
</blockquote>
</blockquote>
</span> [snip]<span><br>
On 2017-03-20
13:20, Stephen
Partington
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is
usually done
as a means to
be easy for
their
customers.<br>
</blockquote>
<br>
</span> Pretty
much this.
Convenience is
more valuable
than security in
most people's
minds.<span><br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
they’d be
happy to do
the right
thing if we
could explain
it to the
right people.<br>
</blockquote>
</blockquote>
<br>
</span> I'm not
sure this would
happen. Setting
up passwords and
then
distributing
those passwords
has a non-zero
cost and offers
zero visible
benefits for
most of the
people who are
using the
wireless
networks.[0]
And as another
poster said,
what about
football/baseball
stadiums?
Distributing
passwords to
tens of
thousands of
people is sort
of difficult.
"Just watching
the game" is not
an option;
people want to
FaceTweet
pictures of
themselves at
the game.<br>
<br>
OTOH, the last
time I looked at
the access
points visible
from my living
room, almost all
of them had some
sort of access
control enabled.
Maybe there's a
social
convention
forming that "my
access point" ~=
"my back yard"
and "open access
point" ~= "a
public park"?<br>
<br>
[0] Having a
more educated
user population
would make the
benefits more
visible, but
it's very
difficult to
make people care
about these
things.<span
class="m_-4849299353738584098m_3664614906642159284m_6778587083276554415HOEnZb"><font
color="#888888"><br>
<br>
-- <br>
Crow202 Blog:
<a
moz-do-not-send="true"
href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no
Darkness in
Eternity<br>
But only Light
too dim for us
to see.</font></span>
<div
class="m_-4849299353738584098m_3664614906642159284m_6778587083276554415HOEnZb">
<div
class="m_-4849299353738584098m_3664614906642159284m_6778587083276554415h5"><br>
------------------------------<wbr>---------------------<br>
PLUG-discuss
mailing list -
<a
moz-do-not-send="true"
href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe,
unsubscribe,
or to change
your mail
settings:<br>
<a
moz-do-not-send="true"
href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer"
target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div>
</blockquote></div></div>
</blockquote>
</body></html>