<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I'm all for education. I'm a trans-girl, and believe me, I would
like to educate people a little about us. But I wouldn't take it
upon myself to intrude on their time for a 3 Minute Love unless
they're trying to hurt someone.<br>
</p>
<p>I don't want people semi-forcing content on me. And the desired
"campaign" is exactly that. It's sad that everyone here who
comments keeps asserting the "safety" benefits, without a care in
the world about the sheer intrusiveness and the obvious
socio-political abuses of systems like that becoming commonplace.
Which hopefully they won't.</p>
<p>I don't need a VPN and have never set one up, but I don't doubt
the security of a VPN/Tor combination. And if you are really
afraid of snoops and spooks, encrypt all your text traffic with
large PGP keys. But I rarely use Tor because it's horribly slow,
and PGP because it's an extra few steps. But they are always there
for those special occasions. :-)</p>
<p>- Vara<br>
</p>
<br>
<div class="moz-cite-prefix">On 3/23/2017 3:16 PM, Eric Oyen wrote:<br>
</div>
<blockquote
cite="mid:4EF5D72B-DFFB-4ECA-BDB1-A5CB66859068@icloud.com"
type="cite">Well, if you don't want to deal with bad certs,
redirected https, etc., you can either not use that router/service
or get a VPN and secure all your traffic. And yes, I will not use
paywall systems of any kind, they have no business knowing what my
credentials are.
<div><br>
</div>
<div>Lastly, if I want real security, a combo of VPN and TOR
cannot be beat. I use Private Internet Access for the VPN and
also have a TOR node set up here. The TOR node will not be
connected until after the VPN comes up. Why let my ISP know I am
running a TOR node here at home? The only issue I have with this
is that my search engine queries don't work right (mostly, I get
blocked and asked to solve a captcha, which is not doable for
the blind most times).</div>
<div>Anyway, do what you must, but education should be the first
item on the list when it comes to net security.</div>
<div>
<div><br>
</div>
<div>-eric</div>
<div>from the central office of the Technomage Guild, Security
applications dept.</div>
<div><br>
<div>
<div>On Mar 23, 2017, at 2:50 PM, Vara La Fey wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> First you were
talking about open hotspots. Then you were talking about
https. Now you are talking about ssl.<br>
<br>
But all the while you're still just talking about
monitoring and restricting the activity of 3rd parties
on 4th party systems. And it seems really important to
you for some reason.<br>
<br>
Please, waste time and effort and money patenting your <i>spyware
</i>chaperone system that monitors web activity with the
intent of <i>creating consequences </i>for activity
which you - or your intended customer - opines is
"invalid". I doubt very many people will buy into it
because there is no upside for them. Even when they
alter it to fit their own agenda, they just anger their
customers who can click OK for EULAs and enter logins,
but cannot bypass your 3 Minute Hate.<br>
<br>
If it can detect an "invalid" certificate, then by
changing a couple code lines (if even), it can detect
anything else about an attempted site visit. Of course
this ability is ancient now, but less evil
implementations of it merely censor by blocking, which
is bad enough. Yours is "educational" - and it's
interesting that <i>you </i>put the quotes around that
word yourself - for the purpose of taking up other
people's time with propaganda.
<p>If it became common, it would become a mandatory
advertising medium anytime anyone clicked on a
competitor's site, or a site with bad reviews for your
customer. If it became law, it would become a
mandatory propaganda delivery system anytime anyone
clicked on a site containing any kind of dissenting
viewpoint.</p>
<p>Are you hoping to create one of those conditions? If
so, which?<br>
</p>
<p>Because this sure looks like more than just wanting
to manipulate lesser people into a system designed to
reinforce your wishful feelings of superiority. There
has to be a more compelling reason that you're this
overly concerned about what 3rd parties do on 4th
party systems.<br>
</p>
<p>Which, btw, brings up the fact that your system is
not equivalent to EULAs or logins or pay systems,
because the connection provider has the right to set
conditions for using their connection. Your spyware
idea is to harass people who are using <i>other
people's</i> connections.</p>
<p>I'm not an expert on web connection technology per
se, but it seems that Tor would nicely wire around all
SSL issues after the initial connection to the
now-restricted hotspot. You certainly make a great
case for using it, even if just on general principle.
So what would you do about that?</p>
<p>I don't think your grandmother wants you monitoring
her activity. I don't think <i>anyone </i>wants you
monitoring their activity. But you seem to want to do
it anyway. And no one but me is saying boo to you.
:-(</p>
<p>As to the trivia: I personally have never had trouble
from visiting a site with an "invalid certificate" of
any kind, because that stuff simply isn't 100%
maintained. Obviously I am careful where I go and what
I click and download anyway. I do not so easily ignore
"known malware site" warnings, and if in doubt about a
site I reflexively check the web address. <a
moz-do-not-send="true"
href="http://MyBank.Phishing.com">MyBank.Phishing.com</a>
and <a moz-do-not-send="true"
href="http://Phishing.com/MyBank">Phishing.com/MyBank</a>
do not get clicks from me. But that's all beside the
point.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 3/20/2017 9:57 PM, Brien
Dieterle wrote:<br>
</div>
<blockquote
cite="mid:CAA_Swr=tOvKCDNfi=Cit9ccggBX=joHuFZShLFn=hm7ik+X67Q@mail.gmail.com"
type="cite">
<div dir="auto">
<div>
<div class="gmail_extra">
<div class="gmail_quote">On Mar 20, 2017 3:36
PM, "Vara La Fey" &lt;<a
moz-do-not-send="true"
href="mailto:varalafey@gmail.com">varalafey@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>OMG!!</p>
<p>First of all, you'd be mis-educating
them if telling them that certificate
"validity" has any real meaning. (But
now you're talking about http.)<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">I mean validity as in trusted roots
that have been shipped with your OS or browser.
Surely you don't mean these are meaningless. AFAIK
they are very reliable as long as you never accept
bogus certs. If you accept bogus certs "all the
time", I really hope you know what you're doing.
Pretty much any important site should have working
SSL.</div>
<div dir="auto"><br>
</div>
<div dir="auto">There is a reason why all the
browsers freak out when you get a bad cert, but
users still click "add exception". My captive
education portal would give real consequence to
this with the 3 minute PowerPoint slideshow and
mandatory quiz. I wonder if this is already
patented. . .</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Second, why do you think you have any
right to put speed bumps in the way of
people who are doing nothing to you? <br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Plenty of businesses do this already
for captive portals and forcing users to log in,
pay, or accept an EULA. They are already
tampering with your SSL connection in order to
redirect you to the portal. I'm just suggesting to
use this technology for "educational" purposes.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Third, if your grandmother needs
internet "safety" education, just
educate her, or refuse to keep fixing
the problems she encounters in her
ignorance - if she really is all that
ignorant. I hope you wouldn't install a
browser re-direct without her consent,
because then you'd be just any other
malware propagator with just any other
self-righteous rationalization.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">Well, I'm lazy. I'd much rather
have an ongoing passive education program for
anyone that uses that router. Maybe only 1 in
1000 requests trigger the "test", or once a month
per MAC address maybe. If grandma fails the test
I can get an email so I can call her up and gently
chastise her. "Grandmaaaa, did you accept a bogus
SSL certificate again? Hmmm?"</div>
<div dir="auto"><br>
</div>
<div dir="auto">As far as consent goes, I'm only
talking about routers you own or have permission
to modify. That should go without saying.</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Fourth, if <i>you </i>need
educational "speed bumps" on <i>your </i>router,
<i>you </i>are free to have them. One
of the great things about freedom - from
government or from meddling busybodies -
is that <i>you </i>get to be free too.</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">My post is in the context of
businesses or individuals that provide Internet to
the public. Presumably businesses and individuals
have the freedom to do this kind of SSL
interception, since they've already been doing it
for years without any repercussions. Personally
I'm disturbed that businesses will try to get me
to accept their SSL cert for their Wi-Fi portal,
but I know the technology leaves little choice.
One trick is to ignore the cert and try again with
a non-SSL address.</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span style="font-family:sans-serif">It
is pretty ironic that the first thing these
captive portals ask users to do is blindly
accept a bogus SSL cert. It is really just a
sad state of affairs that we are literally
training people to accept bad SSL certificates.</span><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>For years my Firefox has had an option
to "always use HTTPS", and I'm sure all
other modern browsers do as well. Plus,
<a moz-do-not-send="true"
href="http://Mozilla.org">Mozilla.org</a>
has a free plugin - I think it's from <a
moz-do-not-send="true"
href="http://EFF.org">EFF.org</a> -
called "HTTPS Everywhere". It's all very
easy to use, and will be almost entirely
transparent to Grandma.<br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
<div dir="auto">This won't do anything to protect
you/grandma from bogus SSL certs. Imagine
connecting to a bad AP at Starbucks that is
proxying all your SSL connections. Your only
defense is trusted roots and knowing not to accept
bogus SSL certs. If only we had a captive
router-based SSL education program... ;)</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="elided-text"> <br>
<div
class="m_3664614906642159284moz-cite-prefix">On
3/20/2017 3:14 PM, Brien Dieterle
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">A system like I
described would just be an
"educational tool" to encourage
people to use HTTPS (properly). It
wouldn't stop you from accepting
bogus certificates-- just a speed
bump. Now that I've thought about
it I'd really like to install
something like this on my
grandparent's router. . . heck, my
own router. . .<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon,
Mar 20, 2017 at 2:50 PM, Vara
La Fey <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:varalafey@gmail.com"
target="_blank">varalafey@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>Oh HELL no!! What kind
of hall-monitor nanny
mentality do you want
people to adopt??</p>
<p>I accept "bogus"
certificates all the
time because the whole
idea of certificates is
crap in the first place
- they are NOT
maintained - and years
ago I got tired of that
procedure warning me
about "invalid"
certificates for sites
that were perfectly
valid.</p>
<p>I've never had a
problem. Of course I'm
also careful where I go,
certificate or not.</p>
<span
class="m_3664614906642159284HOEnZb"><font
color="#888888">
<p>- Vara<br>
</p>
</font></span>
<div>
<div
class="m_3664614906642159284h5">
<br>
<div
class="m_3664614906642159284m_6778587083276554415moz-cite-prefix">On
3/20/2017 2:12 PM,
Brien Dieterle
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Maybe
every commercial
router should do
SSL interception
by default. If a
user accepts a
bogus certificate
they are taken to
a page that
thoroughly scolds
them and informs
them about the
huge mistake they
made, forces them
to read a few
slides and take a
quiz on network
safety before
allowing them on
the Internet.
Maybe do the same
for non-ssl HTTP
traffic, etc.. . <br>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Mar 20,
2017 at 1:55 PM,
Matt Graham <span
dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:mhgraham@crow202.org"
target="_blank">mhgraham@crow202.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Mar
20, 2017 at
12:29 PM,
Victor Odhner
&lt;<a
moz-do-not-send="true"
href="mailto:vodhner@cox.net" target="_blank">vodhner@cox.net</a>&gt;
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I’m really
annoyed that
so many
companies
offer open
WIFI when it
would be<br>
so easy to
secure those
hot spots.
Restaurants,
hotels, and
the waiting<br>
rooms of auto
dealerships
are almost
100% open.<br>
</blockquote>
</blockquote>
</span> [snip]<span><br>
On 2017-03-20
13:20, Stephen
Partington
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is
usually done
as a means to
be easy for
their
customers.<br>
</blockquote>
<br>
</span> Pretty
much this.
Convenience is
more valuable
than security
in most
people's
minds.<span><br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
they’d be
happy to do
the right
thing if we
could explain
it to the
right people.<br>
</blockquote>
</blockquote>
<br>
</span> I'm
not sure this
would happen.
Setting up
passwords and
then
distributing
those
passwords has
a non-zero
cost and
offers zero
visible
benefits for
most of the
people who are
using the
wireless
networks.[0]
And as another
poster said,
what about
football/baseball
stadiums?
Distributing
passwords to
tens of
thousands of
people is sort
of difficult.
"Just watching
the game" is
not an option;
people want to
FaceTweet
pictures of
themselves at
the game.<br>
<br>
OTOH, the last
time I looked
at the access
points visible
from my living
room, almost
all of them
had some sort
of access
control
enabled. Maybe
there's a
social
convention
forming that
"my access
point" ~= "my
back yard" and
"open access
point" ~= "a
public park"?<br>
<br>
[0] Having a
more educated
user
population
would make the
benefits more
visible, but
it's very
difficult to
make people
care about
these things.<span
class="m_3664614906642159284m_6778587083276554415HOEnZb"><font
color="#888888"><br>
<br>
-- <br>
Crow202 Blog:
<a
moz-do-not-send="true"
href="http://crow202.org/wordpress" rel="noreferrer" target="_blank">http://crow202.org/wordpress</a><br>
There is no
Darkness in
Eternity<br>
But only Light
too dim for us
to see.</font></span>
<div
class="m_3664614906642159284m_6778587083276554415HOEnZb">
<div
class="m_3664614906642159284m_6778587083276554415h5"><br>
------------------------------<wbr>---------------------<br>
PLUG-discuss
mailing list -
<a
moz-do-not-send="true"
href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe,
unsubscribe,
or to change
your mail
settings:<br>
<a
moz-do-not-send="true"
href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss"
rel="noreferrer"
target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div></div>
</blockquote></div>
</div></div></div>
</blockquote>
</div>
</blockquote></div>
</div></div>
</blockquote>
</body></html>