I'm all for education. I'm a trans-girl, and believe me, I would like to educate people a little about us. But I wouldn't take it upon myself to intrude on their time for a 3 Minute Love unless they're trying to hurt someone.

I don't want people semi-forcing content on me. And the desired "campaign" is exactly that. It's sad that everyone here who comments keeps asserting the "safety" benefits, without a care in the world about the sheer intrusiveness and the obvious socio-political abuses of systems like that becoming commonplace. Which hopefully they won't.

I don't need a VPN and have never set one up, but I don't doubt the security of a VPN/Tor combination. And if you are really afraid of snoops and spooks, encrypt all your text traffic with large PGP keys. But I rarely use Tor because it's horribly slow, and PGP because it's an extra few steps. But they are always there for those special occasions. :-)

- Vara

On 3/23/2017 3:16 PM, Eric Oyen wrote:
> Well, if you don't want to deal with bad certs, redirected https, etc.,
> you can either not use that router/service or get a VPN and secure all
> your traffic. And yes, I will not use paywall systems of any kind,
> they have no business knowing what my credentials are.
>
> Lastly, if I want real security, a combo of VPN and TOR cannot be
> beat. I use Private Internet Access for the VPN and also have a TOR
> node setup here. The TOR node will not be connected until after the
> VPN comes up. Why let my ISP know I am running a TOR node here at
> home? The only issue I have with this is that my search engine queries
> don't work right (mostly, I get blocked and asked to solve a captcha,
> which is not doable for the blind most times).
> Anyway, do what you must, but education should be the first item on
> the list when it comes to net security.
>
> -eric
> from the central office of the Technomage Guild, Security applications
> dept.
>
> On Mar 23, 2017, at 2:50 PM, Vara La Fey wrote:
>
>> First you were talking about open hotspots. Then you were talking
>> about https. Now you are talking about ssl.
>>
>> But all the while you're still just talking about monitoring and
>> restricting the activity of 3rd parties on 4th party systems. And it
>> seems really important to you for some reason.
>>
>> Please, waste time and effort and money patenting your /spyware/
>> chaperone system that monitors web activity with the intent of
>> /creating consequences/ for activity which you - or your intended
>> customer - opines is "invalid". I doubt very many people will buy
>> into it because there is no upside for them. Even when they alter it
>> to fit their own agenda, they just anger their customers who can
>> click OK for EULAs and enter logins, but cannot bypass your 3 Minute
>> Hate.
>>
>> If it can detect an "invalid" certificate, then by changing a couple
>> code lines (if even), it can detect anything else about an attempted
>> site visit. Of course this ability is ancient now, but less evil
>> implementations of it merely censor by blocking, which is bad enough.
>> Yours is "educational" - and it's interesting that /you/ put the
>> quotes around that word yourself - for the purpose of taking up other
>> people's time with propaganda.
>>
>> If it became common, it would become a mandatory advertising medium
>> anytime anyone clicked on a competitor's site, or a site with bad
>> reviews for your customer. If it became law, it would become a
>> mandatory propaganda delivery system anytime anyone clicked on a site
>> containing any kind of dissenting viewpoint.
>>
>> Are you hoping to create one of those conditions? If so, which?
>>
>> Because this sure looks like more than just wanting to manipulate
>> lesser people into a system designed to reinforce your wishful
>> feelings of superiority.
>> There has to be a more compelling reason
>> that you're this overly concerned about what 3rd parties do on 4th
>> party systems.
>>
>> Which, btw, brings up the fact that your system is not equivalent to
>> EULAs or logins or pay systems, because the connection provider has
>> the right to set conditions for using their connection. Your spyware
>> idea is to harass people who are using /other people's/ connections.
>>
>> I'm not an expert on web connection technology per se, but it seems
>> that Tor would nicely wire around all SSL issues after the initial
>> connection to the now-restricted hotspot. You certainly make a great
>> case for using it, even if just on general principle. So what would
>> you do about that?
>>
>> I don't think your grandmother wants you monitoring her activity. I
>> don't think /anyone/ wants you monitoring their activity. But you
>> seem to want to do it anyway. And no one but me is saying boo to you. :-(
>>
>> As to the trivia: I personally have never had trouble from visiting a
>> site with an "invalid certificate" of any kind, because that stuff
>> simply isn't 100% maintained. Obviously I am careful where I go and
>> what I click and download anyway. I do not so easily ignore "known
>> malware site" warnings, and if in doubt about a site I reflexively
>> check the web address. MyBank.Phishing.com
>> and Phishing.com/MyBank
>> do not get clicks from me. But that's
>> all beside the point.
>>
>>
>> On 3/20/2017 9:57 PM, Brien Dieterle wrote:
>>> On Mar 20, 2017 3:36 PM, "Vara La Fey" wrote:
>>>
>>>     OMG!!
>>>
>>>     First of all, you'd be mis-educating them if telling them that
>>>     certificate "validity" has any real meaning. (But now you're
>>>     talking about http.)
>>>
>>> I mean validity as in trusted roots that have been shipped with your
>>> OS or browser. Surely you don't mean these are meaningless. AFAIK
>>> they are very reliable as long as you never accept bogus certs.
>>> If you accept bogus certs "all the time", I really hope you know what
>>> you're doing. Pretty much any important site should have working SSL.
>>>
>>> There is a reason why all the browsers freak out when you get a bad
>>> cert, but users still click "add exception". My captive education
>>> portal would give real consequence to this with the 3 minute power
>>> point slideshow and mandatory quiz. I wonder if this is already
>>> patented. . .
>>>
>>>
>>>     Second, why do you think you have any right to put speed bumps
>>>     in the way of people who are doing nothing to you?
>>>
>>> Plenty of businesses do this already for captive portals and forcing
>>> users to log in, pay, or accept an EULA. They are already tampering
>>> with your SSL connection in order to redirect you to the portal. I'm
>>> just suggesting to use this technology for "educational" purposes.
>>>
>>>
>>>     Third, if your grandmother needs internet "safety" education,
>>>     just educate her, or refuse to keep fixing the problems she
>>>     encounters in her ignorance - if she really is all that
>>>     ignorant. I hope you wouldn't install a browser re-direct
>>>     without her consent, because then you'd be just any other
>>>     malware propagator with just any other self-righteous
>>>     rationalization.
>>>
>>> Well, I'm lazy. I'd much rather have an ongoing passive education
>>> program for anyone that uses that router. Maybe only 1 in 1000
>>> requests trigger the "test", or once a month per mac address maybe.
>>> If grandma fails the test I can get an email so I can call her up
>>> and gently chastise her. "Grandmaaaa, did you accept a bogus SSL
>>> certificate again? Hmmm?"
>>>
>>> As far as consent goes, I'm only talking about routers you own or
>>> have permission to modify. That should go without saying.
>>>
>>>
>>>     Fourth, if /you/ need educational "speed bumps" on /your/
>>>     router, /you/ are free to have them.
>>>     One of the great things
>>>     about freedom - from government or from meddling busybodies - is
>>>     that /you/ get to be free too.
>>>
>>> My post is in the context of businesses or individuals that provide
>>> Internet to the public. Presumably businesses and individuals have
>>> the freedom to do this kind of SSL interception, since they've
>>> already been doing it for years without any repercussions.
>>> Personally I'm disturbed that businesses will try to get me to
>>> accept their SSL cert for their Wi-Fi portal, but I know the
>>> technology leaves little choice. One trick is to ignore the cert and
>>> try again with a non-SSL address.
>>>
>>> It is pretty ironic that the first thing these captive portals ask
>>> users to do is blindly accept a bogus SSL cert. It is really just a
>>> sad state of affairs that we are literally training people to accept
>>> bad SSL certificates.
>>>
>>>     For years my Firefox has had an option to "always use HTTPS",
>>>     and I'm sure all other modern browsers do as well. Plus,
>>>     Mozilla.org has a free plugin - I think
>>>     it's from EFF.org - called "HTTPS Everywhere".
>>>     It's all very easy to use, and will be almost entirely
>>>     transparent to Grandma.
>>>
>>> This won't do anything to protect you/grandma from bogus ssl certs.
>>> Imagine connecting to a bad AP at Starbucks that is proxying all
>>> your SSL connections. Your only defense is trusted roots and
>>> knowing not to accept bogus SSL certs. If only we had a captive
>>> router-based SSL education program... ;)
>>>
>>>
>>>     On 3/20/2017 3:14 PM, Brien Dieterle wrote:
>>>> A system like I described would just be an "educational tool"
>>>> to encourage people to use HTTPS (properly). It wouldn't stop
>>>> you from accepting bogus certificates-- just a speed bump. Now
>>>> that I've thought about it I'd really like to install something
>>>> like this on my grandparent's router. . . heck, my own
>>>> router. . .
>>>>
>>>> On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey wrote:
>>>>
>>>>     Oh HELL no!! What kind of hall-monitor nanny mentality do
>>>>     you want people to adopt??
>>>>
>>>>     I accept "bogus" certificates all the time because the
>>>>     whole idea of certificates is crap in the first place -
>>>>     they are NOT maintained - and years ago I got tired of that
>>>>     procedure warning me about "invalid" certificates for sites
>>>>     that were perfectly valid.
>>>>
>>>>     I've never had a problem. Of course I'm also careful where
>>>>     I go, certificate or not.
>>>>
>>>>     - Vara
>>>>
>>>>
>>>>     On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>>>>> Maybe every commercial router should do SSL interception
>>>>> by default. If a user accepts a bogus certificate they
>>>>> are taken to a page that thoroughly scolds them and
>>>>> informs them about the huge mistake they made, forces them
>>>>> to read a few slides and take a quiz on network safety
>>>>> before allowing them on the Internet. Maybe do the same
>>>>> for non-ssl HTTP traffic, etc.. .
>>>>>
>>>>> On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham wrote:
>>>>>
>>>>>     On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner wrote:
>>>>>
>>>>>         I’m really annoyed that so many companies
>>>>>         offer open WIFI when it would be
>>>>>         so easy to secure those hot spots.
>>>>>         Restaurants, hotels, and the waiting
>>>>>         rooms of auto dealerships are almost 100% open.
>>>>>
>>>>>     [snip]
>>>>>     On 2017-03-20 13:20, Stephen Partington wrote:
>>>>>
>>>>>         This is usually done as a means to be easy for
>>>>>         their customers.
>>>>>
>>>>>
>>>>>     Pretty much this. Convenience is more valuable than
>>>>>     security in most people's minds.
>>>>>
>>>>>         they’d be happy to do the right thing if we
>>>>>         could explain it to the right people.
>>>>>
>>>>>
>>>>>     I'm not sure this would happen.
>>>>>     Setting up passwords
>>>>>     and then distributing those passwords has a non-zero
>>>>>     cost and offers zero visible benefits for most of the
>>>>>     people who are using the wireless networks.[0] And as
>>>>>     another poster said, what about football/baseball
>>>>>     stadiums? Distributing passwords to tens of thousands
>>>>>     of people is sort of difficult. "Just watching the
>>>>>     game" is not an option; people want to FaceTweet
>>>>>     pictures of themselves at the game.
>>>>>
>>>>>     OTOH, the last time I looked at the access points
>>>>>     visible from my living room, almost all of them had
>>>>>     some sort of access control enabled. Maybe there's a
>>>>>     social convention forming that "my access point" ~=
>>>>>     "my back yard" and "open access point" ~= "a public park"?
>>>>>
>>>>>     [0] Having a more educated user population would make
>>>>>     the benefits more visible, but it's very difficult to
>>>>>     make people care about these things.
>>>>>
>>>>>     --
>>>>>     Crow202 Blog: http://crow202.org/wordpress
>>>>>     There is no Darkness in Eternity
>>>>>     But only Light too dim for us to see.
>>>>>
>>>>>     ---------------------------------------------------
>>>>>     PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>>     To subscribe, unsubscribe, or to change your mail settings:
>>>>>     http://lists.phxlinux.org/mailman/listinfo/plug-discuss