Even if spyware isn't the intent, it's still the result. And when someone keeps pushing for a bad result, they eventually give you little choice but to suspect bad intent. I don't /want/ to suspect that. But neither he nor Brien really address my concerns about intrusiveness and abuse. They just keep asserting "safety" benefits of semi-forcing their chosen content onto other people. And it's none of their business, and it's just wrong.

If someone wanted to set up a true educational system, instead of spyware and intrusive propaganda, that would be a worthwhile campaign.

On 3/23/2017 3:36 PM, Bob Elzer wrote:
>
> I don't think Victor was trying to create spyware, he was just trying to come up with a way to stop identity theft.
>
> But unfortunately that is a task not easily solved, too many restrictions and people won't use it, and if it takes away privacy they won't use it. If it's complicated, guess what, they won't use it.
>
> While most users know about the dangers of the internet, there are far too many that don't know what to do about it.
>
> People still get sunburn because they don't use sunscreen, and that isn't complicated.
>
> Education is the answer, but some still won't understand and others will still say it's too complicated. It's a catch 22.
>
>
> On Mar 23, 2017 2:51 PM, "Vara La Fey" wrote:
>
>     First you were talking about open hotspots. Then you were talking about https. Now you are talking about ssl.
>
>     But all the while you're still just talking about monitoring and restricting the activity of 3rd parties on 4th party systems. And it seems really important to you for some reason.
>
>     Please, waste time and effort and money patenting your /spyware/ chaperone system that monitors web activity with the intent of /creating consequences/ for activity which you - or your intended customer - opines is "invalid". I doubt very many people will buy into it because there is no upside for them.
>     Even when they alter it to fit their own agenda, they just anger their customers who can click OK for EULAs and enter logins, but cannot bypass your 3 Minute Hate.
>
>     If it can detect an "invalid" certificate, then by changing a couple code lines (if even), it can detect anything else about an attempted site visit. Of course this ability is ancient now, but less evil implementations of it merely censor by blocking, which is bad enough. Yours is "educational" - and it's interesting that /you/ put the quotes around that word yourself - for the purpose of taking up other people's time with propaganda.
>
>     If it became common, it would become a mandatory advertising medium anytime anyone clicked on a competitor's site, or a site with bad reviews for your customer. If it became law, it would become a mandatory propaganda delivery system anytime anyone clicked on a site containing any kind of dissenting viewpoint.
>
>     Are you hoping to create one of those conditions? If so, which?
>
>     Because this sure looks like more than just wanting to manipulate lesser people into a system designed to reinforce your wishful feelings of superiority. There has to be a more compelling reason that you're this overly concerned about what 3rd parties do on 4th party systems.
>
>     Which, btw, brings up the fact that your system is not equivalent to EULAs or logins or pay systems, because the connection provider has the right to set conditions for using their connection. Your spyware idea is to harass people who are using /other people's/ connections.
>
>     I'm not an expert on web connection technology per se, but it seems that Tor would nicely wire around all SSL issues after the initial connection to the now-restricted hotspot. You certainly make a great case for using it, even if just on general principle. So what would you do about that?
>
>     I don't think your grandmother wants you monitoring her activity.
>     I don't think /anyone/ wants you monitoring their activity. But you seem to want to do it anyway. And no one but me is saying boo to you. :-(
>
>     As to the trivia: I personally have never had trouble from visiting a site with an "invalid certificate" of any kind, because that stuff simply isn't 100% maintained. Obviously I am careful where I go and what I click and download anyway. I do not so easily ignore "known malware site" warnings, and if in doubt about a site I reflexively check the web address. MyBank.Phishing.com and Phishing.com/MyBank do not get clicks from me. But that's all beside the point.
>
>
>     On 3/20/2017 9:57 PM, Brien Dieterle wrote:
>> On Mar 20, 2017 3:36 PM, "Vara La Fey" wrote:
>>
>>     OMG!!
>>
>>     First of all, you'd be mis-educating them if telling them that certificate "validity" has any real meaning. (But now you're talking about http.)
>>
>> I mean validity as in trusted roots that have been shipped with your OS or browser. Surely you don't mean these are meaningless. AFAIK they are very reliable as long as you never accept bogus certs. If you accept bogus certs "all the time", I really hope you know what you're doing. Pretty much any important site should have working SSL.
>>
>> There is a reason why all the browsers freak out when you get a bad cert, but users still click "add exception". My captive education portal would give real consequence to this with the 3 minute power point slideshow and mandatory quiz. I wonder if this is already patented. . .
>>
>>     Second, why do you think you have any right to put speed bumps in the way of people who are doing nothing to you?
>>
>> Plenty of businesses do this already for captive portals and forcing users to log in, pay, or accept an EULA. They are already tampering with your SSL connection in order to redirect you to the portal. I'm just suggesting to use this technology for "educational" purposes.
>>
>>     Third, if your grandmother needs internet "safety" education, just educate her, or refuse to keep fixing the problems she encounters in her ignorance - if she really is all that ignorant. I hope you wouldn't install a browser re-direct without her consent, because then you'd be just any other malware propagator with just any other self-righteous rationalization.
>>
>> Well, I'm lazy. I'd much rather have an ongoing passive education program for anyone that uses that router. Maybe only 1 in 1000 requests trigger the "test", or once a month per mac address maybe. If grandma fails the test I can get an email so I can call her up and gently chastise her. "Grandmaaaa, did you accept a bogus SSL certificate again? Hmmm?"
>>
>> As far as consent goes, I'm only talking about routers you own or have permission to modify. That should go without saying.
>>
>>     Fourth, if /you/ need educational "speed bumps" on /your/ router, /you/ are free to have them. One of the great things about freedom - from government or from meddling busybodies - is that /you/ get to be free too.
>>
>> My post is in the context of businesses or individuals that provide Internet to the public. Presumably businesses and individuals have the freedom to do this kind of SSL interception, since they've already been doing it for years without any repercussions. Personally I'm disturbed that businesses will try to get me to accept their SSL cert for their Wi-Fi portal, but I know the technology leaves little choice. One trick is to ignore the cert and try again with a non SSL address.
>>
>> It is pretty ironic that the first thing these captive portals ask users to do is blindly accept a bogus SSL cert. It is really just a sad state of affairs that we are literally training people to accept bad SSL certificates.
>>
>>     For years my Firefox has had an option to "always use HTTPS", and I'm sure all other modern browsers do as well. Plus, Mozilla.org has a free plugin - I think it's from EFF.org - called "HTTPS Everywhere". It's all very easy to use, and will be almost entirely transparent to Grandma.
>>
>> This won't do anything to protect you/grandma from bogus ssl certs. Imagine connecting to a bad AP at Starbucks that is proxying all your SSL connections. Your only defense is trusted roots and knowing not to accept bogus SSL certs. If only we had a captive router-based SSL education program... ;)
>>
>>
>>
>>     On 3/20/2017 3:14 PM, Brien Dieterle wrote:
>>> A system like I described would just be an "educational tool" to encourage people to use HTTPS (properly). It wouldn't stop you from accepting bogus certificates-- just a speed bump. Now that I've thought about it I'd really like to install something like this on my grandparent's router. . . heck, my own router. . .
>>>
>>> On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey wrote:
>>>
>>>     Oh HELL no!! What kind of hall-monitor nanny mentality do you want people to adopt??
>>>
>>>     I accept "bogus" certificates all the time because the whole idea of certificates is crap in the first place - they are NOT maintained - and years ago I got tired of that procedure warning me about "invalid" certificates for sites that were perfectly valid.
>>>
>>>     I've never had a problem. Of course I'm also careful where I go, certificate or not.
>>>
>>>     - Vara
>>>
>>>
>>>     On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>>>> Maybe every commercial router should do SSL interception by default. If a user accepts a bogus certificate they are taken to a page that thoroughly scolds them and informs them about the huge mistake they made, forces them to read a few slides and take a quiz on network safety before allowing them on the Internet.
>>>> Maybe do the same for non-ssl HTTP traffic, etc.. .
>>>>
>>>> On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham wrote:
>>>>
>>>>     On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner wrote:
>>>>
>>>>         I’m really annoyed that so many companies offer open WIFI when it would be so easy to secure those hot spots. Restaurants, hotels, and the waiting rooms of auto dealerships are almost 100% open.
>>>>
>>>>     [snip]
>>>>     On 2017-03-20 13:20, Stephen Partington wrote:
>>>>
>>>>         This is usually done as a means to be easy for their customers.
>>>>
>>>>
>>>>     Pretty much this. Convenience is more valuable than security in most people's minds.
>>>>
>>>>         they’d be happy to do the right thing if we could explain it to the right people.
>>>>
>>>>
>>>>     I'm not sure this would happen. Setting up passwords and then distributing those passwords has a non-zero cost and offers zero visible benefits for most of the people who are using the wireless networks.[0] And as another poster said, what about football/baseball stadiums? Distributing passwords to tens of thousands of people is sort of difficult. "Just watching the game" is not an option; people want to FaceTweet pictures of themselves at the game.
>>>>
>>>>     OTOH, the last time I looked at the access points visible from my living room, almost all of them had some sort of access control enabled. Maybe there's a social convention forming that "my access point" ~= "my back yard" and "open access point" ~= "a public park"?
>>>>
>>>>     [0] Having a more educated user population would make the benefits more visible, but it's very difficult to make people care about these things.
>>>>
>>>>     --
>>>>     Crow202 Blog: http://crow202.org/wordpress
>>>>     There is no Darkness in Eternity
>>>>     But only Light too dim for us to see.
>>>>
>>>>     ---------------------------------------------------
>>>>     PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>     To subscribe, unsubscribe, or to change your mail settings:
>>>>     http://lists.phxlinux.org/mailman/listinfo/plug-discuss