Re: OT: Need a Campaign to Secure WIFI Sites

Author: Brien Dieterle
Date:  
To: Main PLUG discussion list
Subject: Re: OT: Need a Campaign to Secure WIFI Sites
On Mar 20, 2017 3:36 PM, "Vara La Fey" <> wrote:

OMG!!

First of all, you'd be mis-educating them if telling them that certificate
"validity" has any real meaning. (But now you're talking about http.)

I mean validity as in trusted roots that have been shipped with your OS or
browser. Surely you don't mean these are meaningless. AFAIK they are very
reliable as long as you never accept bogus certs. If you accept bogus
certs "all the time", I really hope you know what you're doing. Pretty
much any important site should have working SSL.

There is a reason why all the browsers freak out when you get a bad cert,
but users still click "add exception". My captive education portal would
give real consequence to this with the 3 minute power point slideshow and
mandatory quiz. I wonder if this is already patented...

Second, why do you think you have any right to put speed bumps in the way
of people who are doing nothing to you?

Plenty of businesses do this already for captive portals and forcing users
to log in, pay, or accept an EULA. They are already tampering with your
SSL connection in order to redirect you to the portal. I'm just suggesting
to use this technology for "educational" purposes.

Third, if your grandmother needs internet "safety" education, just educate
her, or refuse to keep fixing the problems she encounters in her ignorance
- if she really is all that ignorant. I hope you wouldn't install a browser
re-direct without her consent, because then you'd be just any other malware
propagator with just any other self-righteous rationalization.

Well, I'm lazy. I'd much rather have an ongoing passive education program
for anyone that uses that router. Maybe only 1 in 1000 requests trigger
the "test", or once a month per mac address maybe. If grandma fails the
test I can get an email so I can call her up and gently chastise her.
"Grandmaaaa, did you accept a bogus SSL certificate again? Hmmm?"

As far as consent goes, I'm only talking about routers you own or have
permission to modify. That should go without saying.

Fourth, if *you* need educational "speed bumps" on *your* router, *you* are
free to have them. One of the great things about freedom - from government
or from meddling busybodies - is that *you* get to be free too.

My post is in the context of businesses or individuals that provide
Internet to the public. Presumably businesses and individuals have the
freedom to do this kind of SSL interception, since they've already been
doing it for years without any repercussions. Personally I'm disturbed
that businesses will try to get me to accept their SSL cert for their Wi-Fi
portal, but I know the technology leaves little choice. One trick is to
ignore the cert and try again with a non-SSL address.

It is pretty ironic that the first thing these captive portals ask users to
do is blindly accept a bogus SSL cert. It is really just a sad state of
affairs that we are literally training people to accept bad SSL
certificates.

For years my Firefox has had an option to "always use HTTPS", and I'm sure
all other modern browsers do as well. Plus, Mozilla.org has a free plugin -
I think it's from EFF.org - called "HTTPS Everywhere". It's all very easy
to use, and will be almost entirely transparent to Grandma.

This won't do anything to protect you/grandma from bogus SSL certs.
Imagine connecting to a bad AP at Starbucks that is proxying all your SSL
connections. Your only defense is trusted roots and knowing not to accept
bogus SSL certs. If only we had a captive router-based SSL education
program... ;)



On 3/20/2017 3:14 PM, Brien Dieterle wrote:

A system like I described would just be an "educational tool" to encourage
people to use HTTPS (properly). It wouldn't stop you from accepting bogus
certificates -- just a speed bump. Now that I've thought about it I'd
really like to install something like this on my grandparent's router...
heck, my own router...

On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey <> wrote:

> Oh HELL no!! What kind of hall-monitor nanny mentality do you want people
> to adopt??
>
> I accept "bogus" certificates all the time because the whole idea of
> certificates is crap in the first place - they are NOT maintained - and
> years ago I got tired of that procedure warning me about "invalid"
> certificates for sites that were perfectly valid.
>
> I've never had a problem. Of course I'm also careful where I go,
> certificate or not.
>
> - Vara
>
> On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>
> Maybe every commercial router should do SSL interception by default. If a
> user accepts a bogus certificate they are taken to a page that thoroughly
> scolds them and informs them about the huge mistake they made, forces them
> to read a few slides and take a quiz on network safety before allowing them
> on the Internet. Maybe do the same for non-SSL HTTP traffic, etc...
>
> On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham <> wrote:
>
>> On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner <> wrote:
>>>
>>>> I'm really annoyed that so many companies offer open WIFI when it would
>>>> be so easy to secure those hot spots. Restaurants, hotels, and the waiting
>>>> rooms of auto dealerships are almost 100% open.
>>>>
>>> [snip]
>> On 2017-03-20 13:20, Stephen Partington wrote:
>>
>>> This is usually done as a means to be easy for their customers.
>>>
>>
>> Pretty much this. Convenience is more valuable than security in most
>> people's minds.
>>
>>>> they'd be happy to do the right thing if we could explain it to the right
>>>> people.
>>>>
>>>
>> I'm not sure this would happen. Setting up passwords and then
>> distributing those passwords has a non-zero cost and offers zero visible
>> benefits for most of the people who are using the wireless networks.[0]
>> And as another poster said, what about football/baseball stadiums?
>> Distributing passwords to tens of thousands of people is sort of
>> difficult. "Just watching the game" is not an option; people want to
>> FaceTweet pictures of themselves at the game.
>>
>> OTOH, the last time I looked at the access points visible from my living
>> room, almost all of them had some sort of access control enabled. Maybe
>> there's a social convention forming that "my access point" ~= "my back
>> yard" and "open access point" ~= "a public park"?
>>
>> [0] Having a more educated user population would make the benefits more
>> visible, but it's very difficult to make people care about these things.
>>
>> --
>> Crow202 Blog: http://crow202.org/wordpress
>> There is no Darkness in Eternity
>> But only Light too dim for us to see.
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
>
>


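The "try again with a non-SSL address" trick above is exactly what operating systems automate as captive-portal detection: fetch a known plain-HTTP URL and see whether the answer is the expected 204 or a redirect to a login page, instead of accepting whatever certificate the portal presents. This is an added example, not code from the thread: both the probe and the stand-in portal run on localhost, and the `/generate_204` path and `portal.example` URL are constructed placeholders.

```python
# Added example: plain-HTTP captive-portal probe against a local stand-in portal.
# The probe path and the portal URL are constructed for the demo.
import http.server
import threading
import urllib.error
import urllib.request

PORTAL_URL = "http://portal.example/login"  # constructed placeholder


class FakePortal(http.server.BaseHTTPRequestHandler):
    """Stand-in captive portal: every request is bounced to the login page."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", PORTAL_URL)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class HonestServer(FakePortal):
    """Stand-in for an unintercepted network: the probe path answers 204."""
    def do_GET(self):
        self.send_response(204)
        self.end_headers()


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the probe sees the portal's 302 itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(port):
    """Fetch the probe path over plain HTTP; return 'open', 'captive' or 'unexpected'."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://127.0.0.1:{port}/generate_204", timeout=5) as resp:
            return "open" if resp.getcode() == 204 else "unexpected"
    except urllib.error.HTTPError as err:
        # A 3xx pointing somewhere else is the captive-portal signature.
        if err.code in (301, 302, 303, 307, 308) and err.headers.get("Location"):
            return "captive"
        return "unexpected"


def run_probe_against(handler):
    """Start the stand-in server on an ephemeral port, probe it, then stop it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("honest network:", run_probe_against(HonestServer))  # open
    print("captive portal:", run_probe_against(FakePortal))    # captive
```

A "captive" result tells the user to open the portal page deliberately over plain HTTP rather than clicking "add exception" on an HTTPS warning.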

