Re: OT: Need a Campaign to Secure WIFI Sites

Author: Vara La Fey
Date:  
To: Main PLUG discussion list
Subject: Re: OT: Need a Campaign to Secure WIFI Sites
Even if spyware isn't the intent, it's still the result. And when
someone keeps pushing for a bad result, they eventually give you little
choice but to suspect bad intent. I don't /want/ to suspect that. But
neither he nor Brien really address my concerns about intrusiveness and
abuse. They just keep asserting "safety" benefits of semi-forcing their
chosen content onto other people. And it's none of their business, and
it's just wrong.

If someone wanted to set up a true educational system, instead of
spyware and intrusive propaganda, that would be a worthwhile campaign.


On 3/23/2017 3:36 PM, Bob Elzer wrote:
>
> I don't think Victor was trying to create spyware, he was just trying
> to come up with a way to stop identity theft.
>
> But unfortunately that is a task not easily solved, too many
> restrictions and people won't use it, and if it takes away privacy they
> won't use it. If it's complicated, guess what, they won't use it.
>
> While most users know about the dangers of the internet, there are far
> too many that don't know what to do about it.
>
> People still get sunburn because they don't use sunscreen, and that
> isn't complicated.
>
> Education is the answer, but some still won't understand and others
> will still say it's too complicated. It's a catch-22.
>
>
> On Mar 23, 2017 2:51 PM, "Vara La Fey" <varalafey@gmail.com> wrote:
>
>     First you were talking about open hotspots. Then you were talking
>     about https. Now you are talking about ssl.

>
>     But all the while you're still just talking about monitoring and
>     restricting the activity of 3rd parties on 4th party systems. And
>     it seems really important to you for some reason.

>
>     Please, waste time and effort and money patenting your /spyware/
>     chaperone system that monitors web activity with the intent of
>     /creating consequences/ for activity which you - or your intended
>     customer - opines is "invalid". I doubt very many people will buy
>     into it because there is no upside for them. Even when they alter
>     it to fit their own agenda, they just anger their customers who
>     can click OK for EULAs and enter logins, but cannot bypass your 3
>     Minute Hate.

>
>     If it can detect an "invalid" certificate, then by changing a
>     couple code lines (if even), it can detect anything else about an
>     attempted site visit. Of course this ability is ancient now, but
>     less evil implementations of it merely censor by blocking, which
>     is bad enough. Yours is "educational" - and it's interesting that
>     /you/ put the quotes around that word yourself - for the purpose
>     of taking up other people's time with propaganda.

>
>     If it became common, it would become a mandatory advertising
>     medium anytime anyone clicked on a competitor's site, or a site
>     with bad reviews for your customer. If it became law, it would
>     become a mandatory propaganda delivery system anytime anyone
>     clicked on a site containing any kind of dissenting viewpoint.

>
>     Are you hoping to create one of those conditions? If so, which?

>
>     Because this sure looks like more than just wanting to manipulate
>     lesser people into a system designed to reinforce your wishful
>     feelings of superiority. There has to be a more compelling reason
>     that you're this overly concerned about what 3rd parties do on 4th
>     party systems.

>
>     Which, btw, brings up the fact that your system is not equivalent
>     to EULAs or logins or pay systems, because the connection provider
>     has the right to set conditions for using their connection. Your
>     spyware idea is to harass people who are using /other people's/
>     connections.

>
>     I'm not an expert on web connection technology per se, but it
>     seems that Tor would nicely wire around all SSL issues after the
>     initial connection to the now-restricted hotspot. You certainly
>     make a great case for using it, even if just on general principle.
>     So what would you do about that?

>
>     I don't think your grandmother wants you monitoring her activity.
>     I don't think /anyone/ wants you monitoring their activity. But
>     you seem to want to do it anyway. And no one but me is saying boo
>     to you.  :-(

>
>     As to the trivia: I personally have never had trouble from
>     visiting a site with an "invalid certificate" of any kind, because
>     that stuff simply isn't 100% maintained. Obviously I am careful
>     where I go and what I click and download anyway. I do not so
>     easily ignore "known malware site" warnings, and if in doubt about
>     a site I reflexively check the web address. MyBank.Phishing.com
>     and Phishing.com/MyBank do not get
>     clicks from me. But that's all beside the point.

>
>
>     On 3/20/2017 9:57 PM, Brien Dieterle wrote:
>>     On Mar 20, 2017 3:36 PM, "Vara La Fey" <varalafey@gmail.com> wrote:

>>
>>         OMG!!

>>
>>         First of all, you'd be mis-educating them if telling them
>>         that certificate "validity" has any real meaning. (But now
>>         you're talking about http.)

>>
>>     I mean validity as in trusted roots that have been shipped with
>>     your OS or browser. Surely you don't mean these are meaningless.
>>     AFAIK they are very reliable as long as you never accept bogus
>>     certs.  If you accept bogus certs "all the time", I really hope
>>     you know what you're doing. Pretty much any important site should
>>     have working SSL.

>>
>>     There is a reason why all the browsers freak out when you get a
>>     bad cert, but users still click "add exception".  My captive
>>     education portal would give real consequence to this with the 3
>>     minute power point slideshow and mandatory quiz.  I wonder if
>>     this is already patented. . .

>>
>>         Second, why do you think you have any right to put speed
>>         bumps in the way of people who are doing nothing to you?

>>
>>     Plenty of businesses do this already for captive portals and
>>     forcing users to log in, pay, or accept an EULA.  They are
>>     already tampering with your SSL connection in order to redirect
>>     you to the portal. I'm just suggesting to use this technology for
>>     "educational" purposes.

>>
>>         Third, if your grandmother needs internet "safety" education,
>>         just educate her, or refuse to keep fixing the problems she
>>         encounters in her ignorance - if she really is all that
>>         ignorant. I hope you wouldn't install a browser re-direct
>>         without her consent, because then you'd be just any other
>>         malware propagator with just any other self-righteous
>>         rationalization.

>>
>>     Well, I'm lazy.  I'd much rather have an ongoing passive
>>     education program for anyone that uses that router.  Maybe only 1
>>     in 1000 requests trigger the "test", or once a month per mac
>>     address maybe.  If grandma fails the test I can get an email so I
>>     can call her up and gently chastise her.  "Grandmaaaa, did you
>>     accept a bogus SSL certificate again? Hmmm?"

>>
>>     As far as consent goes, I'm only talking about routers you own or
>>     have permission to modify.  That should go without saying.

>>
>>         Fourth, if /you/ need educational "speed bumps" on /your/
>>         router, /you/ are free to have them. One of the great things
>>         about freedom - from government or from meddling busybodies -
>>         is that /you/ get to be free too.

>>
>>     My post is in the context of businesses or individuals that
>>     provide Internet to the public.  Presumably businesses and
>>     individuals have the freedom to do this kind of SSL interception,
>>     since they've already been doing it for years without any
>>     repercussions.  Personally I'm disturbed that businesses will try
>>     to get me to accept their SSL cert for their Wi-Fi portal, but I
>>     know the technology leaves little choice.  One trick is to ignore
>>     the cert and try again with a non SSL address.

>>
>>     It is pretty ironic that the first thing these captive portals
>>     ask users to do is blindly accept a bogus SSL cert.  It is really
>>     just a sad state of affairs that we are literally training people
>>     to accept bad SSL certificates.

>>
>>         For years my Firefox has had an option to "always use HTTPS",
>>         and I'm sure all other modern browsers do as well. Plus,
>>         Mozilla.org has a free plugin - I think it's from EFF.org -
>>         called "HTTPS Everywhere". It's all very easy to use, and
>>         will be almost entirely transparent to Grandma.

>>
>>     This won't do anything to protect you/grandma from bogus ssl
>>     certs.  Imagine connecting to a bad AP at Starbucks that is
>>     proxying all your SSL connections.  Your only defense is trusted
>>     roots and knowing not to accept bogus SSL certs.  If only we had
>>     a captive router-based SSL education program... ;)

>>
>>
>>
>>         On 3/20/2017 3:14 PM, Brien Dieterle wrote:
>>>         A system like I described would just be an "educational
>>>         tool" to encourage people to use HTTPS (properly).  It
>>>         wouldn't stop you from accepting bogus certificates-- just a
>>>         speed bump.  Now that I've thought about it I'd really like
>>>         to install something like this on my grandparent's router. .
>>>         .   heck, my own router. . .

>>>
>>>         On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey <varalafey@gmail.com> wrote:

>>>
>>>             Oh HELL no!! What kind of hall-monitor nanny mentality
>>>             do you want people to adopt??

>>>
>>>             I accept "bogus" certificates all the time because the
>>>             whole idea of certificates is crap in the first place -
>>>             they are NOT maintained - and years ago I got tired of
>>>             that procedure warning me about "invalid" certificates
>>>             for sites that were perfectly valid.

>>>
>>>             I've never had a problem. Of course I'm also careful
>>>             where I go, certificate or not.

>>>
>>>             - Vara

>>>
>>>
>>>             On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>>>>             Maybe every commercial router should do SSL
>>>>             interception by default.  If a user accepts a bogus
>>>>             certificate they are taken to a page that thoroughly
>>>>             scolds them and informs them about the huge mistake
>>>>             they made, forces them to read a few slides and take a
>>>>             quiz on network safety before allowing them on the
>>>>             Internet. Maybe do the same for non-ssl HTTP traffic,
>>>>             etc.. .

>>>>
>>>>             On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham <mhgraham@crow202.org> wrote:

>>>>
>>>>                     On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner <vodhner@cox.net> wrote:

>>>>
>>>>                         I’m really annoyed that so many companies
>>>>                         offer open WIFI when it would be
>>>>                         so easy to secure those hot spots.
>>>>                         Restaurants, hotels, and the waiting
>>>>                         rooms of auto dealerships are almost 100% open.

>>>>
>>>>                 [snip]
>>>>                 On 2017-03-20 13:20, Stephen Partington wrote:

>>>>
>>>>                     This is usually done as a means to be easy for
>>>>                     their customers.

>>>>
>>>>
>>>>                 Pretty much this. Convenience is more valuable than
>>>>                 security in most people's minds.

>>>>
>>>>                         they’d be happy to do the right thing if we
>>>>                         could explain it to the right people.

>>>>
>>>>
>>>>                 I'm not sure this would happen.  Setting up
>>>>                 passwords and then distributing those passwords has
>>>>                 a non-zero cost and offers zero visible benefits
>>>>                 for most of the people who are using the wireless
>>>>                 networks.[0] And as another poster said, what about
>>>>                 football/baseball stadiums? Distributing passwords
>>>>                 to tens of thousands of people is sort of
>>>>                 difficult. "Just watching the game" is not an
>>>>                 option; people want to FaceTweet pictures of
>>>>                 themselves at the game.

>>>>
>>>>                 OTOH, the last time I looked at the access points
>>>>                 visible from my living room, almost all of them had
>>>>                 some sort of access control enabled. Maybe there's
>>>>                 a social convention forming that "my access point"
>>>>                 ~= "my back yard" and "open access point" ~= "a
>>>>                 public park"?

>>>>
>>>>                 [0] Having a more educated user population would
>>>>                 make the benefits more visible, but it's very
>>>>                 difficult to make people care about these things.

>>>>
>>>>                 -- 
>>>>                 Crow202 Blog: http://crow202.org/wordpress
>>>>                 There is no Darkness in Eternity
>>>>                 But only Light too dim for us to see.

>>>>
>>>>                 ---------------------------------------------------
>>>>                 PLUG-discuss mailing list -
>>>>                 
>>>>                 <mailto:PLUG-discuss@lists.phxlinux.org>
>>>>                 To subscribe, unsubscribe, or to change your mail
>>>>                 settings:
>>>>                 http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>                 <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
