OT: Need a Campaign to Secure WIFI Sites

Vara La Fey varalafey at gmail.com
Thu Mar 23 16:02:35 MST 2017


I'm all for education. I'm a trans-girl, and believe me, I would like to 
educate people a little about us. But I wouldn't take it upon myself to 
intrude on their time for a 3 Minute Love unless they're trying to hurt 
someone.

I don't want people semi-forcing content on me. And the desired 
"campaign" is exactly that. It's sad that everyone here who comments 
keeps asserting the "safety" benefits, without a care in the world about 
the sheer intrusiveness and the obvious socio-political abuses of 
systems like that becoming commonplace. Which hopefully they won't.

I don't need a VPN and have never set one up, but I don't doubt the 
security of a VPN/Tor combination. And if you are really afraid of 
snoops and spooks, encrypt all your text traffic with large PGP keys. 
But I rarely use Tor because it's horribly slow, and PGP because it's an 
extra few steps. But they are always there for those special occasions.  :-)

- Vara


On 3/23/2017 3:16 PM, Eric Oyen wrote:
> Well, if you don't want to deal with bad certs, redirected https, etc., 
> you can either not use that router/service or get a VPN and secure all 
> your traffic. And yes, I will not use paywall systems of any kind, 
> they have no business knowing what my credentials are.
>
> Lastly, if I want real security, a combo of VPN and TOR cannot be 
> beat. I use Private Internet Access for the VPN and also have a TOR 
> node set up here. The TOR node will not be connected until after the 
> VPN comes up. Why let my ISP know I am running a TOR node here at 
> home? The only issue I have with this is that my search engine queries 
> don't work right (mostly, I get blocked and asked to solve a captcha, 
> which is not doable for the blind most times).
> Anyway, do what you must, but education should be the first item on 
> the list when it comes to net security.
>
> -eric
> from the central office of the Technomage Guild, Security applications 
> dept.
>
> On Mar 23, 2017, at 2:50 PM, Vara La Fey wrote:
>
>> First you were talking about open hotspots. Then you were talking 
>> about https. Now you are talking about ssl.
>>
>> But all the while you're still just talking about monitoring and 
>> restricting the activity of 3rd parties on 4th party systems. And it 
>> seems really important to you for some reason.
>>
>> Please, waste time and effort and money patenting your /spyware/ 
>> chaperone system that monitors web activity with the intent of 
>> /creating consequences/ for activity which you - or your intended 
>> customer - opines is "invalid". I doubt very many people will buy 
>> into it because there is no upside for them. Even when they alter it 
>> to fit their own agenda, they just anger their customers who can 
>> click OK for EULAs and enter logins, but cannot bypass your 3 Minute 
>> Hate.
>>
>> If it can detect an "invalid" certificate, then by changing a couple 
>> code lines (if even), it can detect anything else about an attempted 
>> site visit. Of course this ability is ancient now, but less evil 
>> implementations of it merely censor by blocking, which is bad enough. 
>> Yours is "educational" - and it's interesting that /you/ put the 
>> quotes around that word yourself - for the purpose of taking up other 
>> people's time with propaganda.
>>
>> If it became common, it would become a mandatory advertising medium 
>> anytime anyone clicked on a competitor's site, or a site with bad 
>> reviews for your customer. If it became law, it would become a 
>> mandatory propaganda delivery system anytime anyone clicked on a site 
>> containing any kind of dissenting viewpoint.
>>
>> Are you hoping to create one of those conditions? If so, which?
>>
>> Because this sure looks like more than just wanting to manipulate 
>> lesser people into a system designed to reinforce your wishful 
>> feelings of superiority. There has to be a more compelling reason 
>> that you're this overly concerned about what 3rd parties do on 4th 
>> party systems.
>>
>> Which, btw, brings up the fact that your system is not equivalent to 
>> EULAs or logins or pay systems, because the connection provider has 
>> the right to set conditions for using their connection. Your spyware 
>> idea is to harass people who are using /other people's/ connections.
>>
>> I'm not an expert on web connection technology per se, but it seems 
>> that Tor would nicely wire around all SSL issues after the initial 
>> connection to the now-restricted hotspot. You certainly make a great 
>> case for using it, even if just on general principle. So what would 
>> you do about that?
>>
>> I don't think your grandmother wants you monitoring her activity. I 
>> don't think /anyone/ wants you monitoring their activity. But you 
>> seem to want to do it anyway. And no one but me is saying boo to you. :-(
>>
>> As to the trivia: I personally have never had trouble from visiting a 
>> site with an "invalid certificate" of any kind, because that stuff 
>> simply isn't 100% maintained. Obviously I am careful where I go and 
>> what I click and download anyway. I do not so easily ignore "known 
>> malware site" warnings, and if in doubt about a site I reflexively 
>> check the web address. MyBank.Phishing.com and Phishing.com/MyBank 
>> do not get clicks from me. But that's 
>> all beside the point.
>>
>>
>> On 3/20/2017 9:57 PM, Brien Dieterle wrote:
>>> On Mar 20, 2017 3:36 PM, "Vara La Fey" <varalafey at gmail.com> wrote:
>>>
>>>     OMG!!
>>>
>>>     First of all, you'd be mis-educating them if telling them that
>>>     certificate "validity" has any real meaning. (But now you're
>>>     talking about http.)
>>>
>>> I mean validity as in trusted roots that have been shipped with your 
>>> OS or browser. Surely you don't mean these are meaningless. AFAIK 
>>> they are very reliable as long as you never accept bogus certs.  If 
>>> you accept bogus certs "all the time", I really hope you know what 
>>> you're doing. Pretty much any important site should have working SSL.
>>>
>>> There is a reason why all the browsers freak out when you get a bad 
>>> cert, but users still click "add exception".  My captive education 
>>> portal would give real consequence to this with the 3 minute power 
>>> point slideshow and mandatory quiz.  I wonder if this is already 
>>> patented. . .
>>>
>>>
>>>     Second, why do you think you have any right to put speed bumps
>>>     in the way of people who are doing nothing to you?
>>>
>>> Plenty of businesses do this already for captive portals and forcing 
>>> users to log in, pay, or accept an EULA.  They are already tampering 
>>> with your SSL connection in order to redirect you to the portal. I'm 
>>> just suggesting to use this technology for "educational" purposes.
>>>
>>>
>>>     Third, if your grandmother needs internet "safety" education,
>>>     just educate her, or refuse to keep fixing the problems she
>>>     encounters in her ignorance - if she really is all that
>>>     ignorant. I hope you wouldn't install a browser re-direct
>>>     without her consent, because then you'd be just any other
>>>     malware propagator with just any other self-righteous
>>>     rationalization.
>>>
>>> Well, I'm lazy.  I'd much rather have an ongoing passive education 
>>> program for anyone that uses that router.  Maybe only 1 in 1000 
>>> requests trigger the "test", or once a month per mac address maybe.  
>>> If grandma fails the test I can get an email so I can call her up 
>>> and gently chastise her.  "Grandmaaaa, did you accept a bogus SSL 
>>> certificate again? Hmmm?"
>>>
>>> As far as consent goes, I'm only talking about routers you own or 
>>> have permission to modify.  That should go without saying.
>>>
>>>
>>>     Fourth, if /you/ need educational "speed bumps" on /your/
>>>     router, /you/ are free to have them. One of the great things
>>>     about freedom - from government or from meddling busybodies - is
>>>     that /you/ get to be free too.
>>>
>>> My post is in the context of businesses or individuals that provide 
>>> Internet to the public.  Presumably businesses and individuals have 
>>> the freedom to do this kind of SSL interception, since they've 
>>> already been doing it for years without any repercussions.  
>>> Personally I'm disturbed that businesses will try to get me to 
>>> accept their SSL cert for their Wi-Fi portal, but I know the 
>>> technology leaves little choice. One trick is to ignore the cert and 
>>> try again with a non-SSL address.
>>>
>>> It is pretty ironic that the first thing these captive portals ask 
>>> users to do is blindly accept a bogus SSL cert.  It is really just a 
>>> sad state of affairs that we are literally training people to accept 
>>> bad SSL certificates.
>>>
>>>     For years my Firefox has had an option to "always use HTTPS",
>>>     and I'm sure all other modern browsers do as well. Plus,
>>>     Mozilla.org has a free plugin - I think
>>>     it's from EFF.org - called "HTTPS Everywhere".
>>>     It's all very easy to use, and will be almost entirely
>>>     transparent to Grandma.
>>>
>>> This won't do anything to protect you/grandma from bogus ssl certs.  
>>> Imagine connecting to a bad AP at Starbucks that is proxying all 
>>> your SSL connections.  Your only defense is trusted roots and 
>>> knowing not to accept bogus SSL certs.  If only we had a captive 
>>> router-based SSL education program... ;)
>>>
>>>
>>>
>>>
>>>     On 3/20/2017 3:14 PM, Brien Dieterle wrote:
>>>>     A system like I described would just be an "educational tool"
>>>>     to encourage people to use HTTPS (properly).  It wouldn't stop
>>>>     you from accepting bogus certificates-- just a speed bump.  Now
>>>>     that I've thought about it I'd really like to install something
>>>>     like this on my grandparent's router. . .   heck, my own
>>>>     router. . .
>>>>
>>>>     On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey
>>>>     <varalafey at gmail.com> wrote:
>>>>
>>>>         Oh HELL no!! What kind of hall-monitor nanny mentality do
>>>>         you want people to adopt??
>>>>
>>>>         I accept "bogus" certificates all the time because the
>>>>         whole idea of certificates is crap in the first place -
>>>>         they are NOT maintained - and years ago I got tired of that
>>>>         procedure warning me about "invalid" certificates for sites
>>>>         that were perfectly valid.
>>>>
>>>>         I've never had a problem. Of course I'm also careful where
>>>>         I go, certificate or not.
>>>>
>>>>         - Vara
>>>>
>>>>
>>>>         On 3/20/2017 2:12 PM, Brien Dieterle wrote:
>>>>>         Maybe every commercial router should do SSL interception
>>>>>         by default.  If a user accepts a bogus certificate they
>>>>>         are taken to a page that thoroughly scolds them and
>>>>>         informs them about the huge mistake they made, forces them
>>>>>         to read a few slides and take a quiz on network safety
>>>>>         before allowing them on the Internet. Maybe do the same
>>>>>         for non-ssl HTTP traffic, etc.. .
>>>>>
>>>>>         On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham
>>>>>         <mhgraham at crow202.org <mailto:mhgraham at crow202.org>> wrote:
>>>>>
>>>>>                 On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner
>>>>>                 <vodhner at cox.net <mailto:vodhner at cox.net>> wrote:
>>>>>
>>>>>                     I’m really annoyed that so many companies
>>>>>                     offer open WIFI when it would be
>>>>>                     so easy to secure those hot spots.
>>>>>                     Restaurants, hotels, and the waiting
>>>>>                     rooms of auto dealerships are almost 100% open.
>>>>>
>>>>>             [snip]
>>>>>             On 2017-03-20 13:20, Stephen Partington wrote:
>>>>>
>>>>>                 This is usually done as a means to be easy for
>>>>>                 their customers.
>>>>>
>>>>>
>>>>>             Pretty much this. Convenience is more valuable than
>>>>>             security in most people's minds.
>>>>>
>>>>>                     they’d be happy to do the right thing if we
>>>>>                     could explain it to the right people.
>>>>>
>>>>>
>>>>>             I'm not sure this would happen. Setting up passwords
>>>>>             and then distributing those passwords has a non-zero
>>>>>             cost and offers zero visible benefits for most of the
>>>>>             people who are using the wireless networks.[0] And as
>>>>>             another poster said, what about football/baseball
>>>>>             stadiums? Distributing passwords to tens of thousands
>>>>>             of people is sort of difficult. "Just watching the
>>>>>             game" is not an option; people want to FaceTweet
>>>>>             pictures of themselves at the game.
>>>>>
>>>>>             OTOH, the last time I looked at the access points
>>>>>             visible from my living room, almost all of them had
>>>>>             some sort of access control enabled. Maybe there's a
>>>>>             social convention forming that "my access point" ~=
>>>>>             "my back yard" and "open access point" ~= "a public park"?
>>>>>
>>>>>             [0] Having a more educated user population would make
>>>>>             the benefits more visible, but it's very difficult to
>>>>>             make people care about these things.
>>>>>
>>>>>             -- 
>>>>>             Crow202 Blog: http://crow202.org/wordpress
>>>>>             There is no Darkness in Eternity
>>>>>             But only Light too dim for us to see.
>>>>>
>>>>>             ---------------------------------------------------
>>>>>             PLUG-discuss mailing list -
>>>>>             PLUG-discuss at lists.phxlinux.org
>>>>>             <mailto:PLUG-discuss at lists.phxlinux.org>
>>>>>             To subscribe, unsubscribe, or to change your mail
>>>>>             settings:
>>>>>             http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>             <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>