First you were talking about open hotspots. Then you were talking about
https. Now you are talking about ssl.
But all the while you're still just talking about monitoring and
restricting the activity of 3rd parties on 4th party systems. And it
seems really important to you for some reason.
Please, waste time and effort and money patenting your /spyware
/chaperone system that monitors web activity with the intent of
/creating consequences /for activity which you - or your intended
customer - opines is "invalid". I doubt very many people will buy into
it because there is no upside for them. Even when they alter it to fit
their own agenda, they just anger their customers who can click OK for
EULAs and enter logins, but cannot bypass your 3 Minute Hate.
If it can detect an "invalid" certificate, then by changing a couple
code lines (if even), it can detect anything else about an attempted
site visit. Of course this ability is ancient now, but less evil
implementations of it merely censor by blocking, which is bad enough.
Yours is "educational" - and it's interesting that /you /put the quotes
around that word yourself - for the purpose of taking up other people's
time with propaganda.
If it became common, it would become a mandatory advertising medium
anytime anyone clicked on a competitor's site, or a site with bad
reviews for your customer. If it became law, it would become a mandatory
propaganda delivery system anytime anyone clicked on a site containing
any kind of dissenting viewpoint.
Are you hoping to create one of those conditions? If so, which?
Because this sure looks like more than just wanting to manipulate lesser
people into a system designed to reinforce your wishful feelings of
superiority. There has to be a more compelling reason that you're this
overly concerned about what 3rd parties do on 4th party systems.
Which, btw, brings up the fact that your system is not equivalent to
EULAs or logins or pay systems, because the connection provider has the
right to set conditions for using their connection. Your spyware idea is
to harass people who are using /other people's/ connections.
I'm not an expert on web connection technology per se, but it seems that
Tor would nicely wire around all SSL issues after the initial connection
to the now-restricted hotspot. You certainly make a great case for using
it, even if just on general principle. So what would you do about that?
I don't think your grandmother wants you monitoring her activity. I
don't think /anyone /wants you monitoring their activity. But you seem
to want to do it anyway. And no one but me is saying boo to you. :-(
As to the trivia: I personally have never had trouble from visiting a
site with an "invalid certificate" of any kind, because that stuff
simply isn't 100% maintained. Obviously I am careful where I go and what
I click and download anyway. I do not so easily ignore "known malware
site" warnings, and if in doubt about a site I reflexively check the web
address. MyBank.Phishing.com and Phishing.com/MyBank do not get clicks
from me. But that's all beside the point.
On 3/20/2017 9:57 PM, Brien Dieterle wrote:
On Mar 20, 2017 3:36 PM, "Vara La Fey" <[email protected]
<mailto:[email protected]>> wrote:
OMG!!
First of all, you'd be mis-educating them if telling them that
certificate "validity" has any real meaning. (But now you're
talking about http.)
I mean validity as in trusted roots that have been shipped with your
OS or browser. Surely you don't mean these are meaningless. AFAIK
they are very reliable as long as you never accept bogus certs. If
you accept bogus certs "all the time", I really hope you know what
you're doing. Pretty much any important site should have working SSL.
There is a reason why all the browsers freak out when you get a bad
cert, but users still click "add exception". My captive education
portal would give real consequence to this with the 3 minute power
point slideshow and mandatory quiz. I wonder if this is already
patented. . .
Second, why do you think you have any right to put speed bumps in
the way of people who are doing nothing to you?
Plenty of businesses do this already for captive portals and forcing
users to log in, pay, or accept an EULA. They are already tampering
with your SSL connection in order to redirect you to the portal. I'm
just suggesting to use this technology for "educational" purposes.
Third, if your grandmother needs internet "safety" education, just
educate her, or refuse to keep fixing the problems she encounters
in her ignorance - if she really is all that ignorant. I hope you
wouldn't install a browser re-direct without her consent, because
then you'd be just any other malware propagator with just any
other self-righteous rationalization.
Well, I'm lazy. I'd much rather have an ongoing passive education
program for anyone that uses that router. Maybe only 1 in 1000
requests trigger the "test", or once a month per mac address maybe.
If grandma fails the test I can get an email so I can call her up and
gently chastise her. "Grandmaaaa, did you accept a bogus SSL
certificate again? Hmmm?"
As far as consent goes, I'm only talking about routers you own or have
permission to modify. That should go without saying.
Fourth, if /you /need educational "speed bumps" on /your /router,
/you /are free to have them. One of the great things about freedom
- from government or from meddling busybodies - is that /you /get
to be free too.
My post is in the context of businesses or individuals that provide
Internet to the public. Presumably businesses and individuals have
the freedom to do this kind of SSL interception, since they've already
been doing it for years without any repercussions. Personally I'm
disturbed that businesses will try to get me to accept their SSL cert
for their Wi-Fi portal, but I know the technology leaves little
choice. One trick is to ignore the cert and try again with a non SSL
address.
It is pretty ironic that the first thing these captive portals ask
users to do is blindly accept a bogus SSL cert. It is really just a
sad state of affairs that we are literally training people to accept
bad SSL certificates.
For years my Firefox has had an option to "always use HTTPS", and
I'm sure all other modern browsers do as well. Plus, Mozilla.org
has a free plugin - I think it's from EFF.org - called "HTTPS
Everywhere". It's all very easy to use, and will be almost
entirely transparent to Grandma.
This won't do anything to protect you/grandma from bogus ssl certs.
Imagine connecting to a bad AP at Starbucks that is proxying all your
SSL connections. Your only defense is trusted roots and knowing not
to accept bogus SSL certs. If only we had a captive router-based SSL
education program... ;)
On 3/20/2017 3:14 PM, Brien Dieterle wrote:
A system like I described would just be an "educational tool" to
encourage people to use HTTPS (properly). It wouldn't stop you
from accepting bogus certificates-- just a speed bump. Now that
I've thought about it I'd really like to install something like
this on my grandparent's router. . . heck, my own router. . .
On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey <[email protected]
<mailto:[email protected]>> wrote:
Oh HELL no!! What kind of hall-monitor nanny mentality do you
want people to adopt??
I accept "bogus" certificates all the time because the whole
idea of certificates is crap in the first place - they are
NOT maintained - and years ago I got tired of that procedure
warning me about "invalid" certificates for sites that were
perfectly valid.
I've never had a problem. Of course I'm also careful where I
go, certificate or not.
- Vara
On 3/20/2017 2:12 PM, Brien Dieterle wrote:
Maybe every commercial router should do SSL interception by
default. If a user accepts a bogus certificate they are
taken to a page that thoroughly scolds them and informs them
about the huge mistake they made, forces them to read a few
slides and take a quiz on network safety before allowing
them on the Internet. Maybe do the same for non-ssl HTTP
traffic, etc.. .
On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham
<[email protected] <mailto:[email protected]>> wrote:
On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner
<[email protected] <mailto:[email protected]>> wrote:
I’m really annoyed that so many companies offer
open WIFI when it would be
so easy to secure those hot spots. Restaurants,
hotels, and the waiting
rooms of auto dealerships are almost 100% open.
[snip]
On 2017-03-20 13:20, Stephen Partington wrote:
This is usually done as a means to be easy for their
customers.
Pretty much this. Convenience is more valuable than
security in most people's minds.
they’d be happy to do the right thing if we
could explain it to the right people.
I'm not sure this would happen. Setting up passwords
and then distributing those passwords has a non-zero
cost and offers zero visible benefits for most of the
people who are using the wireless networks.[0] And as
another poster said, what about football/baseball
stadiums? Distributing passwords to tens of thousands
of people is sort of difficult. "Just watching the
game" is not an option; people want to FaceTweet
pictures of themselves at the game.
OTOH, the last time I looked at the access points
visible from my living room, almost all of them had some
sort of access control enabled. Maybe there's a social
convention forming that "my access point" ~= "my back
yard" and "open access point" ~= "a public park"?
[0] Having a more educated user population would make
the benefits more visible, but it's very difficult to
make people care about these things.
--
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.
---------------------------------------------------
PLUG-discuss mailing list -
[email protected]
<mailto:[email protected]>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
---------------------------------------------------
PLUG-discuss mailing list [email protected]
<mailto:[email protected]>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
<mailto:[email protected]> To subscribe,
unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
---------------------------------------------------
PLUG-discuss mailing list [email protected]
<mailto:[email protected]>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
--------------------------------------------------- PLUG-discuss
mailing list - [email protected]
<mailto:[email protected]> To subscribe,
unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
