Re: OT: Need a Campaign to Secure WIFI Sites

[Vara La Fey]

I'm all for education. I'm a trans-girl, and believe me, I would like to 
educate people a little about us. But I wouldn't take it upon myself to 
intrude on their time for a 3 Minute Love unless they're trying to hurt 
someone.

I don't want people semi-forcing content on me. And the desired 
"campaign" is exactly that. It's sad that everyone here who comments 
keeps asserting the "safety" benefits, without a care in the world about 
the sheer intrusiveness and the obvious socio-political abuses of 
systems like that becoming commonplace. Which hopefully they won't.

I don't need a VPN and have never set one up, but I don't doubt the 
security of a VPN/Tor combination. And if you are really afraid of 
snoops and spooks, encrypt all your text traffic with large PGP keys. 
But I rarely use Tor because it's horribly slow, and PGP because it's an 
extra few steps. But they are always there for those special occasions.  :-)

- Vara


On 3/23/2017 3:16 PM, Eric Oyen wrote:
well, if you don't want to deal with bad certs, redirected https,etc, 
you can either not use that router/service or get a VPN and secure all 
your traffic. And yes, I will not use paywall systems of any kind, 
they have no business knowing what my credentials are.

Lastly, if I want real security, a combo of VPN and TOR cannot be 
beat. I use private internet access for the VPN and also have a TOR 
node setup here. the TOR node will not be connected until after the 
VPN comes up. why let my ISP know I am running a TOR node here at 
home? The only issue I have with this is that my search engine queries 
don't work right (mostly, I get blocked and asked to solve a captcha, 
which is not doable for the blind most times)
Anyway, do what you must, but education should be the first item on 
the list when it comes to net security.

-eric
from the central office of the Technomage Guild, Security applications 
dept.

On Mar 23, 2017, at 2:50 PM, Vara La Fey wrote:

First you were talking about open hotspots. Then you were talking 
about https. Now you are talking about ssl.

But all the while you're still just talking about monitoring and 
restricting the activity of 3rd parties on 4th party systems. And it 
seems really important to you for some reason.

Please, waste time and effort and money patenting your /spyware 
/chaperone system that monitors web activity with the intent of 
/creating consequences /for activity which you - or your intended 
customer - opines is "invalid". I doubt very many people will buy 
into it because there is no upside for them. Even when they alter it 
to fit their own agenda, they just anger their customers who can 
click OK for EULAs and enter logins, but cannot bypass your 3 Minute 
Hate.

If it can detect an "invalid" certificate, then by changing a couple 
code lines (if even), it can detect anything else about an attempted 
site visit. Of course this ability is ancient now, but less evil 
implementations of it merely censor by blocking, which is bad enough. 
Yours is "educational" - and it's interesting that /you /put the 
quotes around that word yourself - for the purpose of taking up other 
people's time with propaganda.

If it became common, it would become a mandatory advertising medium 
anytime anyone clicked on a competitor's site, or a site with bad 
reviews for your customer. If it became law, it would become a 
mandatory propaganda delivery system anytime anyone clicked on a site 
containing any kind of dissenting viewpoint.

Are you hoping to create one of those conditions? If so, which?

Because this sure looks like more than just wanting to manipulate 
lesser people into a system designed to reinforce your wishful 
feelings of superiority. There has to be a more compelling reason 
that you're this overly concerned about what 3rd parties do on 4th 
party systems.

Which, btw, brings up the fact that your system is not equivalent to 
EULAs or logins or pay systems, because the connection provider has 
the right to set conditions for using their connection. Your spyware 
idea is to harass people who are using /other people's/ connections.

I'm not an expert on web connection technology per se, but it seems 
that Tor would nicely wire around all SSL issues after the initial 
connection to the now-restricted hotspot. You certainly make a great 
case for using it, even if just on general principle. So what would 
you do about that?

I don't think your grandmother wants you monitoring her activity. I 
don't think /anyone /wants you monitoring their activity. But you 
seem to want to do it anyway. And no one but me is saying boo to you. :-(

As to the trivia: I personally have never had trouble from visiting a 
site with an "invalid certificate" of any kind, because that stuff 
simply isn't 100% maintained. Obviously I am careful where I go and 
what I click and download anyway. I do not so easily ignore "known 
malware site" warnings, and if in doubt about a site I reflexively 
check the web address. MyBank.Phishing.com 
<http://MyBank.Phishing.com> and Phishing.com/MyBank 
<http://Phishing.com/MyBank> do not get clicks from me. But that's 
all beside the point.


On 3/20/2017 9:57 PM, Brien Dieterle wrote:
On Mar 20, 2017 3:36 PM, "Vara La Fey" <varala...@gmail.com 
<mailto:varala...@gmail.com>> wrote:

    OMG!!

    First of all, you'd be mis-educating them if telling them that
    certificate "validity" has any real meaning. (But now you're
    talking about http.)

I mean validity as in trusted roots that have been shipped with your 
OS or browser. Surely you don't mean these are meaningless. AFAIK 
they are very reliable as long as you never accept bogus certs.  If 
you accept bogus certs "all the time", I really hope you know what 
you're doing. Pretty much any important site should have working SSL.

There is a reason why all the browsers freak out when you get a bad 
cert, but users still click "add exception".  My captive education 
portal would give real consequence to this with the 3 minute power 
point slideshow and mandatory quiz.  I wonder if this is already 
patented. . .


    Second, why do you think you have any right to put speed bumps
    in the way of people who are doing nothing to you?

Plenty of businesses do this already for captive portals and forcing 
users to log in, pay, or accept an EULA.  They are already tampering 
with your SSL connection in order to redirect you to the portal. I'm 
just suggesting to use this technology for "educational" purposes.


    Third, if your grandmother needs internet "safety" education,
    just educate her, or refuse to keep fixing the problems she
    encounters in her ignorance - if she really is all that
    ignorant. I hope you wouldn't install a browser re-direct
    without her consent, because then you'd be just any other
    malware propagator with just any other self-righteous
    rationalization.

Well, I'm lazy.  I'd much rather have an ongoing passive education 
program for anyone that uses that router.  Maybe only 1 in 1000 
requests trigger the "test", or once a month per mac address maybe.  
If grandma fails the test I can get an email so I can call her up 
and gently chastise her.  "Grandmaaaa, did you accept a bogus SSL 
certificate again? Hmmm?"

As far as consent goes, I'm only talking about routers you own or 
have permission to modify.  That should go without saying.


    Fourth, if /you /need educational "speed bumps" on /your
    /router, /you /are free to have them. One of the great things
    about freedom - from government or from meddling busybodies - is
    that /you /get to be free too.

My post is in the context of businesses or individuals that provide 
Internet to the public.  Presumably businesses and individuals have 
the freedom to do this kind of SSL interception, since they've 
already been doing it for years without any repercussions.  
Personally I'm disturbed that businesses will try to get me to 
accept their SSL cert for their Wi-Fi portal, but I know the 
technology leaves little choice. One trick is to ignore the cert and 
try again with a non SSL address.

It is pretty ironic that the first thing these captive portals ask 
users to do is blindly accept a bogus SSL cert.  It is really just a 
sad state of affairs that we are literally training people to accept 
bad SSL certificates.

    For years my Firefox has had an option to "always use HTTPS",
    and I'm sure all other modern browsers do as well. Plus,
    Mozilla.org <http://Mozilla.org> has a free plugin - I think
    it's from EFF.org <http://EFF.org> - called "HTTPS Everywhere".
    It's all very easy to use, and will be almost entirely
    transparent to Grandma.

This won't do anything to protect you/grandma from bogus ssl certs.  
Imagine connecting to a bad AP at Starbucks that is proxying all 
your SSL connections.  Your only defense is trusted roots and 
knowing not to accept bogus SSL certs.  If only we had a captive 
router-based SSL education program... ;)




    On 3/20/2017 3:14 PM, Brien Dieterle wrote:
    A system like I described would just be an "educational tool"
    to encourage people to use HTTPS (properly).  It wouldn't stop
    you from accepting bogus certificates-- just a speed bump.  Now
    that I've thought about it I'd really like to install something
    like this on my grandparent's router. . .   heck, my own
    router. . .

    On Mon, Mar 20, 2017 at 2:50 PM, Vara La Fey
    <varala...@gmail.com <mailto:varala...@gmail.com>> wrote:

        Oh HELL no!! What kind of hall-monitor nanny mentality do
        you want people to adopt??

        I accept "bogus" certificates all the time because the
        whole idea of certificates is crap in the first place -
        they are NOT maintained - and years ago I got tired of that
        procedure warning me about "invalid" certificates for sites
        that were perfectly valid.

        I've never had a problem. Of course I'm also careful where
        I go, certificate or not.

        - Vara


        On 3/20/2017 2:12 PM, Brien Dieterle wrote:
        Maybe every commercial router should do SSL interception
        by default.  If a user accepts a bogus certificate they
        are taken to a page that thoroughly scolds them and
        informs them about the huge mistake they made, forces them
        to read a few slides and take a quiz on network safety
        before allowing them on the Internet. Maybe do the same
        for non-ssl HTTP traffic, etc.. .

        On Mon, Mar 20, 2017 at 1:55 PM, Matt Graham
        <mhgra...@crow202.org <mailto:mhgra...@crow202.org>> wrote:

                On Mon, Mar 20, 2017 at 12:29 PM, Victor Odhner
                <vodh...@cox.net <mailto:vodh...@cox.net>> wrote:

                    I’m really annoyed that so many companies
                    offer open WIFI when it would be
                    so easy to secure those hot spots.
                    Restaurants, hotels, and the waiting
                    rooms of auto dealerships are almost 100% open.

            [snip]
            On 2017-03-20 13:20, Stephen Partington wrote:

                This is usually done as a means to be easy for
                their customers.


            Pretty much this. Convenience is more valuable than
            security in most people's minds.

                    they’d be happy to do the right thing if we
                    could explain it to the right people.


            I'm not sure this would happen. Setting up passwords
            and then distributing those passwords has a non-zero
            cost and offers zero visible benefits for most of the
            people who are using the wireless networks.[0] And as
            another poster said, what about football/baseball
            stadiums? Distributing passwords to tens of thousands
            of people is sort of difficult. "Just watching the
            game" is not an option; people want to FaceTweet
            pictures of themselves at the game.

            OTOH, the last time I looked at the access points
            visible from my living room, almost all of them had
            some sort of access control enabled. Maybe there's a
            social convention forming that "my access point" ~=
            "my back yard" and "open access point" ~= "a public park"?

            [0] Having a more educated user population would make
            the benefits more visible, but it's very difficult to
            make people care about these things.

            -- 
            Crow202 Blog: http://crow202.org/wordpress
            There is no Darkness in Eternity
            But only Light too dim for us to see.

            ---------------------------------------------------
            PLUG-discuss mailing list -
            PLUG-discuss@lists.phxlinux.org
            <mailto:PLUG-discuss@lists.phxlinux.org>
            To subscribe, unsubscribe, or to change your mail
            settings:
            http://lists.phxlinux.org/mailman/listinfo/plug-discuss
            <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>




        ---------------------------------------------------
        PLUG-discuss mailing list -PLUG-discuss@lists.phxlinux.org
        <mailto:PLUG-discuss@lists.phxlinux.org>
        To subscribe, unsubscribe, or to change your mail settings:
        http://lists.phxlinux.org/mailman/listinfo/plug-discuss
        <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
        ---------------------------------------------------
        PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
        <mailto:PLUG-discuss@lists.phxlinux.org> To subscribe,
        unsubscribe, or to change your mail settings:
        http://lists.phxlinux.org/mailman/listinfo/plug-discuss
        <http://lists.phxlinux.org/mailman/listinfo/plug-discuss> 

    ---------------------------------------------------
    PLUG-discuss mailing list -PLUG-discuss@lists.phxlinux.org
    <mailto:PLUG-discuss@lists.phxlinux.org>
    To subscribe, unsubscribe, or to change your mail settings:
    http://lists.phxlinux.org/mailman/listinfo/plug-discuss
    <http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
    --------------------------------------------------- PLUG-discuss
    mailing list - PLUG-discuss@lists.phxlinux.org
    <mailto:PLUG-discuss@lists.phxlinux.org> To subscribe,
    unsubscribe, or to change your mail settings:
    http://lists.phxlinux.org/mailman/listinfo/plug-discuss
    <http://lists.phxlinux.org/mailman/listinfo/plug-discuss> 

---------------------------------------------------
PLUG-discuss mailing list -PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--------------------------------------------------- PLUG-discuss 
mailing list - PLUG-discuss@lists.phxlinux.org 
<mailto:PLUG-discuss@lists.phxlinux.org> To subscribe, unsubscribe, 
or to change your mail settings: 
http://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss