So as I've mentioned elsewhere, that depends on how much of a stickler we insist on being.
If we're ok with "mostly fix it but if a few teenagers get through it's not the end of the world," then there are a few simple measures that could help a lot:
- Keep an eye out for any credentials posted online, and put those on the revocation list.
- Keep expirations short (and auto-renew).
- Keep the credentials in phone secure enclaves and USB hardware "wallets."
- Consider including private information like name/dob/ssn or credit card number in the credentials, so users have good reason not to share. (We could consider making USB hardware optional if we do this.)
Given secure hardware it might be possible to prevent proxies entirely, the same way we prevent other MITM attacks.
Failing that, we could start by making it illegal to run proxies. Installing a proxy on your phone would mean getting an app from a criminal, not checked by an app store, and giving the criminal a way to pay you. I wouldn't expect this to happen much. Installing on a computer, using a VPN, taking payment via anonymous cryptocurrency, sure, if the VPN isn't compromised. But I wouldn't expect all that many people to do all this. Generating the proofs is a bit expensive so you wouldn't have huge capacity per person.
Criminals in foreign countries could do it with stolen credentials, and they'd only need one. But our teenagers would have to pay a foreign company for the service, and for porn at least they could just pay a foreign porn site directly. For phones, the teenager would have to install an app to use the proxy, which is another dodgy untrusted app (on Android, and not possible at all on iPhone), and it's easier for parents to check what apps are on the phone than to check what websites the kid visits. And social media gets less appealing if a lot of your friends aren't on it.
If we want to lock things down harder we could go with criminal penalties for intentionally sharing your credentials, which I do not support, but would still be better than pervasive surveillance of everything we do online.
Requiring everyone to have secure cryptographic hardware would in one sense be annoying, but less so if we use it for other things too.
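The first three measures in the list above (revoke credentials seen posted online, keep expirations short, auto-renew) come down to one verifier routine: check integrity, check expiry, check the revocation list. The block below is an added example written for this thread, not code from any commenter or from a real age-verification system. It assumes a constructed issuer key, a constructed credential id, and uses an HMAC as a stand-in for the signature or zero-knowledge proof a real scheme would use, so that it runs on the Python standard library alone.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key shared by issuer and verifier. A real deployment would use a
# public-key signature (or a zero-knowledge proof) so verifiers cannot mint
# credentials; HMAC is a stand-in so the example runs on the standard library.
ISSUER_KEY = b"constructed-demo-issuer-key"
TTL_SECONDS = 3600  # short lifetime; the holder's device auto-renews before expiry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue(credential_id: str, issued_at: int, key: bytes = ISSUER_KEY, ttl: int = TTL_SECONDS) -> str:
    """Issuer side: sign a payload carrying an id and a short expiry."""
    payload = {"id": credential_id, "iat": issued_at, "exp": issued_at + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify(token: str, now: int, revoked: set, key: bytes = ISSUER_KEY) -> tuple:
    """Verifier side: integrity first, then expiry, then the revocation list."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return (False, "malformed")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return (False, "bad_signature")
    payload = json.loads(body)
    if now >= payload["exp"]:
        return (False, "expired")
    if payload["id"] in revoked:
        return (False, "revoked")
    return (True, "ok")


def demo() -> dict:
    """Walk one constructed credential through the outcomes the post describes."""
    issued_at = 1_700_000_000  # constructed timestamp
    token = issue("cred-0001", issued_at)
    revoked = set()
    results = {"fresh": verify(token, issued_at + 60, revoked)}
    # credential spotted posted online -> its id goes on the revocation list
    revoked.add("cred-0001")
    results["after_revocation"] = verify(token, issued_at + 60, revoked)
    # even with no revocation, a copied credential dies at its short expiry
    results["after_expiry"] = verify(token, issued_at + TTL_SECONDS, set())
    # a payload with a stretched expiry fails the integrity check before anything else is consulted
    forged_payload = {"id": "cred-0001", "iat": issued_at, "exp": issued_at + 10**9}
    forged_body = _b64(json.dumps(forged_payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    results["tampered"] = verify(forged_body + "." + token.split(".")[1], issued_at + 60, set())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

One caveat the example makes visible: revocation keyed on a per-credential id means every verifier learns a stable identifier, so presentations become linkable across sites. That is the anonymity-versus-accountability tension argued over in the rest of this thread; an anonymous design would need a privacy-preserving revocation mechanism rather than a plain id lookup.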
> So as I've mentioned elsewhere, that depends on how much of a stickler we insist on being.
This is an argument about a crypto algorithm. If you somehow fix the mathematical problems I'll start checking how it behaves under DDoS conditions and you best have a good answer. And I'm an amateur. With your attitude, I'd strongly advise against mailing the OpenBSD lists.
> Criminals in foreign countries could do it with stolen credentials, and they'd only need one. But our teenagers would have to pay a foreign company for the service, and ...
Indeed. You see the problem.
So now you're moving to making the system insecure (and obviously insecure). That was also not acceptable ...
You can have the system be:
* anonymous, but guaranteed to be insecure
* secure (or at least, as long as you get to use the police to go after "criminals"), but not anonymous
> If we want to lock things down harder we could go with criminal penalties for intentionally sharing your credentials, which I do not support, but would still be better than pervasive surveillance of everything we do online.
The only way to do this would be regular and surprise offline inspections of every device. Aside from being extremely impractical to do, it would also be much worse than online surveillance.
I'm not sure what my "attitude" is but I'm being pragmatic. This is not a binary situation, where it's either perfectly secure or useless. If our society is not willing to do what you and I prefer and leave things entirely open, then perhaps it's good enough to make things more difficult for teens to access, rather than accept pervasive surveillance to make it impossible. If people think it will improve society enough if most teens stay off certain sites, then we can do that and maintain anonymity.
I'll note that you skipped over my point that even with a "perfect" system, teens could still pay foreign porn sites etc. directly. And that using a proxy would require installing an untrusted app on the phone, which would be relatively easy for parents to monitor and could be prevented entirely on iPhone. And that we can probably fix proxies with secure hardware anyway.
And no, the police idea that I do not support would not require surprise inspections. It just requires careless teenagers to occasionally reveal their identities online, with enough evidence to convince a judge to issue a warrant. It's dumb to make a federal case out of this, but not as dumb as losing all privacy and anonymity online. And, as I mentioned, this is not something actually required to make the idea workable.
I'm not going to keep repeating myself so I think I'm done here unless you have a point I haven't addressed in previous comments.