Comment by bnjms

13 hours ago

This is exactly the reverse of the right idea. If parents need to censor things the solutions are the same as corpos are going to. Put the censors at the device or “mitm” the connection, either actually with a proxy, or maybe with a browser and curated apps - which is again on the device.

This brings us back to "sure you can use my guest wifi, just install my root CA/enroll in MDM".

I do agree though that it should be illegal for device manufacturers or application developers to use encryption that the device owner cannot MitM. The owner should always be able to install their own CA and all applications should be required to respect it.

  • Why would you want to censor based on network? You don't want to censor based on network, you want to censor based on device. If your 8yo kid is blocked from pornhub, that doesn't mean everyone on your network is blocked from pornhub, and you having the ability to even know if someone on your network is browsing pornhub is a security risk.

    • Because consumer devices are barely if at all capable of even setting policy, are basically incapable of enforcing it, and are generally adversarial. It's also easy to apply different policies to different clients at the network level.