Comment Re:Full Disclosure (Score 1) 171

Correct, specific plans exist for various scenarios. Concerning the web-of-trust, there are some inherent problems without a unifying institutional body. See, security has some clear rules which are easier to enforce in a corporate environment. Especially if you work at StartCom ;-)

And yes, I heard about "Perspectives", so it might currently have a single-point-of-failure problem. Personally I don't believe that it should provide a means for self-signed certificates. It might however provide a good additional layer to existing efforts.

Comment Re:Full Disclosure (Score 1) 171

I'm quite pleased to receive a A- :-)

The reason for not disclosing anything before is perhaps quite easy to understand. Minor events are logged in the ongoing events logs and no further actions are required. Events of the magnitude of issuing a certificate wrongfully due to a bug, and which require modifications to the systems, require detailed reporting (as seen in the "critical event report"). Those reports were reviewed in time by relevant parties and will be presented to the auditors during auditing. A major event like a CA key compromise (we don't sign directly from the root) would have to be made public and handled according to the "disaster recovery guidelines". In such an event, all software vendors, subscribers and the general public must be informed immediately.

The event which happened recently wasn't a major event, but obviously important enough to act accordingly and issue the critical event report. It is important to note that no third party could have relied on it and taken damage. Therefore the resolution was appropriate. The disclosure was done in order to prevent any rumors and false accusations about what did and did not happen (once it was published by Mike).

Comment Re:Lemons. (Score 1) 4

According to the work done over at Mozilla, this shouldn't happen. The Mozilla CA Policy clearly requires domain control validation. Being part of the team which reviews CAs myself, I must say that there is a failure. It's unfortunate, because domain validated certificates do have a value and are excellent for protecting low-value sites like blogs, portals, webmail etc. But the practice disclosed in the article is certainly not going to work!
Security

Submission + - Disclosure: No-check SSL Certificates... (startcom.org) 4

StartCom writes: "In a previous article I reported about Man-In-The-Middle (MITM) attacks and if they really happen. Unfortunately it does happen as some testimonials confirm. Now it's even easier because in the attack described previously, untrusted certificates from an unknown issuer were used. Want to make the attack perfect with no error and fully trusted certificate? No problem, just head over to one of Comodo's resellers.

And here is the disclosure: In order to confirm for yourself, edit the hosts file at your computer and add the following entry:"

Security

Submission + - Another Mozilla security hole! (startcom.org)

Eddy Nigg writes: "After Mozilla had a hard time fixing the Password Manager bug, which exposed user passwords willingly and without the user's consent to different sites, it seems that there is yet another controversial security problem surfacing: Just imagine you enter a protected web site without even knowing that you did. More than that, you also just supplied some personal details about yourself to the site. For example your name, which country you are from and which city you live in. And from now on they are tracking you wherever you go..."
Novell

Submission + - Is Oracle a Patent FUD-Fighter to Be? (boycottnovell.com)

Boycott Novell writes: Here is how it goes.

Now with the SCO vs. Novell case coming to a close and with the continued threats spewed by Microsoft about patent violations against the Linux community after the Novell deal, I'm left wondering if it can be that Red Hat and its partners got wind of the emerging deal between Novell and Microsoft, which after all took months to accomplish. Can it be that Oracle scrambled to Red Hat's help by producing effectively the same product? Because if Microsoft would sue Red Hat, they would also be suing Oracle, which distributes the very same product!? Or at least Oracle would have good reasons to defend Red Hat. Was this a warning sign to Microsoft? At least it would explain why the database giant started its own RHEL clone.

Patents

Submission + - The Oracle Anti Patent-Threat Conspiracy (startcom.org)

Eddy Nigg writes: "At about the same time as the friendship announcement by Novell and Microsoft, Oracle announced its Unbreakable Linux, a distribution built from Red Hat source code. This move was no less surprising to the Linux folks and left many scratching their heads. It seemed that there was a longstanding partnership between these two companies and somehow it didn't make sense that Oracle wanted to compete with Red Hat — by using the source code distributed by Red Hat of all things.

Now with the SCO vs. Novell case coming to a close and with the continued threats spewed by Microsoft about patent violations against the Linux community after the Novell deal, I'm left wondering if it can be that Red Hat and its partners got wind of the emerging deal between Novell and Microsoft? Can it be that Oracle scrambled to Red Hat's help by producing effectively the same product?"

Mozilla

Submission + - Community reports back! (startcom.org)

StartCom writes: "This report was compiled from hundreds of comments, ideas and suggestions made to various web blogs, wikis and mailing lists, due to the recent email call to action by Mitchell Baker. It aims to provide an overview of the information we found important, ordered by feasibility and relevance, with possible suggestions for a future road map and plan for the Thunderbird mail application and possible revenue schemes and targets. It takes into account current limitations such as a limited team of lead developers (2) and the current focus and attention of MoCo on the Firefox browser. The report is intended to be helpful in the decision-making process of an eventual organizational change and defining the future of Thunderbird."
Mozilla

Submission + - Bird has wings, but can it fly? (startcom.org)

Eddy Nigg writes: "Yesterday I came across Mitchell Baker's* strange announcement at her personal web log, that somehow Thunderbird must be separated from the Mozilla corporation. The article was cleverly packaged with an interesting looking title and introduction, but after reading on I was surprised to see the objectives offered — to let Thunderbird determine its own destiny! A special concern seems to be the revenue model of Thunderbird, which unlike its bigger brother (Firefox) doesn't exist. Firefox is earning millions from Google search hits, something which Thunderbird doesn't offer currently. So Mitchell invites us all to provide ideas on how Mozilla can earn from Thunderbird by stating: "If it turns out Thunderbird generates a revenue model from the product as Firefox does, then a Thunderbird foundation could follow the Mozilla Foundation model and create a subsidiary."

But here is my suggestion back to her: "If Mozilla commits and provides the resources in money and development time, Thunderbird could follow the Mozilla Foundation model and create a subsidiary". Because Thunderbird has wings, but it can't fly on its own yet!"

Software

Submission + - Open Source is about Trust (startcom.org)

Eddy Nigg writes: "...or more correctly, it's also about trust, since open source has other aspects such as the freedom and rights to use, study, copy, modify, and redistribute computer programs as defined by the Free Software Foundation (FSF). And free software is a matter of liberty, not price. Yeah, they get it right!

So many times, free software is associated with free as in beer, meaning you don't have to pay for it; however, open source is much more than that. But what the heck is open source if not free software, and what does this have to do with trust?"

Security

Submission + - More secure future at OpenID? (startcom.org)

StartCom writes: "Is there a more secure future at OpenID? Two additional policy extensions have made their way (as drafts) into the OpenID standard: the former allows an RP to require certain security standards such as SSL/TLS encryption and enrollment properties (verification of the identity), the latter provides a standard for a certain authentication requirement, such as digital certificates, smart cards, hardware tokens and OTP devices. I see with these two extensions that OpenID is going in the right direction, though there is still no agreed standards body for IdPs, and the verifications performed by the IdP are something which has to be strengthened further."
