
Comment: Re:Honest question here (Score 1) 148

by heypete (#49156363) Attached to: Google Taking Over New TLDs

If I were an entity that had its own TLD, say .ebh, it would be nice if people could get to my site with the minimalist URL http://ebh. Is there any way to disambiguate a TLD from a nonqualified host name to make that possible?

Sure. Just end the address with a dot, which identifies the name in the URL as being absolute.

For example, http://ai./ is a site in Anguilla that uses the TLD as its own name. However, if you leave out the dot it doesn't work -- this is a bit of a pain and most TLDs won't let anyone use the TLD itself as a name.
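As an added illustration (not part of the comment above), here is how a stub resolver decides whether a typed name is absolute, following the usual resolv.conf rules: a trailing dot makes the name fully qualified and skips the search list entirely; a name with fewer than `ndots` dots has the search domains appended first and is tried bare last. The search list and `ndots` value below are constructed for the demonstration.

```python
# Added example, not code from the original post. Models the search-list
# expansion a libc stub resolver applies to a name typed by a user.
from urllib.parse import urlsplit


def is_absolute(name: str) -> bool:
    """A name ending in '.' is a fully qualified domain name (RFC 1034)."""
    return name.endswith(".")


def query_candidates(name: str, search: list[str], ndots: int = 1) -> list[str]:
    """Return the FQDNs (with trailing dot) a resolver would try, in order.

    - absolute name:            tried exactly once, as given
    - fewer than ndots dots:    search domains first, then the bare name
    - ndots or more dots:       bare name first, then search domains
    """
    if is_absolute(name):
        return [name]
    with_search = [f"{name}.{d.rstrip('.')}." for d in search]
    as_typed = [f"{name}."]
    if name.count(".") < ndots:
        return with_search + as_typed
    return as_typed + with_search


def host_from_url(url: str) -> str:
    """The hostname a client sends in the Host header; the trailing dot survives."""
    return urlsplit(url).hostname or ""


SEARCH = ["corp.example.com", "example.com"]  # constructed search list


def demo() -> dict:
    return {
        "ebh": query_candidates("ebh", SEARCH),      # search list tried first
        "ebh.": query_candidates("ebh.", SEARCH),    # only the TLD itself
        "ai": host_from_url("http://ai./"),          # 'ai.' goes into Host:
    }
```

Two practical caveats: the bare name `ebh` is resolved via the search list first, so on a corporate network it may silently become `ebh.corp.example.com`; and with the dot form the browser sends `Host: ai.` (dot included), so the web server's virtual host configuration must accept that exact value.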

Comment: Re:Snowden uses PGP/web of trust (Score 1) 95

by heypete (#49117911) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Snowden of course used PGP which uses the web of trust system, it works enough to protect Greenwald and Snowden from NSA snooping.

To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.

Comment: Re:Comodo are the biggest Cert issuer (Score 1) 95

by heypete (#49117903) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.

Various surveys, including this one (daily updates available here), scan HTTPS-enabled sites and report on the share of CAs.

Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.

Comment: Re:Comodo, shame on you! (Score 1) 95

by heypete (#49117873) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

What frigging kind of security company is Comodo? Is Comodo a security company at all?

Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable price (same price as RSA certs, typically less than $10/year), which is nice if you're interested in moving away from RSA for whatever reason.

Comment: Lesson: don't use root AWS API keys (Score 5, Interesting) 119

by heypete (#48722833) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

AWS strongly discourages the use of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Judicious use of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.
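Added example, not from the comment above: the two Glacier IAM policies that split of permissions implies, written as IAM policy documents, with a deliberately simplified evaluator so the split can be checked offline. The evaluator models only the core IAM rules (default deny, an explicit Deny beats any Allow, `*` wildcards in action and resource names); real IAM evaluation also involves conditions, SCPs, permission boundaries and resource policies. The vault ARN and account number are constructed.

```python
# Added example, not the commenter's own configuration. Two least-privilege
# IAM policies for a Glacier vault plus a toy evaluator (see lead-in for what
# the evaluator deliberately leaves out).
import fnmatch

VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/family-archive"  # constructed

# Backup operator: upload, list/describe, and start/fetch retrieval jobs.
# glacier:Delete* is simply absent, so deletion falls to the implicit deny.
BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glacier:UploadArchive",
                "glacier:InitiateMultipartUpload",
                "glacier:UploadMultipartPart",
                "glacier:CompleteMultipartUpload",
                "glacier:ListVaults",
                "glacier:DescribeVault",
                "glacier:InitiateJob",
                "glacier:ListJobs",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
            ],
            "Resource": VAULT_ARN,
        }
    ],
}

# Cleanup user: may view and delete individual archives, but an explicit Deny
# on glacier:DeleteVault makes sure a fat-fingered call cannot remove the vault.
CLEANUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glacier:ListVaults",
                "glacier:DescribeVault",
                "glacier:InitiateJob",
                "glacier:ListJobs",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "glacier:DeleteArchive",
            ],
            "Resource": VAULT_ARN,
        },
        {"Effect": "Deny", "Action": "glacier:DeleteVault", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards ('*', '?') map onto fnmatch; ARNs contain no '[' so the
    # bracket syntax of fnmatch cannot misfire here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision: default deny, explicit Deny overrides Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The point the comment makes about root keys falls out of the same check: a policy scoped to one vault says nothing about `ec2:RunInstances`, so a leaked backup-operator key cannot spin up instances, whereas root credentials are not evaluated against any policy at all.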

Comment: Re:Stupid (Score 1) 396

by heypete (#48634401) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organization (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!

Huh. I didn't know that, as I only have ever done the individual verification. It's not uncommon for someone to wear many hats (i.e., to be affiliated with several organizations). It'd certainly be nice if their system allowed for a single individual account to switch between different "identities", so that one could issue certs for themselves or any number of organizations with which they're affiliated and which they've validated with StartSSL.

Have you suggested such an improvement to them?

Oddly enough, if you don't pay anything at all ("class 1 certificates"), you can get certificates for several associations and yourself at once. Of course, then you can't get wildcards or SAN certificates, so you are forced to use SNI (more hassle to set up, and might not work with exotic browsers).

Technically, yes, but policy-wise, no: Class 1 certs are not intended for commercial use.

Wow, a place where beer is even more expensive than here in Luxembourg! But seriously, I guess the $9/year is for plain certificates, no wildcard and non SAN? In that case it would compete with StartSSL's free offering, rather than their $60 plan. If it actually does include wildcard certificates, I would be interested in details.

It's hard to directly compare the two offerings, as StartSSL charges for validation but you can issue numerous certificates at no additional cost. Other CAs charge on a per-cert basis.

As you suspected, the $9 offering from PositiveSSL is for a single, non-wildcard, non-SAN certificate. NameCheap also sells Comodo PositiveSSL multi-domain certs for $30/year for up to 100 domains, which is quite a reasonable price. Of course, those certs are domain-validated only. Organization-validated multi-domain certs start at $90/year. That's cheaper than StartSSL, but only gets you a single cert with multiple SANs. If you needed more than one, StartSSL is the more economical choice. Wildcard certs are also available, with Comodo wildcards costing $94/year.

Comment: Re: Stupid (Score 1) 396

by heypete (#48632931) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Did you include the necessary intermediate certificates in your server config? If you don't then browsers can't verify that the cert is legit. IE tries to be smart and can download many (but not all) intermediates automatically, but that's not something you should rely on.

I have never had any issues with PositiveSSL using any browser, so long as the intermediates are sent by the server.

Comment: Re:OK (Score 1) 396

by heypete (#48623037) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

While I think you should use HTTPS, it's also quite easy to strip away, anyone in the "man in the middle" position can do this, so no problem for the NSA, no problem for an ISP, no problem for a decent hacker (WiFi anyways), however it is "better than nothing".

Which seems to be what we have to settle for these days BTN "better than nothing".

It's difficult to strip HTTPS from sites that use HSTS. Considering that enabling HSTS is literally a one-line addition to a server's config file and prevents SSL stripping attacks, it'd be silly not to use it.

Assuming the client can access the authentic HTTPS-secured, HSTS-enabled site at least once, their browser will cache the "HTTPS is required" bit for as long as the site requests. Most deployment guides suggest HSTS cache times of 6-12 months, which would make an attacker's job much more difficult.

Adding browser support for DANE would be even better: HSTS allows a server to instruct a browser to only use HTTPS on that site, while DANE allows the server to specify (via a valid DNSSEC-signed record) which HTTPS certificate/CA (including self-signed certs) is valid for that site. Using both methods provides a high degree of assurance that one is securely visiting the authentic site and that no tampering is taking place.
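Added example, not part of the comment above: a minimal model of the browser-side HSTS behaviour the comment relies on (RFC 6797). The server side really is the one line the comment mentions, e.g. `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` in Apache's mod_headers; what makes stripping hard is what the client then does with it. The store below only accepts the header over a genuine TLS connection (a policy seen over plain HTTP is ignored, which is why the first visit must be authentic), honours `max-age` expiry and `includeSubDomains`, and upgrades later `http://` URLs before any request leaves the machine. Hostnames and the clock are constructed.

```python
# Added example, not code from the original post: a toy HSTS policy store.
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse(header: str):
        """Parse 'max-age=N[; includeSubDomains]'.

        Returns (max_age, include_subdomains), or None if the header is
        malformed (RFC 6797 says a malformed header is ignored outright).
        """
        max_age, include = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return None
                if max_age < 0:
                    return None
            elif name == "includesubdomains":
                include = True
        return None if max_age is None else (max_age, include)

    def observe(self, host: str, header: str, over_tls: bool) -> bool:
        """Record a policy. Returns True if the policy was accepted."""
        if not over_tls:
            return False  # RFC 6797 8.1: header over plain HTTP is ignored
        parsed = self.parse(header)
        if parsed is None:
            return False
        max_age, include = parsed
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 revokes the policy
        else:
            self._entries[host] = (self._now() + max_age, include)
        return True

    def is_known(self, host: str) -> bool:
        """Is host (or a parent with includeSubDomains) a known HSTS host?"""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires, include = entry
            if expires <= now:
                del self._entries[candidate]  # expired: forget it
                continue
            if i == 0 or include:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The expiry branch is the part worth noticing in deployment: a policy with a short `max-age` lapses after a quiet period and the next visit is strippable again, which is why the 6-12 month values are recommended and why browser preload lists exist for the very first visit.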

Comment: Re: Stupid (Score 4, Informative) 396

by heypete (#48623005) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Also to rent an ip address isn't free.

IP-based SSL hosting hasn't been necessary since the development of SNI nearly a decade ago.

Essentially all modern browsers (IE 7+, Firefox 2.0+, Chrome 6+ on XP [all versions of Chrome on Vista+ support SNI], Safari in iOS 4+, Android 3+, WP 7+, etc.) and servers support SNI.

Several web hosts offer SNI-based SSL/TLS hosting at no additional charge.

Comment: Re:Stupid (Score 4, Informative) 396

by heypete (#48622893) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

CPU and power increase for encryption is negligible for most sites.
The real cost is getting a certificate from a site that the browser will recognize.
Those are expensive especially if you want a site for a hobby or a supplemental income.

StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.

Let's Encrypt, run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.

If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.

The financial cost of getting a certificate is essentially negligible.

Comment: Re:So perhaps /. will finally fix its shit (Score 5, Insightful) 396

by heypete (#48622873) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Really? Why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it, I don't want SSL for accessing a forum or a news site or just generally browsing the web.

Exactly. What's the benefit?

There's a time and place for encryption, and Slashdot ain't it.

Some folks at Belgacom may disagree.

Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.

Comment: Re:Shared hosting... (Score 2) 212

by heypete (#48413289) Attached to: Launching 2015: a New Certificate Authority To Encrypt the Entire Web

SNI is now supported by all the major players (IE was the last hold out) but... I'm pretty sure the current free cert providers don't support it.

SNI requires support from (a) the browser, and is near-universally supported by all browsers these days and (b) the web server, with many hosts supporting it already. If not, they should.

The certificate authority is not involved with SNI at all.
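Added example, not from either comment: it illustrates both the SNI comment above ("SNI requires support from the browser and the web server; the CA is not involved") and the earlier one about IP-based hosting no longer being necessary. The client's only contribution is a `server_name` extension in its ClientHello; the server's only job is to read it and pick a certificate before it sends its own hello. The code builds a constructed TLS 1.2 ClientHello record carrying just that extension, parses the name back out the way a front end would, and shows the fallback a server must have for a client that sends no SNI at all. The random bytes, cipher suite and hostnames are constructed test input.

```python
# Added example, not code from the original posts: build and parse the SNI
# extension of a TLS ClientHello (RFC 6066 section 3).
import struct


def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello record; no extensions if server_name is None."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)       # client_version, random (zeros: constructed)
            + b"\x00"                     # session_id: empty
            + b"\x00\x02\xc0\x2f"         # cipher_suites: one suite, length-prefixed
            + b"\x01\x00"                 # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name in a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                        # compression_methods
        if pos >= len(body):
            return None                             # legacy client: no extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0:                          # 0 = server_name
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def choose_cert(record: bytes, vhost_certs: dict, default_cert: str) -> str:
    """What a name-based TLS front end does: pick the cert for the requested name."""
    name = extract_sni(record)
    if name is None:
        return default_cert      # the one cert a non-SNI client will always get
    return vhost_certs.get(name.lower(), default_cert)


CERTS = {"www.example.com": "cert-A", "blog.example.net": "cert-B"}  # constructed
```

Nothing in that exchange touches the CA: the certificates in `CERTS` were issued normally for their own names, and the server simply serves the right one. The `default_cert` branch is the one operational consequence of the old browsers listed earlier: a client without SNI gets the default certificate and a name mismatch warning for every other site on that IP.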

Comment: Re:Art Of War - Chapter 13 - The use of spies (Score 1) 184

by heypete (#48333289) Attached to: British Spies Are Free To Target Lawyers and Journalists

If fighting is sure to result in victory, then you must fight!

Sun Tzu said that, and I'd say he knows a little bit more about fighting than you do, pal, because he invented it, and then he perfected it so that no living man could best him in the ring of honor.

Then, he used his fight money to buy two of every animal on earth, and then he herded them onto a boat.

And then he beat the crap out of every single one.

And from that day forward any time a bunch of animals are together in one place it's called a 'zoo'!

OMG what are you on and do you have enough to share?

It's from Team Fortress 2's "Meet the Soldier" trailer.
