
Comment: Re: Provided your MUA supports S/MIME (Score 1) 89

by heypete (#49421497) Attached to: The Problem With Using End-to-End Web Crypto as a Cure-All

Especially compared to generating a gpg key that process is still a huge pain, requiring you to fiddle with obscure commands (seriously, the openssl command-line options read like someone sat down for half a year and thought "how can I make this as unusable as possible?").
Why isn't there a one-line program that does everything, ideally including submitting the request for signing? Plus a GUI of course, especially for Windows users.

Private keys for S/MIME certs ("client certs", more generally) are generated automatically in the browser, a CSR is generated and sent automatically to the CA for verification/signing. No command-line utilities are needed at all and the private key doesn't leave the browser. Quick, easy, and secure.

If you go through the process to get an S/MIME cert at StartSSL or other CAs, everything is handled seamlessly in the browser without the CA generating (or knowing) the private key.

Of course, StartSSL offers the function to generate the private key for *server* certs for you (which is stupid but convenient) by default but one can readily submit a CSR for signing in the normal way.

Comment: (Score 2) 295

by heypete (#49281623) Attached to: Ask Slashdot: Advice For Domain Name Registration?

Highly recommend


Although not the cheapest (a .com with NameCheap and whois protection costs $13.57/year. With Gandi it's $15.50), I find that you get what you pay for: for an extra ~$2/year or so you get clueful staff who respond promptly and competently to issues, built-in whois protection (lots of registrars charge extra for that) that ensures that you're still the legal owner of the domain (your name is listed as the registrant, but all the contact information can be masked with Gandi's information by the whois protection), the ability to add DS records for DNSSEC (neither NameCheap nor Hover allow this), a good API if you want to do things programmatically, and a great UI. You get a free SSL cert when you register/transfer in a domain, and SSL certs can be purchased from them (they chain up to Comodo) for a reasonable price.

They support a variety of organizations, including the EFF and Debian, that do good works on-line and off-.

Also, they're located in France. This offers some protection from various US shenanigans when it comes to seizing domains (assuming the TLD is not US-based), if that's something you're worried about. It's not perfect, of course, but it's something to keep in mind.

They offer decent, anycasted DNS service. Their nodes are located in Paris, Luxembourg, and Baltimore, so they have reasonable resolution speeds in Europe and North America. Nothing fancy, but it works well. You can, of course, use any other DNS host you want (e.g. one run by your web host, a third party service like easyDNS, etc.).

They also offer three types of hosting: basic web hosting, "Simple Hosting", and VPSs. The VPSs are pretty bog-standard, so you won't see any surprises, but I find DigitalOcean to be a better value for VPSs. The "Simple Hosting" is interesting to me, as it's a sort of crossover between shared hosting and a VPS: you choose what type of instance you want (PHP, Node.js, Python, or Ruby), what database type you want (MySQL, PgSQL, or MongoDB) and how much resources you need and you get a dedicated instance of that type. Instances are managed by a hypervisor so other users on the same hardware are logically separated and don't interfere with your service. Additionally, they put a Varnish cache server upstream of your instance so it's extremely fast.

Alternatively, I recommend for excellent hosting.

In short: Gandi is a fine registrar and I strongly recommend them.

Comment: CODE Keyboard (Score 5, Interesting) 452

by heypete (#49273569) Attached to: Ask Slashdot: Good Keyboard?

I've been using a CODE Keyboard for several months now. I really like it.

It's a mechanical keyboard using Cherry MX Clear switches, so it has a good tactile response without being super clicky. Certain settings can be changed using a DIP switch on the bottom. The keyboard uses a standard, detachable micro USB cable: cables have always been a weak spot on my keyboards, so it's nice to know I can replace it if needed.

The keys are mounted on a steel plate (not as heavy as the Model M, though) so the keyboard feels very solid.

Comment: Re:I don't get the pricing? (Score 1) 71

by heypete (#49239955) Attached to: Google Nearline Delivers Some Serious Competition To Amazon Glacier

One reason I'm about to start using Amazon Glacier for personal backups is specifically because you can't delete files. I want to put up all of my family photos and videos, and know that they will be there even if my kid installs ransomware, our house gets robbed and burns down, and I'm in a coma for six months and can't deal with trying to retrieve deleted files (along with determining the real ones vs ransom ones) in a timely manner from Dropbox or Crashplan.

You can absolutely delete files in Amazon Glacier if the access key you're using has that permission enabled. I imagine there's a surprising number of people who use their AWS root account credentials to access Glacier even though this is strongly discouraged. Even if one creates a new IAM user with access only to Glacier (so a bad guy who compromised your computer can't spin up EC2 instances), the default is for all permissions to be enabled.

Of course, you can disable the permissions to delete files: I've done that, and it works well, but it's not the default. I have a separate IAM user with list-and-delete privileges, but that is a separate user in FastGlacier and requires a password to use -- that keeps me from inadvertently fat-fingering the delete key.

Comment: Re:Honest question here (Score 1) 185

by heypete (#49156363) Attached to: Google Taking Over New TLDs

If I were an entity that had its own TLD, say .ebh, it would be nice if people could get to my site with the minimalist URL http://ebh. Is there any way to disambiguate a TLD from a nonqualified host name to make that possible?

Sure. Just end the address with a dot, which identifies the name in the URL as being absolute.

For example, http://ai./ is a site in Anguilla that uses the TLD as its own name. However, if you leave out the dot it doesn't work -- this is a bit of a pain and most TLDs won't let anyone use the TLD itself as a name.

Comment: Re:Snowden uses PGP/web of trust (Score 1) 95

by heypete (#49117911) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Snowden of course used PGP which uses the web of trust system, it works enough to protect Greenwald and Snowden from NSA snooping.

To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.

Comment: Re:Comodo are the biggest Cert issuer (Score 1) 95

by heypete (#49117903) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.

Various surveys, including this one (daily updates available here), scan HTTPS-enabled sites and report on the share of CAs.

Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.

Comment: Re:Comodo, shame on you! (Score 1) 95

by heypete (#49117873) Attached to: Advertising Tool PrivDog Compromises HTTPS Security

What frigging kind of security company is Comodo? Is Comodo a security company at all?

Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable price (same price as RSA certs, typically less than $10/year), which is nice if you're interested in moving away from RSA for whatever reason.

Comment: Lesson: don't use root AWS API keys (Score 5, Interesting) 119

by heypete (#48722833) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

AWS strongly discourages the use of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Judicious use of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.
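An added example, not part of the original comment: the two-user Glacier split described above, written as IAM policy documents next to an all-permissions policy, with a simplified evaluator (default deny, explicit Deny wins) that shows which of them can delete. The vault ARN is a placeholder, the helper names are hypothetical, and the evaluator is an assumption-level model of IAM, not AWS's own logic.

```python
import fnmatch

# Placeholder ARN (constructed): substitute your own region, account id and vault.
VAULT = "arn:aws:glacier:REGION:ACCOUNT_ID:vaults/EXAMPLE_VAULT"
DELETE_ACTIONS = ["glacier:DeleteArchive", "glacier:DeleteVault"]

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def stmt(effect, actions):
    return {"Effect": effect, "Action": actions, "Resource": VAULT}

# Every Glacier action allowed, deletes included.
ALL_GLACIER = policy(stmt("Allow", "glacier:*"))

# Default user: upload, view, restore/download. Deletes are explicitly denied.
BACKUP_USER = policy(
    stmt("Allow", ["glacier:UploadArchive", "glacier:InitiateMultipartUpload",
                   "glacier:UploadMultipartPart", "glacier:CompleteMultipartUpload",
                   "glacier:DescribeVault", "glacier:ListJobs", "glacier:DescribeJob",
                   "glacier:InitiateJob", "glacier:GetJobOutput"]),
    stmt("Deny", DELETE_ACTIONS),
)

# Second user: view and delete only, kept behind a separate password.
DELETE_USER = policy(
    stmt("Allow", ["glacier:DescribeVault", "glacier:ListJobs", "glacier:DescribeJob",
                   "glacier:InitiateJob", "glacier:GetJobOutput",
                   "glacier:DeleteArchive"]),
)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def is_allowed(doc, action, resource=VAULT):
    """Simplified identity-policy check: default deny, explicit Deny overrides Allow."""
    allowed = False
    for s in doc["Statement"]:
        act = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(s["Action"]))
        res = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(s["Resource"]))
        if act and res:
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def delete_actions_allowed(doc):
    """Audit helper: which destructive Glacier actions a policy still permits."""
    return [a for a in DELETE_ACTIONS if is_allowed(doc, a)]
```
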

Comment: Re:Stupid (Score 1) 396

by heypete (#48634401) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organization (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!

Huh. I didn't know that, as I only have ever done the individual verification. It's not uncommon for someone to wear many hats (i.e., to be affiliated with several organizations). It'd certainly be nice if their system allowed for a single individual account to switch between different "identities", so that one could issue certs for themselves or any number of organizations with which they're affiliated and which they've validated with StartSSL.

Have you suggested such an improvement to them?

Oddly enough, if you don't pay anything at all ("class 1 certificates"), you can get certificates for several associations and yourself at once. Of course, then you can't get wildcards or SAN certificates, so you are forced to use SNI (more hassle to set up, and might not work with exotic browsers).

Technically, yes, but policy-wise, no: Class 1 certs are not intended for commercial use.

Wow, a place where beer is even more expensive than here in Luxembourg! But seriously, I guess the $9/year is for plain certificates, no wildcard and non SAN? In that case it would compete with StartSSL's free offering, rather than their $60 plan. If it actually does include wildcard certificates, I would be interested in details.

It's hard to directly compare the two offerings, as StartSSL charges for validation but you can issue numerous certificates at no additional cost. Other CAs charge on a per-cert basis.

As you suspected, the $9 offering from PositiveSSL is for a single, non-wildcard, non-SAN certificate. NameCheap also sells Comodo PositiveSSL multi-domain certs for $30/year for up to 100 domains, which is quite a reasonable price. Of course, those certs are domain-validated only. Organization-validated multi-domain certs start at $90/year. That's cheaper than StartSSL, but only gets you a single cert with multiple SANs. If you needed more than one, StartSSL is the more economical choice. Wildcard certs are also available, with Comodo wildcards costing $94/year.

Comment: Re: Stupid (Score 1) 396

by heypete (#48632931) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Did you include the necessary intermediate certificates in your server config? If you don't then browsers can't verify that the cert is legit. IE tries to be smart and can download many (but not all) intermediates automatically, but that's not something you should rely on.

I have never had any issues with PositiveSSL using any browser, so long as the intermediates are sent by the server.

Comment: Re:OK (Score 1) 396

by heypete (#48623037) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

While I think you should use HTTPS, it's also quite easy to strip away, anyone in the "man in the middle" position can do this, so no problem for the NSA, no problem for an ISP, no problem for a decent hacker (WiFi anyways), however it is "better than nothing".

Which seems to be what we have to settle for these days BTN "better than nothing".

It's difficult to strip HTTPS from sites that use HSTS. Considering that enabling HSTS is literally a one-line addition to a server's config file and prevents SSL stripping attacks, it'd be silly not to use it.

Assuming the client can access the authentic HTTPS-secured, HSTS-enabled site at least once, their browser will cache the "HTTPS is required" bit for as long as the site requests. Most deployment guides suggest HSTS cache times of 6-12 months, which would make an attacker's job much more difficult.

Adding browser support for DANE would be even better: HSTS allows a server to instruct a browser to only use HTTPS on that site, while DANE allows the server to specify (via a valid DNSSEC-signed record) which HTTPS certificate/CA (including self-signed certs) is valid for that site. Using both methods provides a high degree of assurance that one is securely visiting the authentic site and that no tampering is taking place.
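An added example, not part of the original comment: a checker for the `Strict-Transport-Security` response header discussed above, which parses its directives and flags values that leave the HSTS cache weaker than the 6-12 month range mentioned. The function names and the six-month threshold constant are assumptions chosen for illustration.

```python
import re

# Lower end of the 6-12 month cache time mentioned above (assumed as the threshold).
SIX_MONTHS = 182 * 24 * 3600

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        # Values may be given as a quoted string, e.g. max-age="31536000".
        directives[name] = value.strip().strip('"') if value else None
    return directives

def hsts_findings(header_value):
    """Return a list of problems with an HSTS header value (empty list = fine)."""
    if header_value is None:
        return ["no Strict-Transport-Security header: HTTPS can be stripped"]
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    raw = directives.get("max-age")
    if raw is None or not re.fullmatch(r"[0-9]+", raw):
        return ["max-age missing or not a number: the header is not a valid policy"]
    findings = []
    age = int(raw)
    if age == 0:
        findings.append("max-age=0 tells the browser to forget the HSTS policy")
    elif age < SIX_MONTHS:
        findings.append("max-age of %d s is shorter than six months" % age)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings
```

A value such as `max-age=31536000; includeSubDomains` passes with no findings; the header only takes effect when the browser receives it over a valid HTTPS connection.
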

Comment: Re: Stupid (Score 4, Informative) 396

by heypete (#48623005) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Also to rent an ip address isn't free.

IP-based SSL hosting hasn't been necessary since the development of SNI nearly a decade ago.

Essentially all modern browsers (IE 7+, Firefox 2.0+, Chrome 6+ on XP [all versions of Chrome on Vista+ support SNI], Safari in iOS 4+, Android 3+, WP 7+, etc.) and servers support SNI.

Several web hosts offer SNI-based SSL/TLS hosting at no additional charge.
