Forgot your password?

Comment: Re:WRONG! (Score 2) 65

by heypete (#47860709) Attached to: Satoshi Nakamoto's Email Address Compromised

What is the alternative? Phone calls?

Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

Domain names are also a "high-stakes" thing and it makes sense to have a high degree of security when allowing password resets at registrars: I wouldn't mind my domain registrar sending me a letter by post to my address on file with them if I were to ever request a password reset from them.

Comment: Re: We really need (Score 1) 528

by heypete (#47857375) Attached to: AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

I'm curious, how's the performance of YouTube and Netflix over there. Do you notice a bottleneck most likely traced at the trans-Atlantic fiber pairings, or is all content cached on local servers too?

Google has many datacenters, including three in Europe. Alas, due to Google not providing reverse DNS on a lot of their router hops I'm not sure quite where the traces end up, but they're only ~30ms away from Bern, so the connection is definitely routed to their European facilities.

As for Netflix, their European service seems to be run from the Amazon AWS facility in Ireland, so there's no transatlantic links to cross. I imagine they also offer their CDN equipment to European ISPs, but they don't offer Netflix in Switzerland yet, so I don't know if that's the case here. I subscribe to the US Netflix and use Unlocator to trick their location-detection system into thinking I'm in the US, so the videos I watch do cross the Atlantic. There's maybe 10 seconds of lower-resolution video when streams from US Netflix first start, but after that things are in HD quality for the duration. No issues otherwise.

Comment: Re:We really need (Score 5, Interesting) 528

by heypete (#47856947) Attached to: AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

American expat in Switzerland here. Using I get 246.08/15.21 Mbps. I pay the cable company the equivalent of $98 USD/month for 250/15 internet service (no data caps) and cable TV (my wife likes watching US sports, so we have the "all-inclusive" TV package that includes some US sports channels). I originally had the 35/5 plan, but upgraded to the 150/10. They discontinued that plan and switched me to the 250/15 plan, which was only $5/month more.

If I wasn't satisfied with them, Swisscom (major telco) and the electric company each offer fiber-to-the-home, with up to 1000/100 speeds and no caps. There's other options for DSL too, but not nearly as fast.

Comcast, a major US ISP, has a comparably-priced plan that goes from $89/month for the first year to $119/month for the second year and then up to $148/month thereafter. They offer a bunch of TV channels and 25 Mbps internet, plus data caps. That's absurdly awful.

As an American, I find it ridiculous that wholesale bandwidth in the US (e.g. connectivity in a datacenter) is dirt cheap and fast (as an example, Hurricane Electric offers 10GigE transit for $0.45/Mbps) but that retail bandwidth available to end-users is so expensive, slow, and limited by data caps and the like. Things really need to change.

Comment: Re:So 1024 Bits Not Enough Now? (Score 5, Informative) 67

by heypete (#47838273) Attached to: Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Symmetric and asymmetric keys are different things and have different key lengths. One cannot directly compare key sizes between two wholly different classes of ciphers. There are numerous reasons, mostly involving arcane mathematics, why asymmetric ciphers require longer key lengths than symmetric ciphers to offer similar levels of protection.

For example, a 1024-bit RSA key (RSA is an asymmetric cipher) is essentially equivalent to an 80-bit symmetric key (AES, 3DES, etc. are symmetric ciphers). SHA1, a hashing algorithm, provides less than 80 bits of security; those wishing stronger signatures are switching to SHA-256 (which offers 128 bits of security) and SHA-512 (which offers 256 bits).

A 2048-bit RSA key, such as those used by most CAs and web servers these days, has the same strength as a 112-bit symmetric key. NIST says they should be good enough until around 2030.

3072-bit RSA keys offer the same strength as a 128-bit symmetric key. A whopping 15,360-bit RSA key would be needed for 256-bit security; the same level of security could be achieved with a 512-bit elliptic curve key, which would be much, much faster than such a large RSA key.

Comment: Re:Seemed pretty obvious this was the case (Score 5, Insightful) 311

by heypete (#47817005) Attached to: Apple Denies Systems Breach In Photo Leak

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Who says you need to tell the truth on those questions?

Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."

Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

Comment: Re:Does it matter? (Score 1) 65

by heypete (#47698601) Attached to: Plan Would Give Government Virtual Veto Over Internet Governance

Of course this is about power shifting towards governments in general. This is to be expected - after all, we can't just have random people running the internet and governments happen to be the very things that represent their countries internationally

(Emphasis mine.)

Why not? That's basically what Jon Postel did: he basically singlehandedly administered the DNS root and was IANA.

Sure, things are different now, but we certainly have had random people running the internet. It worked then, why not now?

Comment: Re:https is useless (Score 1) 166

by heypete (#47681719) Attached to: Watch a Cat Video, Get Hacked: the Death of Clear-Text

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

I wouldn't be too sure of that.

Of all the companies that have aided the NSA, how many are out of business or even really hurting?

Companies like what? The ones making network-tapping hardware and whatnot cater toward a limited market, not the general public. Certificate authorities directly transact with server administrators, but their primary audience are end-users and they have wide public exposure. If a CA was found to be doing shady things, browsers would remove their roots. That'd basically kill off the offending CA.

Comment: Re:https is useless (Score 1) 166

by heypete (#47681699) Attached to: Watch a Cat Video, Get Hacked: the Death of Clear-Text

>If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

HAHAHAHAno. Thanks to the demon that is backwards compatibility browser vendors have implicitly or explicitly confirmed that they cannot actually revoke root certs. Or, more specifically, that many websites rely on that particular root to verify their identity and would break horribly if a root cert got revoked. i.e. revoking a misbehaving root will break the web.

Why not? There have been roots that have been revoked due to being compromised and which have issued bogus certs (e.g. DigiNotar). That's caused some chaos, but people adapted.

Sure, VeriSign is large and commands (either directly or through its subsidiaries) a substantial fraction of the CA market. Nuking it would be a Very Big Deal that browsers wouldn't take lightly, but I have no doubt that if it were shown that VeriSign (or Comodo, or other CAs) were found to be issuing bogus certs for the government to compromise people, they'd get their roots pulled by browsers. That's a death sentence for a CA, hence my skepticism in response to the proposal that they're actively assisting governments.

A better solution would be the ability to provide multiple root certs, which is not technically feasible today, and won't be for a while - even things like SSL vhosts are considered unreliable due to the prevalence of legacy browsers that don't know how to use the proper TLS extensions for hostname identification. So maybe in 10 years we can start telling site operators that they can turn on multiple certs, and 10 years after that browser vendors will have enough data to determine if it's safe to actually revoke a root cert or not. In the meantime you will have to convince HTTPS services that it's worth paying n times as much in certification costs to avoid a hypothetical root revocation.

Agreed. That would be nice.

Comment: Re:https is useless (Score 4, Informative) 166

by heypete (#47681287) Attached to: Watch a Cat Video, Get Hacked: the Death of Clear-Text

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

Comment: Re:Fiber to the Home (Score 2) 98

by heypete (#47638299) Attached to: For Fast Internet in the US, Virginia Tops the Charts

Compared to what you can get in Europe or Asia, those "decent prices" are in fact insanely expensive.

Perhaps. Depends on the location and provider. Here in Bern, Switzerland, the cable company offers 250/15 internet for CHF 89/month ($98 USD). That's only $10 more than the 200/200 for $89.95 offering. Not unreasonable. For CHF 105/month they package a bunch of cable TV channels (including European and American sports) and 250/15 internet.

Swisscom, the incumbent phone company, has fiber-to-the-home. 300/60 internet with even more TV channels costs CHF 154/month. They offer up to 1000/100 connection if you're willing to pay and extra CHF 80/month above the CHF 154 rate. That's USD $258, only $8 more than the 1000/1000 plan offered in Clarksville (though the Swisscom offering does include TV. Phone is an extra CHF 15).

Then again, Switzerland does tend to be expensive. You may get cheaper service in other countries, but it is quite comparable in terms of cost here.

Comment: Re: Great step! (Score 1) 148

by heypete (#47636461) Attached to: Google Will Give a Search Edge To Websites That Use Encryption

While I wish they allowed free reissuance of certs at any time, I don't really see why requiring revocation is a showstopper.

It's not a showstopper, per se, but they do charge a revocation fee ($25, I think?), so that makes it decidedly less than free.

True, but how often does one need to revoke a certificate? Other than Heartbleed, I think I've only revoked one certificate in the last 10 years or so. Amortized over that timeframe, the costs are negligible. That said, I would like it if StartSSL would offer free revocations in the case of something like Heartbleed, where certs are compromised through no fault of the customer, but I understand the business reasons for not doing so (CRL/OCSP isn't free).

Of course, I've abandoned several certs where I deleted a VM hosting a site I no longer needed, but since the cert was not compromised and the private key was deleted, I just let the expiration timer run out. No big deal.

Comment: Re: Great step! (Score 1) 148

by heypete (#47636445) Attached to: Google Will Give a Search Edge To Websites That Use Encryption

To clarify I fully understand why startSSL do this, they are a buisness and they need to make money and they are certainly the best value widely recognised CA I have found.

I just don't think using startSSLs limited free certs as a rebuttal to claims that SSL increases costs for website operators is reasonable. Either you pay to get the wildcard certs or you pay to get extra IPv4 addresses or some combination of the two.

Why not just use SNI? I have multiple SSL-enabled virtualhosts running on a single server, and other than Internet Explorer on Windows XP and Android 2.x (neither of which I care about, as the former is EOL while the latter is effectively EOL) every browser on desktop and mobile devices works properly. I spend more money every two weeks on caffeinated beverages than my entire annual budget for SSL certs, and I have more than most. My cert budget is dwarfed by hosting costs (which I pay regardless of SSL support or not).

If you don't care about those systems (and I don't), SNI is perfectly satisfactory. If you need to support those old systems for some reason, you're probably a commercial enterprise who can afford IP-based SSL or wildcard certs. For typical individuals or small/medium-sized organizations using SNI, adding SSL support to your sites will essentially be a non-issue in terms of cost.

If anything, Google adding a small boost to SSL-enabled sites should encourage and improve support for SNI and hopefully sweep away the few older browsers that don't support it. I'm all for it.

Comment: Re:Avoid the Asus RT-N66U .. overpriced (Score 3, Informative) 427

by heypete (#47634643) Attached to: Ask Slashdot: Life Beyond the WRT54G Series?

Gotta agree. My RT-N66U(Shibby 121) is running a crap load of stuff with zero downtime. VLAN, IPTV, VoIP, OpenVPN server and client, Print server, etc etc etc.

I've got an RT-AC68U as my access point. Not as mature firmware wise, and hard to test to it's full potential, but rock solid none the less.

ASUS can shut up and take my money.

Seconded in regards to the N66U. It's a fantastic router. I've been running Tomato Shibby for years (most recently v121) and it's been rock-solid, reliable, and stable.

There's only one downside: Tomato doesn't include the necessary kernel module for hardware accelerated WAN-to-LAN NAT/routing. This only matters if your downstream WAN bandwidth is greater than ~120Mbps. If your downstream bandwidth is less, the software routing can keep up and you'll run at full speed. If your downstream bandwidth is greater, you will be limited to ~120-130Mbps, as that's as fast as the N66U can route in software. LAN-to-LAN bandwidth will run entirely in hardware regardless of what firmware you have.

My ISP just upgraded me to a 250Mbps downstream link, so I reluctantly went back to the factory firmware to take advantage of the hardware acceleration. It's clunky and annoying compared to the elegance of the Tomato web interface, but it works. The Merlin firmware maintains the look-and-feel of the factory firmware, includes support for hardware acceleration, fixes a few bug and adds a few features (but not as many as Tomato) that makes it suck less.

I highly recommend the N66U.

Comment: Re: Great step! (Score 3, Informative) 148

by heypete (#47625537) Attached to: Google Will Give a Search Edge To Websites That Use Encryption

2: they make the expiry artifically short (the CA industry as a whole does this but startSSLs free certs are epecially bad),

A validity time of one year is pretty standard for SSL certs (paid certs often charge per year). Could they issue them for 20 years? Sure, but a one year validity is not unusual. Class 2 certs are good for two years.

3: they refuse to renew certs until just before they expire and refuse to reissue certs without revoking the old one.

I get renewal notices two weeks prior to expiration. That's pretty reasonable. If I recall correctly, I can generate a new cert for my site any time in that two-week period, so I don't need to wait for the cert to expire before replacing it.

While I wish they allowed free reissuance of certs at any time, I don't really see why requiring revocation is a showstopper.

4: each free cert only covers a domain and one hostname under that domain (e.g. and This effectively means you end up needing one IP per hostname you want SSL on (until IE on XP becomes insignificant anyway).

That's also the case for pretty much any of the inexpensive paid certs too. You can always get a wildcard cert but most CAs charge at least $100/year for a single wildcard cert. StartSSL charges $60 for Class 2 validation, and you can issue unlimited certs (wildcard or not). Organizations can get Class 2 certified for $120 ($60 for identity verification, $60 for organization verification) and can issue unlimited certs. For a company needing more than one cert, StartSSL is still cheaper.

It's nice that there is a free (as in beer) option for some people but it's also clearly got a number of artificial restrictions on it to push people towards their paid options.

Considering their paid certs are often cheaper than comparable offerings from other CAs, it doesn't really seem unreasonable to me. Doubly so because they're run by competent people who respond promptly to inquiries, even from free users. I've been a StartSSL customer for years (and also used other CAs like GoDaddy, Comodo, Thawte, etc.) and the customer service from StartSSL has always been excellent.

If you don't want to get a StartSSL cert or they don't meet your needs, that's fine. NameCheap and others sell single-domain Comodo certs for $9/year. RapidSSL certs are a buck or two more per year. That costs less than a single beer at the local bar. Hardly a massive expense.

Just because he's dead is no reason to lay off work.