Comment: Re:Sly (Score 1) 394

by tom17 (#48651525) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Weird, what versions of those browsers? I have IE9 here and it's pre-installed.

I have been using it, hassle free (with the CA cert pre-installed on Chrome, FF & IE) since 2011 now...

Something must have been afoot with your testing - I'm not blaming you - I just can't see how it wouldn't have worked a year ago based on my experience with default browsers...

Comment: Re:A question I hope someone can answer (Score 1) 54

by tom17 (#48554827) Attached to: POODLE Flaw Returns, This Time Hitting TLS Protocol

Unless your company/vendor forces you to use it externally, or will not provide said VM for internal sites.

I'm not agreeing that it's OK to use such a browser, just saying that it's not necessarily the user's own fault. Companies can be idiots too when it comes to IT security.

Comment: Re:A question I hope someone can answer (Score 1) 54

by tom17 (#48554491) Attached to: POODLE Flaw Returns, This Time Hitting TLS Protocol

I don't know his exact situation, but it's possible that the company he works at has an app that only works with IE6. There used to be many apps like this.

If this is such a case, the fuckwad is the company (for not hiring developers to upgrade the app) or the vendor that supplies the app without upgrading it (Maybe the company is still to blame for not moving to a more current product, or maybe there isn't one). Either way, the user that is forced to stick with the crappy browser is not necessarily the problem.

Though he might be! :) - Rather than assuming and bashing, we should answer the question... Oh wait. Slashdot :)

Comment: Re:Sounds good to me (Score 1) 238

by tom17 (#48524739) Attached to: The Cost of the "S" In HTTPS

You are correct in your understanding.

You can also check your privacy just by looking at the certificate for any site you are visiting over HTTPS. Check the certificate authority and make sure it looks legitimate. If you are unsure, you could look the cert up using an online service and compare the online version and your local version.

They should match but there are always caveats - Maybe the site is using different certs on different parts of a CDN that has its own server cert installed in browsers. CloudFlare is a good example of this - they can create valid certs as they please since they partnered with GlobalSign.

But your VM method should be just fine, yeah :)
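The comparison described in the comment above, as an added example that is not part of the original post: it normalizes the fingerprint seen locally and the one reported by an outside lookup, then separates the same-issuer case (the CDN caveat) from an issuer mismatch. The view dictionaries, function names and issuer names are assumptions made for illustration, and the sample values are constructed.

```python
import hashlib
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def sha256_fingerprint(cert: str) -> str:
    """Lowercase hex SHA-256 of a certificate.

    Accepts a PEM certificate (hashed over its DER bytes) or a fingerprint
    pasted from a browser or lookup site ("AB:CD:...", "ab cd ...").
    """
    cert = cert.strip()
    if cert.startswith(PEM_HEADER):
        return hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert)).hexdigest()
    hexval = re.sub(r"[\s:]", "", cert).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexval):
        raise ValueError("expected a PEM certificate or a SHA-256 fingerprint")
    return hexval

def compare_views(local: dict, reference: dict) -> str:
    """Classify the local view of a site's certificate against an outside one.

    Each view is {"cert": PEM or fingerprint, "issuer_org": issuer O= value}.
    """
    if sha256_fingerprint(local["cert"]) == sha256_fingerprint(reference["cert"]):
        return "match"
    same_issuer = (local["issuer_org"].strip().casefold()
                   == reference["issuer_org"].strip().casefold())
    if same_issuer:
        # Different certificate from the same CA: the CDN caveat, or a renewal.
        return "different-cert-same-issuer"
    # Different issuer: consistent with an inspection device signing under a
    # root installed on this client, or with the site having changed CA.
    return "issuer-mismatch"

# Constructed sample values; the issuer names are hypothetical.
ONLINE = {"cert": "ab" * 32, "issuer_org": "Example Public CA"}
LOCAL_SAME = {"cert": ":".join(["AB"] * 32), "issuer_org": "Example Public CA"}
LOCAL_CDN = {"cert": "cd" * 32, "issuer_org": "example public ca "}
LOCAL_PROXY = {"cert": "ef" * 32, "issuer_org": "Corp Inspection Proxy CA"}

if __name__ == "__main__":
    for name, view in [("same", LOCAL_SAME), ("cdn", LOCAL_CDN), ("proxy", LOCAL_PROXY)]:
        print(name, compare_views(view, ONLINE))
```

An "issuer-mismatch" result is a prompt to inspect the client's trust store for an added root, not proof of interception on its own.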

Comment: Re:Cost of certificates (Score 2) 238

by tom17 (#48524477) Attached to: The Cost of the "S" In HTTPS

With StartSSL the actual cert generation is easier than that as they create the key on their server first and they ask for the forms on the site. No CSR is needed, though you can do it that way if you wish.

What is a tiny bit annoying is their authentication - you need a client authentication cert installed on your browser. Not hard in itself, but annoying if you have let the old one expire as they then need to review your request for a new one.

One other thing is verification that you own the domain, through various methods. Not hard to do, but automated and very necessary.

Comment: Re:Sounds good to me (Score 1) 238

by tom17 (#48524229) Attached to: The Cost of the "S" In HTTPS

What? I think this thread is going off track somewhat. I don't think Dave420 was talking about Client Auth certs. He was talking about root certs installed on the clients. Without the standard set of root and intermediate certs installed on the client (Installed by default on web browsers and some other clients such as Java virtual machines etc), TLS will not work (Well it will, but there will be warnings).

What Dave420 meant was that the appliances and software solutions that cache/inspect the TLS traffic can only do so if a new root cert is installed on the client. This root cert enables the MITM device to create its own cert for any website without the client throwing up a warning.

Nothing to do with client auth.
