Comment Re: Phishing is good (Score 1) 212

LetsEncrypt now offers a no cost solution to replace self-signed certs.

This is true only for servers with fully qualified domain names, not for internal servers with private IP addresses or made-up TLDs such as .local or .internal. Is every householder supposed to buy a domain to make HTTPS communication across the LAN with a router, printer, or streaming media server work?

Comment Re:Phishing is good (Score 1) 212

You enable javascript for paypal.com and then anytime you visit paypall.com, your browser sits there not running any javascript.

Then phishers are going to make their sites compatible with NoScript, such as by computing the final DOM, serializing it to HTML, and sending that to the mark instead of the script that generates the DOM.

Comment Re:Encryption without trust = dangerous illusion (Score 1) 212

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs

WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.

Comment OCSP actually is a short-term certificate (Score 1) 212

The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OCSP stapling"

An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.

Sovereign Keys

From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".

Comment Re: blacklist them (Score 1) 212

A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.
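
The check a browser performs for a domain-validated certificate is, in the end, a hostname match: does any name in the certificate's subjectAltName equal the host the user typed? The following is an added example, not code from the Slashdot thread or from any browser, implementing that match under the RFC 6125 / RFC 2818 wildcard rules as browsers commonly apply them (the wildcard must be the whole leftmost label, it matches exactly one label, and it must be followed by at least two labels). The certificate names and hostnames used in the usage block are constructed; `certificate_names_host` and `_name_matches` are names chosen here. Note what the function cannot tell you: a certificate for `paypall.com` matches `paypall.com` just as well as one for `paypal.com` matches `paypal.com`.

```python
# Added example (not from the thread): subjectAltName hostname matching as
# performed for a DV certificate. It answers "does this certificate name this
# host?" and nothing else, which is exactly the scope the comment describes.
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True if host is an IPv4/IPv6 literal; wildcard names never match those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and the only wildcard.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Reject overly broad patterns such as "*.com": at least two labels must
    # follow the wildcard.
    if len(p_labels) < 3:
        return False
    if _is_ip_literal(hostname):
        return False
    # The wildcard matches exactly one label; everything after it must agree.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names_host(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry in the certificate matches hostname."""
    return any(_name_matches(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed certificate name lists, not real certificates.
    cases = [
        (["www.paypal.com"], "www.paypal.com"),      # exact match
        (["paypall.com", "www.paypall.com"], "paypall.com"),  # typosquat matches its own cert
        (["*.paypal.com"], "www.paypal.com"),        # wildcard covers one label
        (["*.paypal.com"], "paypal.com"),            # wildcard does not cover the bare name
        (["*.paypal.com"], "a.b.paypal.com"),        # nor two labels
        (["*.com"], "paypal.com"),                   # too broad, rejected
    ]
    for names, host in cases:
        print(f"{host:>18} vs {names}: {certificate_names_host(names, host)}")
```

The DV validation step is only this name comparison plus chain and revocation checks; no part of it consults trademark ownership or the similarity of the name to another site, which is the comment's point.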

Comment Re:The following is going to happen. (Score 1) 212

Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.

With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.

Comment Caching by you vs. by your ISP (Score 1) 212

An unencrypted connection is fast, cacheable, and secure enough when you're just transferring photos and cat videos.

As far as I know, my browser does cache content served over https exactly the same as served over http.

But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)

Comment How big is the DANE key? (Score 1) 212

[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help

Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.

Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.

It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".
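
The objection above turns on the size of the RSA keys used to sign the root and TLD zones. The following is an added example, not code from the thread, of the kind of check that objection implies: parse a DNSKEY record (RFC 4034 RDATA layout, RSA public keys in the RFC 3110 encoding), recover the modulus size, and flag RSA keys below a policy threshold. The two sample records are constructed for the example and are not the real root or TLD keys; the 2048-bit threshold and the function names `assess_dnskey_text` and `rsa_modulus_bits` are assumptions of this example.

```python
# Added example (not from the thread): DNSKEY parsing and an RSA key-size check.
import base64
import struct

# RFC 4034 DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key.
# RSA public keys (RFC 3110): exponent length (1 byte, or 0 followed by a
# 2-byte length), the exponent, then the modulus.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the modulus size in bits of an RFC 3110 encoded RSA public key."""
    if not pubkey:
        raise ValueError("empty public key")
    exp_len = pubkey[0]
    offset = 1
    if exp_len == 0:  # long form: a two-byte exponent length follows
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len = struct.unpack("!H", pubkey[1:3])[0]
        offset = 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey_rdata(rdata: bytes):
    """Split DNSKEY RDATA into (flags, protocol, algorithm, public key)."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return flags, protocol, algorithm, rdata[4:]


def parse_dnskey_presentation(text: str) -> bytes:
    """Convert the zone-file form 'flags protocol algorithm base64...' to RDATA."""
    fields = text.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def assess_dnskey(rdata: bytes, minimum_rsa_bits: int = 2048) -> dict:
    """Describe a DNSKEY and flag RSA keys shorter than minimum_rsa_bits (assumed policy)."""
    flags, protocol, algorithm, pubkey = parse_dnskey_rdata(rdata)
    result = {
        "ksk": bool(flags & 0x0001),       # SEP bit marks a key-signing key
        "zone_key": bool(flags & 0x0100),  # ZONE bit
        "protocol_ok": protocol == 3,      # RFC 4034 requires protocol 3
        "algorithm": RSA_ALGORITHMS.get(algorithm, f"alg {algorithm}"),
        "bits": None,
        "weak": False,
    }
    if algorithm in RSA_ALGORITHMS:
        result["bits"] = rsa_modulus_bits(pubkey)
        result["weak"] = result["bits"] < minimum_rsa_bits
    return result


def assess_dnskey_text(text: str, minimum_rsa_bits: int = 2048) -> dict:
    return assess_dnskey(parse_dnskey_presentation(text), minimum_rsa_bits)


# Constructed sample records (not real DNSSEC keys): exponent 65537 with a
# 1024-bit and a 2048-bit modulus in the RFC 3110 short form.
_EXPONENT = b"\x03\x01\x00\x01"
_MODULUS_1024 = b"\xc3" + bytes(range(1, 128))
_MODULUS_2048 = b"\xb7" + bytes([0x5A]) * 255
SAMPLE_KSK_1024 = "257 3 8 " + base64.b64encode(_EXPONENT + _MODULUS_1024).decode()
SAMPLE_ZSK_2048 = "256 3 8 " + base64.b64encode(_EXPONENT + _MODULUS_2048).decode()


if __name__ == "__main__":
    for record in (SAMPLE_KSK_1024, SAMPLE_ZSK_2048):
        print(assess_dnskey_text(record))
```

Non-RSA algorithms (for example algorithm 13, ECDSA P-256) are reported with `bits` left as `None`, since the RSA modulus rule does not apply to them; a real audit would pull the records with `dig DNSKEY <zone>` and feed each line to `assess_dnskey_text`.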

Comment Block all DVs (Score 1) 212

The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Comment Re:If I had my way... (Score 2) 221

I'd seriously like to see the courts side with consumers and insist Lexmark must refill the cartridge for free as long as I own the printer. Let's see how fast the printer companies back off from their outrageous claims.

All of the printer companies have a history of abusing the legal system. Lexmark just happens to be the worst offender.

Comment Re:A way better solution (Score 1) 258

Literally never seen another stuck signal, and that was a temporary kit pulled from the trailer of a work vehicle. What makes you think this is a big problem?

Having seen several stuck signals in my home town. But then I guess a lot more signals are stuck for bikes than for cars.
