
Comment Re:How To Untrust the Blue Coat CA Cert (Score 1) 44

The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.

The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.

Comment Re:Anything other than eye candy? (Score 1) 174

I will tell you what Fedora version I plan to skip: whatever initially switches us to Wayland. That will be a guaranteed shit-show, and a good call to avoid upgrading for a few months. But 24 is solid methinks.

Thanks! Yeah, I'll likely sit that one out as well. X works just fine for what I do.

Comment Re:How To Untrust the Blue Coat CA Cert (Score 2) 44

This is spot-on.

As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the details of the certificate to even notice anything unusual.

So all the scruples reside with the device owner, not the manufacturer. As delivered, the devices can impersonate ANY server certificate. It's up to the implementer to construct policies that exclude traffic to certain servers or of certain categories from this ability.
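The mechanism both Blue Coat comments above describe (a proxy that holds a CA certificate and key, mints a certificate on demand for whatever hostname the client asked for, and has the browser accept it because the CA chains to something in its trust store), as an added example. This is not code from the original page or from Blue Coat; it is written in Go against the standard library only. The CA name, the hostname www.example.com and the Interceptor type are assumptions for illustration, and a self-signed CA stands in for the publicly chained intermediate the comments discuss, so the second validation below adds that CA to the trust pool explicitly to play the role the intermediate plays for an out-of-the-box client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Interceptor stands in for a transparent proxy holding a CA cert and key.
// All names here are assumptions for the example, not Blue Coat's CA identity.
type Interceptor struct {
	CA     *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewInterceptor creates a self-signed CA named caName. On a real appliance
// this is the intermediate that chains to a publicly trusted root.
func NewInterceptor(caName string) *Interceptor {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Interceptor{CA: ca, key: key, serial: 2}
}

// Forge mints a server certificate for host on demand, signed by the proxy CA:
// the imposter certificate the browser receives instead of the real server's.
func (p *Interceptor) Forge(host string) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	p.serial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.CA, &leafKey.PublicKey, p.key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// Verify runs the chain validation a browser runs: leaf must chain to a CA in
// roots (the client's trust store) and carry host as a DNS name.
func Verify(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IssuerCN is the detail a user has to open the certificate dialog to see;
// an issuer the site never uses is the tell-tale sign of interception.
func IssuerCN(leaf *x509.Certificate) string {
	return leaf.Issuer.CommonName
}

func main() {
	proxy := NewInterceptor("Example Interception CA (stand-in)")
	leaf := proxy.Forge("www.example.com")
	fmt.Println("issuer seen by the browser:", IssuerCN(leaf))
	fmt.Println("CA not trusted:", Verify(leaf, "www.example.com", x509.NewCertPool()))
	trusted := x509.NewCertPool()
	trusted.AddCert(proxy.CA)
	fmt.Println("CA trusted:", Verify(leaf, "www.example.com", trusted))
}
```

Run as-is, the first Verify fails with an unknown-authority error and the second succeeds, which is the whole point of the comments: nothing about the forged leaf is malformed, so a client whose trust store already reaches the signing CA sees a clean padlock, and the only visible difference is the issuer name returned by IssuerCN. The hostname check still applies even when the CA is trusted, so the proxy has to mint a fresh certificate per destination rather than reuse one.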

Comment Good way to die. (Score 1) 582

There are things I love about this town, and things I despise; and this sort of sanctimonious bullshit ranks high on the latter.

I actually hope someone gets killed doing that. You have absolutely *no* idea why any person at any given moment is driving in a particular manner. Could be they're just late, could be a life-threatening medical emergency. What gives *you* the right to presume anything and then try to impose your presumption onto anyone else?

Seriously, that's the worst sort of selfish assholery. And while I might not shoot you dead myself for deliberately impeding my way, if such a case came before me as a juror, it's unlikely I'd convict someone else for doing it.
