Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:Leakage of data is a big problem with certs (Score 1) 63

Which goes to show you how leaking of telemetry info is one of the biggest problems with certs.

How so?

So I have a server on my local network. To enable https, it needs a cert and you click through a form to create a Lets Encrypt cert. BUT if you do that, then you've injected an outside body in the verification!

What do you mean? If you mean the server validates its identity to the certificate authority, then yes, that's true. That's the point.

Each time it contacts that to check the cert, its informing the certificate company that you are accessing your own server on your own network

Let's Encrypt intends that the certificate issuance process is automated, such as with a cronjob. Thus, if you do things right, the server will periodically re-validate your site with Let's Encrypt and renew certificates automatically. This is intended.

If you mean that clients will query the CA's OCSP servers to verify the validity of the certificate, yes, this is true and a minor privacy concern. Fortunately, all modern browsers and servers support OCSP stapling. The server can, with a few lines (or enabling an option in Certbot, the major Let's Encrypt client), handle the OCSP checking itself and "staple" a signed OCSP response to the normal secure handshake. The stapled response is valid for a short period of time (a few days) and the server will query the OCSP servers periodically to get a fresh response. This way, clients don't reveal their browsing habits to the CA and the CA requires less resources for their OCSP servers. Win-win for all. If you haven't already, turn on OCSP stapling on your server.

Of course, if a server doesn't support OCSP stapling, browsers will fall back to querying the CA's OCSP responders.

Firefox should handle self signed certificates better. It treats them as dodgy, but they are not.

How would the browser know they're not dodgy? They are, by definition, self-issued. Anyone, including a bad guy, can make a self-signed certificate saying they're anyone else. There's no in-band way of authenticating a self-signed certificate.

Sure, one can manually elect to trust a self-signed certificate if one knows what one's doing, but the typical user is not knowledgeable enough to do that securely.

A certificate authority injected between you and a known server represents an unwanted man-in-the-middle.

The CA is not a "man in the middle", in that they're not involved in the secure handshake at all. They simply are a third party vouching for the validity of the information contained in the certificate: "We verified that the administrator of www.example.com controls that site and requested a certificate."

CAs undergo stringent vetting and auditing to ensure they follow specific policies before they're trusted by browsers, as well as annual audits thereafter. Is it perfect? No. Have CAs made errors, been compromised, or acted poorly? Yes, and in many cases those CAs received the "death penalty" of having their trust revoked by browsers. Still, it's the least-bad system available that scales for the internet. If you can think of something better, by all means, implement it.

Comment Re: I like the idea of encryption (Score 1, Informative) 63

It's only "free" if you don't value your time (the certs expire every few months), or if you don't need an EV cert, or if you don't need a wildcard cert.

Let's Encrypt intends that the installation and maintenance (e.g. renewal) is automated. A simple daily cronjob checks if any Let's Encrypt certs on that system are in need of renewal and, if so, handles the validation, issuance, and installation of those certs completely automatically. If anything, it dramatically *saves* admin time.

The vast majority of sites don't need EV or wildcard certs, so Let's Encrypt is perfect for them.

Comment Re:I thought this app was for privacy? (Score 5, Informative) 88

It says it needs access to:

Device & App History


All the permissions Signal requires are explained here. They all make sense in context, and many can be disabled without affecting normal use (e.g. location, calendar, camera, etc.).

To answer your question about SMS in particular, OWS says "Signal is capable of functioning as a complete replacement to your phone’s stock messaging application. In order to do this, it needs to be able to send and receive text messages (both SMS and MMS). You can also import your existing messages into Signal when it is first installed, and these permissions allow that database to be read as well."

Comment Re:GAO is right (Score 1) 296

That's all perfectly true, but how do you get the clients to trust the alternate root? Essentially all DNSSEC-capable resolvers come with the ICANN root being trusted. Essentially all the distribution channels are protected from tampering (e.g. package managers like apt, downloading binaries or source from the developer's website, etc. all use digital signatures, many use HTTPS, etc.).

Short of impractically-extreme measures (e.g. maintaining and mandating the use of software repos, mirrors, etc. that include the alternate root's key, mirroring the entire DNS tree with entries signed by the alternate root), even state-level attackers will have a tough time forcing clients to trust the alternate root key.

Comment Re:GAO is right (Score 3, Informative) 296

How exactly then will this work when one DNS server has a record for one Ip address and another points to another such as an anti Putin site?


Due to the nature of DNSSEC, so long as the root is trusted all DNSSEC-enabled domains (assuming they're part of a signed TLD) are protected from such forgeries.

A large-scale attacker could certainly setup their own DNS infrastructure that's essentially the same as the standard system but with some minor modifications to redirect specific domain names to systems they control, but this would cause DNSSEC failures (assuming the resolver supports DNSSEC).

Comment Re:Booo! (Score 1) 29

Out of curiosity, does your setup provide per-user control over spam/not-spam? That is, can a user flag a false-negative as spam and a false-positive as not-spam so the filters can be automatically tuned? Ideally this would be done by simply moving things into different folders in IMAP (e.g. move something into the Spam folder, it gets flagged as spam. Move something out of the spam folder, it gets flagged as not-spam.) rather than needing a separate web interface. If so, how did you go about setting that up?

I ask because I've been looking at doing something similar, but haven't found anything that does quite what I want.

Comment Re:Signal is great (Score 1) 171

True about the desktop version. They had something that claimed to be a desktop version, but when I ran it the first thing it wanted was a mobile #. Uhh.... my desktop PC doesn't have a phone number!

Signal uses your mobile number as a unique identifier akin to a username. Even if you don't run the app on a phone, you need to give it a mobile number to actually use the service.

That said, Signal is designed to be mainly used on mobile devices. The desktop version is convenient, but isn't really meant to be the primary means of using the service.

Comment Re:Which one should you be using? (Score 1) 171

The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

Users can install multiple messaging apps. I, for one, have several: Signal, WhatsApp, Google Hangouts, Skype, etc.

So far it works fine, and most of my friends and family use Signal.

Comment Re:Why not press the switch (Score 2) 170

It's easy to know how a GPS receiver will work if there's no signal: it simply doesn't function.

But how does it function in the presence of strong jamming signals of different types? Does it produce spurious errors? False position or timing data? Does it have other issues? Can very strong signals cause damage to various components like amplifiers and the exquisitely sensitive receiver circuits?

I'm just speculating, but I suspect that they'll be doing tests of that type.

Comment Re:And what's our suggestion to friends and family (Score 1) 79

Have good, versioned backups. I like CrashPlan, as one can use it to backup to various destinations, including local systems/disks, remote systems associated with one's account, remote systems belonging to others (so long as they give permission), and for paid users, to the CrashPlan-run storage service.

All backups are encrypted so that the destinations cannot access one's data, it keeps regular versions so one can easily recover from a ransomware (or other) infection that corrupts or destroys files slowly over time, and compresses/deduplicates data to save space. I've used it for years and it's saved my bacon a few times. Their family plans are quite affordable.

(Disclosure: I am a paid CrashPlan user but otherwise have no connection, financial or otherwise, with the service.)

Comment Re:Why worry about credit cards? (Score 1) 64

I'm under no obligation to pay until the investigation and any related processes are ongoing.

Sorry, it's late. I meant to say I'm under no obligation to pay until the investigation and any related processes are complete (and I'd only need to pay if the investigation shows the charge was legitimate; obviously I'd not need to pay if the charge was fraudulent).

Comment Re:Why worry about credit cards? (Score 2) 64

That's why I essentially never use debit cards and advocate the use of credit cards: if I contest a charge on a debit card, I'm contesting whether or not I should get my own money back and, as you say, the money may be unavailable during the investigation.

With credit cards, I'm contesting if I owe the bank money and I'm under no obligation to pay until the investigation and any related processes are ongoing.

In regards to eBay, the merchants never get your credit card information. Virtually all transactions go through PayPal, which has its own buyer protection options above and beyond what your credit card offers. Things might have been different eight years ago.

Slashdot Top Deals

Steve Jobs said two years ago that X is brain-damaged and it will be gone in two years. He was half right. -- Dennis Ritchie