
Comment Re: Phishing is good (Score 1) 212

LetsEncrypt now offers a no cost solution to replace self-signed certs.

This is true only for servers with fully qualified domain names, not for internal servers with private IP addresses or made-up TLDs such as .local or .internal. Is every householder supposed to buy a domain to make HTTPS communication across the LAN with a router, printer, or streaming media server work?

Comment Re:Phishing is good (Score 1) 212

You enable javascript for and then anytime you visit, your browser sits there not running any javascript.

Then phishers are going to make their sites compatible with NoScript, such as by computing the final DOM, serializing it to HTML, and sending that to the mark instead of the script that generates the DOM.

Comment Re:Encryption without trust = dangerous illusion (Score 1) 212

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs

WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.

Comment OCSP actually is a short-term certificate (Score 1) 212

The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OCSP stapling"

An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.

Sovereign Keys

From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".

Comment Re: blacklist them (Score 1) 212

A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.

Comment Re:The following is going to happen. (Score 1) 212

Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.

With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.

Comment Caching by you vs. by your ISP (Score 1) 212

An unencrypted connection is fast, cacheable, and secure enough when you're just transferring photos and cat videos.

As far as I know, my browser does cache content served over https exactly the same as served over http.

But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)

Comment How big is the DANE key? (Score 1) 212

[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help

Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.

Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.

It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".

Comment Block all DVs (Score 1) 212

The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Comment Re:A way better solution (Score 1) 258

Literally never seen another stuck signal, and that was a temporary kit pulled from the trailer of a work vehicle. What makes you think this is a big problem?

Having seen several stuck signals in my home town. But then I guess a lot more signals are stuck for bikes than for cars.

Comment Re:Complain daily (Score 1) 258

They don't need me to tell them it's a bad intersection

They do if the city uses citizen reports as a metric to prioritize allocating budget for improvements to its intersections.

Another thing... are you suggesting that my lack of reporting this makes my analysis of the issue less valid?

No. But in my opinion, one analyzes an issue in order to find a solution.

Or are you simply trying to gently redirect the conversation

Yes. The conversation went in one direction, namely clarification of the problem with this particular approach. Once I realized the problem was an underprovisioned LTYOG, that direction concluded, and I redirected it toward what can be done about the problem.

from pointing out that your counterpoint isn't very good to a conversation about my poor citizenship?

I'm trying to be helpful, suggesting measures that have a chance of getting a problem solved.
