malware is good

Apr 21, 2016 03:17

Subjunctive posted:
> I dunno, the credible death threats Kathleen and I got when Mozilla added CNNIC as a root were pretty fun. (Mozilla and Google now actively distrust that root, even if cross-signed, because of grossly improper issuance. Microsoft continues to trust it fully as a root.)

People on the Internet and their loving death threats, will we ever grow up?

Apr 21, 2016 03:19

wait, what?

Apr 21, 2016 03:20

Rufus Ping posted:
> dishing up disreputable poo poo on port 443

is it too early for a new thread title

Apr 21, 2016 03:27

at the very least that is my new grunge album title

Apr 21, 2016 03:27

pseudorandom name posted:
> wait, what?

in 2009 or 2010, CNNIC (Chinese internet organ) applied to be added as a root to the Mozilla cert database (and thereby to Chrome's and probably Apple's, since they just used the Mozilla one). they did all the right things in terms of audit and so forth, so they met our policy requirements, and we decided that they would be added to the list. other gov'ts controlled roots already.

there was some disagreement with this decision. in addition to the usual mailing list and internet frothing, both myself and the person who operated the CA program for me (Kathleen) received death and assault threats that were specific enough that the police agreed that they should be investigated. it was mostly stuff you could learn from wikipedia and my blog posts, but there were other pieces of fact that were apparently signals that it wasn't necessarily all talk. (the police never said what elements made them think it deserved more attention.) nothing ever happened, and a month or so later the cops said that they didn't think there was anything to worry about.

the CNNIC root, meanwhile, was shipped in Mozilla's root store, as well as Chrome's, Microsoft's, and Apple's. five years later, CNNIC was caught issuing an unconstrained intermediate, which was used for MITM attacks. in response, Mozilla and Google set notBefore blocks on CNNIC-issued certs. last I heard, Microsoft and Apple both kept the root in place without constraint.

Apr 21, 2016 03:32

Shaggar posted:
> If they have a Lets Encrypt cert you cannot trust them. All you can do is guarantee your traffic is encrypted.

All Lets Encrypt certs accomplish is the one thing they set out to do. Go figure. If you want validation that the website itself isn't going to steal your CC information then maybe you should be petitioning the Better Business Bureau to set up their own CA.

ErIog fucked around with this message at 03:43 on Apr 21, 2016

Apr 21, 2016 03:40

Shaggar complains about all them certs things but really loves that language whose installer tries to get people to install a search toolbar

Apr 21, 2016 03:42

Subjunctive posted:
> if you want to deal with bad behaviour (or catastrophic error) post-issuance, you need short cert lifetimes. that's why LE has them.

The overhead required in setting up a new company and getting clean employees would eventually outweigh the gains from the illegal activity. Certainly more than "oh, just click this button to get a new cert, no questions asked." Also I don't see how it would be a civil rights violation to deny a known fraudster a certificate.

quote:
> their policy was quoted above. which other CA has a policy on this that you would like LE to adopt instead?

I guess I want to see more EV certificate related policy enforcement prior to issuance on all certs, not just EV certs. CNNIC is still in the Microsoft and Apple roots because they want to do business in China and regular users wouldn't understand if those certs weren't in there. Nothing prevents you from removing it from the stores yourself and you could do it w/ group policy to revoke it across entire domains. I suppose they could limit the installation to devices sold in China, though.

Apr 21, 2016 03:44

ErIog posted:
> All Lets Encrypt certs accomplish is the one thing they set out to do. Go figure.

why do you care about encryption if you don't trust the other end?

Apr 21, 2016 03:44

Shaggar posted:
> The overhead required in setting up a new company and getting clean employees would eventually outweigh the gains from the illegal activity. Certainly more than "oh, just click this button to get a new cert, no questions asked." Also I don't see how it would be a civil rights violation to deny a known fraudster a certificate.

If someone is convicted of fraud and serves their sentence, they should not be denied the ability to have communication with their server be secured against eavesdropping. Nor should a possession charge keep someone from being able to start an internet business. Similarly with someone who is charged by the Russian/Chinese/Saudi/Alabama government with something and convicted in absentia.

Setting up (faking) a company in many countries is very easy, especially if you are a crime syndicate, and the proceeds from malware deployments are hard to eclipse with administrative fees. If malware deployment wasn't very profitable, criminals wouldn't be interested in it, and the market for vulnerabilities wouldn't be so lucrative. Of course, people don't even have to incorporate, they can just use an individual's identity, and they won't run out of those any time soon. People borrow national identifiers in order to play KMMOs before launch in the west, criminal organizations aren't going to blink.

Both Apple and Microsoft did business in China before 2010 when the root was added, and nobody can use Chrome or Firefox with a site that's issued by CNNIC's root since whatever-2015, so I doubt it would really cause a lot of user consternation. But is your argument that Microsoft doesn't have standards for maintaining inclusion? Removing any cert could cause user confusion, so I guess they would never revoke a certificate for bad behaviour. (Coincidentally, this line of reasoning from MSFT is why EV is a separate class of certificate from DV.)

Apr 21, 2016 03:52

CommunistPancake posted:
> i feel like if you're already paying for a domain you're not going to give up when you see that it's another for a cert

Apr 21, 2016 03:55

anthonypants posted:
> no he's saying that $10 for an SSL cert in addition to a $10 domain is far too steep a price for anyone who wants to scam or spread malware

I loving wish.

Apr 21, 2016 03:58

What do regular certs (not code signing certs) have to do with malware

Apr 21, 2016 03:58

Rufus Ping posted:
> What do regular certs (not code signing certs) have to do with malware

because when shaggar sees a lock in the URL bar he thinks that the site has been granted top secret clearance and had a 3rd party audit of its IT practices and gets regular visits from the secret service. further, he believes that everyone else thinks that too, and therefore will trust the site unfailingly and fall victim to its nefarious malware shipping

Apr 21, 2016 04:00

Subjunctive posted:
> because when shaggar sees a lock in the URL bar he thinks that the site has been granted top secret clearance and had a 3rd party audit of its IT practices and gets regular visits from the secret service. further, he believes that everyone else thinks that too, and therefore will trust the site unfailingly and fall victim to its nefarious malware shipping

Shaggar posted:
> ssl/tls: see shiny lock/totally legit site

Apr 21, 2016 04:03

Subjunctive posted:
> because when shaggar sees a lock in the URL bar he thinks that the site [...] gets regular visits from the secret service

SA has the lock so this checks out

Apr 21, 2016 04:11

Subjunctive posted:
> If someone is convicted of fraud and serves their sentence, they should not be denied the ability to have communication with their server be secured against eavesdropping. Nor should a possession charge keep someone from being able to start an internet business. Similarly with someone who is charged by the Russian/Chinese/Saudi/Alabama government with something and convicted in absentia.

quote:
> Setting up (faking) a company in many countries is very easy, especially if you are a crime syndicate, and the proceeds from malware deployments are hard to eclipse with administrative fees. If malware deployment wasn't very profitable, criminals wouldn't be interested in it, and the market for vulnerabilities wouldn't be so lucrative. Of course, people don't even have to incorporate, they can just use an individual's identity, and they won't run out of those any time soon. People borrow national identifiers in order to play KMMOs before launch in the west, criminal organizations aren't going to blink.

quote:
> Both Apple and Microsoft did business in China before 2010 when the root was added, and nobody can use Chrome or Firefox with a site that's issued by CNNIC's root since whatever-2015, so I doubt it would really cause a lot of user consternation. But is your argument that Microsoft doesn't have standards for maintaining inclusion? Removing any cert could cause user confusion, so I guess they would never revoke a certificate for bad behaviour. (Coincidentally, this line of reasoning from MSFT is why EV is a separate class of certificate from DV.)

Apr 21, 2016 04:11

Subjunctive posted:
> because when shaggar sees a lock in the URL bar he thinks that the site has been granted top secret clearance and had a 3rd party audit of its IT practices and gets regular visits from the secret service. further, he believes that everyone else thinks that too, and therefore will trust the site unfailingly and fall victim to its nefarious malware shipping

that's not what I've said at all but ok

Apr 21, 2016 04:12

Shaggar posted:
> It's still a barrier that lets encrypt is removing. hopefully they all migrate to lets encrypt so it becomes a honeypot

that barrier didn't ever exist, as much as you apparently wish that only Good People were allowed to encrypt their traffic reliably

Apr 21, 2016 04:14

again, I'm not talking about encryption, I'm talking about trust. they aren't the same thing. There is an illusion of trust provided by DV certs that I would like to see go away, and Lets Encrypt is moving in the wrong direction.

Apr 21, 2016 04:17

Shaggar posted:
> again, I'm not talking about encryption, I'm talking about trust. they aren't the same thing.

That's funny, because it seems like the way LE is going about it is exactly the right way to shatter that illusion.

Apr 21, 2016 04:23

it's the worst way because now every site will provide that illusion and users will be worse off than ever before.

Apr 21, 2016 04:24

the forums should totally get an EV cert. that would rule.

Apr 21, 2016 04:31

suffix posted:
> SA has the lock so this checks out

Apr 21, 2016 04:32

Shaggar posted:
> it's the worst way because now every site will provide that illusion and users will be worse off than ever before.

It doesn't matter if every site now has that effect, the "bad" sites always had the benefit of that. Giving all the benign sites the same treatment is not any sort of additional risk.

Apr 21, 2016 04:34

the "trust" comes from being already familiar with the site I'm trying to visit. I just want to know that I'm connecting to the real Facebook, eBay, Google, Microsoft, mydomain, etc. I'm not going to enter my bank info or download a Microsoft update from a random site just because it has a cert

Apr 21, 2016 04:36

right. that's fine for me or you where we understand how DNS works. It's not enough for grandma who doesn't understand the difference between facebook.com and facesbook.com but she sees both have the same lock which she's been told means it's ok.

Apr 21, 2016 04:40

well the browser ui needs to change then, and let's encrypt is the first step for that. what you want is outside the scope of registrars and cert authorities. maybe we should make some sort of distributed ledger of trusted sites

Apr 21, 2016 05:00

Shaggar posted:
> right. that's fine for me or you where we understand how DNS works.

I see you're conveniently ignoring Subjunctive's specific comments on "actually research shows people don't give a gently caress about the lock". Shaggar, this is a really dumb hill to pick to die on, even for you

Apr 21, 2016 05:04

Shaggar posted:
> right. that's fine for me or you where we understand how DNS works.

that won't happen because of Internet Explorer's SmartScreen Filter which has existed since IE8. how do you not know about this?

Apr 21, 2016 05:07

Gotta say, it's pretty bogus that LE currently does not issue certificates for IDN domains. As most of us (excluding Shaggar) agree, it's about encrypting everything, not preventing encrypted phishing, malware, etc. So why the double standard here?

The responsible registries enforce policies with respect to which IDN characters they permit in top-level domains and some certainly already actively protect against lookalike domains. Responsible web browsers take protective steps such as only showing the unicode characters belonging to user-accepted locales. So then, why is "free certs for all" LE preventing me from putting a certificate on my unicode domain (on a Chinese TLD) that, at last check, is also not supported by any of the for-money CAs for want of demand? I can obviously issue certs on my own CA and try to bully people into installing it, but that hardly works for consumption by the world at large.

(They kinda sorta sound like they want to, but seriously, they deliberately blocked it for now) Ref: https://github.com/letsencrypt/boulder/issues/597

Edit - skimming everything after posting it reveals:

https://letsencrypt.org/upcoming-features/ posted:
> IDN Support

Well, then!

James Baud fucked around with this message at 05:41 on Apr 21, 2016

Apr 21, 2016 05:23
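The facebook.com vs. facesbook.com worry a few posts up and the IDN lookalike discussion in this post come down to the same defender-side question: can a hostname be told apart from the one the user thinks they are visiting? Below is an added example, not code from anyone in this thread or from Let's Encrypt, showing the three checks browsers and registries lean on: decoding punycode labels, flagging labels that mix scripts, and folding confusable characters into a Latin "skeleton" that is compared with a list of known sites. The site list and the confusables table are constructed for the demo; the real Unicode confusables data (TR39) is far larger. Note that a whole-script homograph such as apple.com spelled entirely in Cyrillic passes the mixed-script check, which is exactly why browsers fall back to the per-locale display policies the poster mentions.

```python
"""Lookalike-hostname checks (added example, not code from anyone in the thread).

Three checks on a hostname, using only the Python standard library:
  1. decode any punycode (xn--) labels to their Unicode form,
  2. flag labels that mix scripts (e.g. Latin letters plus a Cyrillic 'a'),
  3. fold confusable characters to a Latin "skeleton" and compare it against
     a constructed list of well-known sites, catching both whole-script
     homographs (apple.com spelled entirely in Cyrillic) and typo-squats
     such as facesbook.com.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed list of sites the user already knows; in practice this would be
# the browser's or organisation's own list of high-value domains.
KNOWN_SITES = ["facebook.com", "google.com", "microsoft.com", "ebay.com",
               "apple.com", "paypal.com"]

# Constructed subset of Unicode confusables mapped to the Latin letter they
# resemble. The real confusables table (Unicode TR39) is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o", "1": "l",  # digit-for-letter typo-squats
}


def to_unicode(host):
    """Decode xn-- labels with the raw punycode codec.

    The stdlib 'idna' codec is deliberately avoided: its nameprep step rejects
    code points newer than Unicode 3.2 (the palochka used in the Cyrillic
    apple.com homograph, for one), which would make the check fail on exactly
    the names it should catch.
    """
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep it as written so the checks still see it
        labels.append(label)
    return ".".join(labels)


def label_scripts(label):
    """Set of scripts used in one label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, CJK, ...).

    Digits and hyphens are ignored because every script legitimately uses them.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if not (ch.isdigit() or ch == "-")}


def skeleton(host):
    """Lower-case, NFKC-normalise and fold confusables to Latin letters."""
    folded = unicodedata.normalize("NFKC", to_unicode(host).lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyse(host):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    decoded = to_unicode(host).lower()
    for label in decoded.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    skel = skeleton(host)
    for known in KNOWN_SITES:
        if skel == known and decoded != known:
            findings.append(f"homograph of {known}")
        elif skel != known and SequenceMatcher(None, skel, known).ratio() >= 0.9:
            findings.append(f"near-miss of {known}")
    return findings


if __name__ == "__main__":
    # Constructed inputs. The A-label is built from the Cyrillic spelling so the
    # demo does not depend on remembering the exact punycode string.
    cyrillic_apple = "xn--" + "\u0430\u0440\u0440\u04cf\u0435".encode("punycode").decode("ascii") + ".com"
    for host in ["facebook.com", "facesbook.com", "p\u0430ypal.com", cyrillic_apple, "\u4e2d\u56fd.cn"]:
        print(host, "->", analyse(host) or "ok")
```

Run it directly to see each constructed hostname with its findings. The single-script Chinese name comes back clean while the mixed-script paypal and the all-Cyrillic apple are both caught, the latter only by the skeleton comparison; that asymmetry is the reason registries restrict permitted character sets per TLD and browsers restrict which scripts they will display unencoded.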

wasn't there some thing about how chrome wants to go from no-lock/lock to broken-lock/no-lock precisely because people don't look for positive security signals

Apr 21, 2016 05:34

Shaggar posted:
> the steps to use the automated system are just as complex as setting up the certs yourself if not more so

I installed let's encrypt with apt-get and filled out like two questions, one of which was my domain name, and it enabled SSL on my website.

Apr 21, 2016 06:56

OSI bean dip posted:
> this is horrible because shaggar cannot see the forest from the trees here okay?

OSI bean dip posted:
> this is horrible because shaggar

Apr 21, 2016 06:59

ilu shaggar

Apr 21, 2016 06:59

i'm glad i brought up lets encrypt. but yeah, in case anyone was wondering, keep rear end is a p deece password manager if you can get past the insecure method of actually obtaining it. tho keep in mind what other posters said about "every nerd has their favourite password manager who gives a poo poo" and how keep rear end being open sores means things can be a big mess of plugins

Apr 21, 2016 07:12

how do i encrypted web???

Apr 21, 2016 07:25

the keepiss pricing looks pretty bad. $5 per month for the family plan with more options than the $65 one-time-payment thing, and licenses for all the apps, but you don't get "flexible sync options". weird??

Apr 21, 2016 07:44

atomicthumbs posted:
> the keepiss pricing looks pretty bad. $5 per month for the family plan with more options than the $65 one-time-payment thing, and licenses for all the apps, but you don't get "flexible sync options". weird??

keepass is free? i think you're talking about 1password

Apr 21, 2016 07:48