the real punchline is that CA root gatekeeping has been terrible since Netscape and Microsoft created the industry, and there's no way to fix it. we have EV at all because Microsoft had CA contracts that didn't let them revoke DV authority for anything short of winning a lawsuit, plus monopoly fear at that point
Aug 19, 2017 23:39

wait are you proposing rolling background checks for every new employee of a CA (like Verisign, Deutsche Telekom, or the government of Belgium) that are then published somewhere? plus a public registry of (unrolled) private company ownership? that is a bold suggestion, if so

E: no, awful, don't edit when I say compose
Aug 19, 2017 23:41

mdl posted:
> surely the browser/ca forum is capable of vetting CAs, which, i would like to point out, account for far fewer heads total than a single CA has customers.

you'd get more information if you didn't edit in your replies
Aug 19, 2017 23:51

the cabforum can't audit poo poo, they have exactly zero staff and even web trust trivialities are a lot of hours
Aug 19, 2017 23:53

Subjunctive posted:
> the real punchline is that CA root gatekeeping has been terrible since Netscape and Microsoft created the industry, and there's no way to fix it

commercial pilots who crash a plane aren't generally given second chances. startcom/wosign flew their plane into the WTC of trust models. is the bar so low that nobody from CAB is even blinking at the notion that a closely affiliated company (and i am being generous) is allowed to simply "reapply"?

Subjunctive posted:
> I've received a background check. the companies I've worked with explicitly don't maintain the database you're describing, and I've never had one that tried to find omissions in a presented employment history. they're also fine with "contractor/consultant" and don't demand a list of clients

i don't know what to say. if the bar is this low and the people responsible for vetting CAs don't care, then the trust model for browsers is a total failure
Aug 19, 2017 23:53

mdl posted:
> commercial pilots who crash a plane aren't generally given second chances. startcom/wosign flew their plane into the WTC of trust models. is the bar so low that nobody from CAB is even blinking at the notion that a closely affiliated company (and i am being generous) is allowed to simply "reapply"?

if you have complaints about the trust model for CAs then go back to 2002 where there's people defending it
Aug 20, 2017 00:01

anthonypants posted:
> there used to be a site at ismytwitterpasswordsecure.com and when you typed into the password field the screen turned red and called you a stupid idiot (but with nicer words)

mdl posted:
> the trust model for browsers is a total failure
Aug 20, 2017 00:01

Subjunctive posted:
> wait are you proposing rolling background checks for every new employee of a CA (like Verisign, Deutsche Telekom, or the government of Belgium) that are then published somewhere? plus a public registry of (unrolled) private company ownership?

the majority of verisign, dt, or belgian government employees have no relation or access to anything concerning the fact that they can act as trusted CAs. i'm not making any specific argument for how to improve things, other than to point out that the policies as they stand are so weak that nothing is being offered that is not already being offered by let's encrypt/DV.

Wiggly Wayne DDS posted:
> you don't seem to grasp that no one is giving them a second chance. leaving them to complain into the void on a bug tracker and postpone any of their lawyers bullshit by giving empty platitudes is a sound strategy

and now they're following up on it, and people should be aware of this. why would you even give them platitudes? the policy for a company that has already been revoked should be to go pound sand

quote:
> if you have complaints about the trust model for CAs then go back to 2002 where there's people defending it

yeah man, we should never discuss anything again, because all the smart guys know that it's broken. and here we are 15 years later, where nothing has improved
Aug 20, 2017 00:11

mdl posted:
> commercial pilots who crash a plane aren't generally given second chances. startcom/wosign flew their plane into the WTC of trust models. is the bar so low that nobody from CAB is even blinking at the notion that a closely affiliated company (and i am being generous) is allowed to simply "reapply"?

how is ur reading comprehension this bad?
Aug 20, 2017 00:12

mdl posted:
> the majority of verisign, dt, or belgian government employees have no relation or access to anything concerning the fact that they can act as trusted CAs.
Aug 20, 2017 00:32

Wiggly Wayne DDS posted:
> do you have anything new to bring to the discussion, or do you want to just go through the same argument everyone from this thread has heard a thousand times over?

Wiggly Wayne DDS posted:
> i'm glad them changing management again erasing all past attempts to hide changes in management
Aug 20, 2017 00:42

lol
Aug 20, 2017 00:47

so that's a no then
Aug 20, 2017 00:51

Wiggly Wayne DDS posted:
> so that's a no then

let it be known that Wiggly Wayne DDS, authority of good posting, has deemed a massive potential security risk for anyone using a mozilla product or a piece of software that depends on ca-certificates unworthy of discussion in the security thread
Aug 20, 2017 00:55

mdl posted:
> let it be known that Wiggly Wayne DDS, authority of good posting, has deemed a massive potential security risk for anyone using a mozilla product or a piece of software that depends on ca-certificates unworthy of discussion in the security thread

how do you not understand that "you're welcome to reapply" is code for "gently caress off and ask me in a way where I can say no without wasting my time"? mozilla isn't doing anything and you're chicken littleing over nothing. subjunctive literally said that but you're too busy hyperventilating to read sentences correctly.
Aug 20, 2017 01:00

unfortunately i don't think that'd fit in the thread title
Aug 20, 2017 01:01

cis autodrag posted:
> how do you not understand that "you're welcome to reapply" is code for "gently caress off and ask me in a way where I can say no without wasting my time"? mozilla isn't doing anything and you're chicken littleing over nothing. subjunctive literally said that but you're too busy hyperventilating to read sentences correctly.
Aug 20, 2017 01:02

Wiggly Wayne DDS posted:
> unfortunately i don't think that'd fit in the thread title

cis autodrag posted:
> Security Fuckup Megathread - v14.1 - you're too busy hyperventilating to read sentences correctly
Aug 20, 2017 01:08

mdl posted:
> let it be known that Wiggly Wayne DDS, authority of good posting, has deemed a massive potential security risk for anyone using a mozilla product or a piece of software that depends on ca-certificates unworthy of discussion in the security thread
Aug 20, 2017 01:18

lol if u don't use chrome anyways
Aug 20, 2017 01:30

cis autodrag posted:
> how do you not understand that "you're welcome to reapply" is code for "gently caress off and ask me in a way where I can say no without wasting my time"? mozilla isn't doing anything and you're chicken littleing over nothing. subjunctive literally said that but you're too busy hyperventilating to read sentences correctly.

yes. if they do nothing, there's no problem. subjunctive mentioned that 1990s-era microsoft monopoly concerns affected the language of the CAB policies. that's an interesting historical point, but if they currently require browser vendors to tiptoe around bad actors applying for re-inclusion, they should probably be amended
Aug 20, 2017 01:36

FAT32 SHAMER posted:
> lol if u don't use chrome anyways

firefox for life
Aug 20, 2017 01:45

mdl posted:
> yes. if they do nothing, there's no problem.

The CAB forum is just a mailing list for the browsers and CAs to communicate. There isn't anything required by the CAB forum from browsers. The browsers all maintain their root stores at their own discretion with their own policies. The CAB forum doesn't even really require anything from CAs. They publish documents just so that the browsers can have something to point at and say "Hey, why aren't you doing this thing that we all talked about?"
Aug 20, 2017 05:01

that's pretty much how the internet works anyway wrt decision making in the IETF and RIRs and such
Aug 20, 2017 06:41

eversion posted:
> you should have added more entropy to the passwords rather than the usernames

we had users being brute forced using poo poo from their twitter timelines. i am not even joking.
Aug 20, 2017 08:27

Shinku ABOOKEN posted:
> we had users being brute forced using poo poo from their twitter timelines. i am not even joking.
Aug 20, 2017 09:37

anthonypants posted:
> why are they posting their password to their twitter

guess what. our users are normies. they're gonna have their interests in their passwords and there's nothing you can do to stop it. shoutout to fuckmanchester@123
Aug 20, 2017 10:11

Shinku ABOOKEN posted:
> shoutout to fuckmanchester@123
Aug 20, 2017 11:12

Lain Iwakura posted:
> so a friend is having fun with sprint today

reason this exists: users putting a symbol on their 108-key computer keyboard in their password and then being unable to find it on their cell phone

workaround: just use a 33 character password without symbols, it's good enough

you're already well into won't be brute forced until the machine uprising territory anyway, what does it matter if an arbitrary requirement stops you from adding a few more orders of magnitude
Aug 20, 2017 14:38

fisting by many posted:
> reason this exists: users putting a symbol on their 108-key computer keyboard in their password and then being unable to find it on their cell phone

didn't the xkcd guy espouse this theory? ah well, the first line of defense in computer security is denying physical access anyway

e: because why did my phone autocorrect "security" into "theory"
Aug 20, 2017 14:42

If your account can get owned by someone calling customer service and asking really nicely, even though there's a note on your account that says "IDENTITY THEFT DO NOT ALLOW CHANGES OVER PHONE", the password complexity really doesn't matter.
Aug 20, 2017 16:04

Volmarias posted:
> If your account can get owned by someone calling customer service and asking really nicely, even though there's a note on your account that says "IDENTITY THEFT DO NOT ALLOW CHANGES OVER PHONE", the password complexity really doesn't matter.

well you see it's just really inconvenient to not help the customer who's calling on the phone right then and there, and they may hang up the phone unsatisfied, so you're better off just changing some personal details including the email address and password and everybody's happy
Aug 20, 2017 16:07

Volmarias posted:
> If your account can get owned by someone calling customer service and asking really nicely, even though there's a note on your account that says "IDENTITY THEFT DO NOT ALLOW CHANGES OVER PHONE", the password complexity really doesn't matter.

You can set up a verbal password on your cell provider so any changes require that password (or going into a store and presenting a physical ID). I have this set up on all my bank accounts too.
Aug 20, 2017 16:25

maskenfreiheit posted:
> You can set up a verbal password on your cell provider so any changes require that password (or going into a store and presenting a physical ID).

100% of the times I've encountered this in person or on the phone I've been able to convince the dipshit to bypass it with a combination of whining, yelling, and saccharine begging. until customer security is more important than customer retention (never), this will always just be more security theatre.
Aug 20, 2017 17:13

syscall girl posted:
> didn't the xkcd guy espouse this theory?

it works if the words are actually independently chosen. "our house is a very very very fine house" does not count
Aug 20, 2017 17:20

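The two entropy claims above, that independently chosen words earn their per-word credit while a lyric does not, and (from the earlier post) that a 33-character password without symbols is already out of brute-force range, as an added example that is not from any poster in the thread. The ten-word list and the phrase dictionary are constructed stand-ins for a real Diceware list and a cracker's lyric/quote dictionary.

```python
import math
import secrets

# Constructed toy wordlist (assumption); a real Diceware list has 7776 entries and
# the xkcd "correct horse battery staple" estimate assumes about 2048.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "stone",
            "apple", "cloud", "house", "fine"]

# Constructed stand-in for the lyric/quote dictionary a cracker tries first.
KNOWN_PHRASES = [
    "our house is a very very very fine house",
    "correct horse battery staple",
    "to be or not to be",
    "never gonna give you up",
]

def independent_words_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy when every word is drawn uniformly and independently from the list."""
    return num_words * math.log2(wordlist_size)

def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string, e.g. 33 chars over [A-Za-z0-9] (62 symbols)."""
    return length * math.log2(alphabet_size)

def random_passphrase(num_words: int, wordlist: list) -> str:
    """Draw words with a CSPRNG; the per-word credit only holds for independent draws."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

def effective_bits(passphrase: str, wordlist: list, known_phrases: list) -> float:
    """Bits of work a dictionary-aware attacker needs for this passphrase.

    A phrase lifted from a lyric is a single entry in the phrase dictionary, so it
    is worth log2(len(known_phrases)) bits no matter how many words it contains.
    """
    if passphrase.lower() in known_phrases:
        return math.log2(len(known_phrases))
    words = passphrase.split()
    if all(w in wordlist for w in words):
        return independent_words_bits(len(words), len(wordlist))
    # No model for other input: count letters and spaces as random, which overestimates.
    return random_string_bits(len(passphrase), 27)

if __name__ == "__main__":
    print(f"6 Diceware words: {independent_words_bits(6, 7776):.1f} bits")
    print(f"33 alphanumerics, no symbols: {random_string_bits(33, 62):.1f} bits")
    print(f"lyric: {effective_bits('our house is a very very very fine house', WORDLIST, KNOWN_PHRASES):.1f} bits")
    print("fresh passphrase:", random_passphrase(4, WORDLIST))
```

Four words from a 2048-word list give the xkcd figure of 44 bits only because each draw is independent; the same four words taken from a song are one dictionary entry.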
correct battery horse staple

oh no! my brainwallet! how did they figure out my unhackable password?
Aug 20, 2017 19:13

teamdest posted:
> 100% of the times I've encountered this in person or on the phone I've been able to convince the dipshit to bypass it with a combination of whining, yelling, and saccharine begging. until customer security is more important than customer retention (never), this will always just be more security theatre.

"Look man the CEO is gonna be here in five minutes and I need to get these files for my report downloaded or my rear end is fried. I already gave you the right username and my first and last name match the account info do me a solid here and reset this; it's not my fault your site locked me out after I put in my password with a single typo..."

rjmccall posted:
> it works if the words are actually independently chosen. "our house is a very very very fine house" does not count

Can't wait to have a password manager implanted in a chip in my arm that I unlock with a specific set of hand gestures along with a voice password and then find some way to get it to autotype using my nerve endings, let's get this techno future going already. Make the wrong gesture or give the wrong voice password and the chip fries itself.
Aug 20, 2017 19:15

Mo_Steel posted:
> Can't wait to have a password manager implanted in a chip in my arm
Aug 20, 2017 19:36

teamdest posted:
> 100% of the times I've encountered this in person or on the phone I've been able to convince the dipshit to bypass it with a combination of whining, yelling, and saccharine begging. until customer security is more important than customer retention (never), this will always just be more security theatre.

that's fine tbh... the big thing is i have it in place and if they give away my $ without it they're 100% liable and possibly getting slapped by the ftc for deceptive practices. (esp. important for retirement accts)
Aug 20, 2017 19:49

maskenfreiheit posted:
> that's fine tbh... the big thing is i have it in place and if they give away my $ without it they're 100% liable and possibly getting slapped by the ftc for deceptive practices.

Can you point to some past FTC enforcement actions against companies whose customer service reps allow account changes without sufficient authorization?
Aug 20, 2017 19:52