Michael MD
The thing I don't get is why people are expecting CAs to be able to have answers for stuff not related to checks for domain/certificate/IP matches from a remote server to reduce the risk of MITM.

They can't tell anything about the content on a website at that moment or answer other types of trust-related questions that only the user can make for themselves. That would be impossible.

When people see anything saying the word "trusted" they really need to also ask: what? By whom? And what for?

Only then can the user really make those decisions that only the user knows how to answer!
Igorette
Why a free automated certificate authority is not the solution
The answer is simple: It's a certificate authority.

The certificate authority system is inherently flawed. This was not only proven by the fact that governments as well as criminals could take over broadly accepted certificate authorities in the past, or that these takeovers had to be patched by software updates of a myriad of browsers, operating systems and other software.

It is flawed because it has that huge attack vector: there are over 50 organizations that are trusted by your browser (http://ur1.ca/iu8qn) and they gave out the privilege to issue certificates for any domain to hundreds of other organizations (http://ur1.ca/iu8qo). Remember, this model is about trust. Do you trust all these, or even the 50 root CAs? Did you verify they properly handle the power they've obtained? I did not, it's too much work.

Adding just yet another organization that can issue certificates for any domain only strengthens that model. It ensures future revenues for the companies providing you the nice little green icons in your browser, called "extended validation". I will leave looking up the prices for such an EV certificate and the estimate of how much real manual work goes into that as an exercise for the reader.

There's hope though. For a few years now there's been a new standard in the making, called "DNS-based Authentication of Named Entities", DANE for short. It's based on DNSSEC, an effort to prevent forged and non-authoritative answers in the DNS system. In short, DNSSEC guarantees that the IP you're connecting to is controlled by the owner of the domain, and DANE guarantees that there's no middle-man in your connection to the webserver listening on that IP.

DNSSEC reduces the number of entities you have to trust to effectively one, IANA. IANA does contract third parties to operate the root zone; currently this is VeriSign. Every signature can be traced to that single trusted party. To forge a domain you would need to compromise the root zone's key, which is guarded by high standards, much higher than those of your average certificate authority. Also, if you compromise at that level, you need to mirror the infrastructure of the whole top level domain your target domain is part of. This is feasible but also visible to monitoring systems. Attacking a top level domain's infrastructure directly is also possible; the effect is greatly reduced though, only that single top level domain is compromised. You can't change the keys here either, as you would need to update the signatures in the root zone. And again, an attack is more visible here.

Whether this really greatly reduces the attack vector is debatable; what it objectively reduces is the damage you can do. Remember, to compromise the current system as a whole you just need one of the hundreds of little certificate authorities.

You can activate DANE validation today through an excellent browser extension provided by the Czech domain registry. After you have installed it you can see that all my sites already deploy it; it's certainly possible.

I can understand if companies that benefit from the current system embark on such a "free" registry. I can understand if the EFF supports such a system as a short-term measure; they don't directly influence any of the major software systems that would need to be adapted.

What makes me angry is that Mozilla is spending a lot of money to support it, while completely neglecting DANE support. There's been no real progress for years now. They support the old broken system while they really could change something. If a major browser vendor like Mozilla shipped DANE support across all its products, it would boost its adoption a lot.

#mozilla #ssl #dns #dnssec #dane #letsencrypt

via Jonne Haß - link
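As an added example that is not part of Jonne's post or of any DANE implementation mentioned here: the check a DANE-aware client performs once DNSSEC has handed it a validated TLSA record, written in Python against a constructed, unsigned certificate-shaped DER blob rather than a real certificate. It assumes nothing beyond the Python standard library; the OIDs, key bytes, serial numbers and the record name `_443._tcp.example.net` are placeholders. It goes one step beyond the post to show why the usual advice is a "3 1 1" record: pinning the SubjectPublicKeyInfo survives a certificate re-issued for the same key, while pinning the whole certificate ("3 0 1") breaks on every renewal.

```python
import hashlib
import hmac


def _der(tag, body):
    """Encode one DER TLV; lengths up to 65535 bytes are all this example needs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _der_read_tlv(data, offset=0):
    """Return (tag, header_length, body_length, body) for the TLV at offset."""
    tag = data[offset]
    first = data[offset + 1]
    if first < 0x80:
        body_len, hdr = first, 2
    else:
        n = first & 0x7F
        body_len = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        hdr = 2 + n
    start = offset + hdr
    return tag, hdr, body_len, data[start:start + body_len]


def _der_children(seq_body):
    """Yield (tag, raw_tlv) for each element directly inside a SEQUENCE body."""
    off = 0
    while off < len(seq_body):
        tag, hdr, body_len, _ = _der_read_tlv(seq_body, off)
        yield tag, seq_body[off:off + hdr + body_len]
        off += hdr + body_len


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate (RFC 5280 layout)."""
    tag, _, _, cert_body = _der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_raw = next(_der_children(cert_body))       # tbsCertificate
    _, _, _, tbs_body = _der_read_tlv(tbs_raw)
    fields = list(_der_children(tbs_body))
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo.  An explicit [0] version (0xA0)
    # shifts subjectPublicKeyInfo from index 5 to index 6.
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    return fields[spki_index][1]


def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate association data per RFC 6698 for a selector/matching-type pair."""
    if selector == 0:
        data = cert_der                        # Cert(0): the full certificate
    elif selector == 1:
        data = extract_spki(cert_der)          # SPKI(1): just the public key info
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    if matching_type == 0:
        return data                            # Full(0): exact bytes
    if matching_type == 1:
        return hashlib.sha256(data).digest()   # SHA2-256(1)
    if matching_type == 2:
        return hashlib.sha512(data).digest()   # SHA2-512(2)
    raise ValueError("unknown TLSA matching type %d" % matching_type)


def tlsa_record_for(cert_der, usage=3, selector=1, matching_type=1):
    """Presentation-format TLSA RDATA ("usage selector matching hex") pinning cert_der."""
    data = tlsa_association_data(cert_der, selector, matching_type)
    return "%d %d %d %s" % (usage, selector, matching_type, data.hex())


def tlsa_matches(record, leaf_der, chain_der=()):
    """True if the record's association data matches the presented certificates.

    Usages 3 (DANE-EE) and 1 (PKIX-EE) pin the server's own certificate; usages 2
    (DANE-TA) and 0 (PKIX-TA) pin a CA certificate in the presented chain.  Usages
    0 and 1 also require ordinary PKIX validation, which this function does not do.
    """
    usage, selector, matching_type, hexdata = record.split(None, 3)
    usage, selector, matching_type = int(usage), int(selector), int(matching_type)
    want = bytes.fromhex("".join(hexdata.split()))
    candidates = [leaf_der] if usage in (1, 3) else list(chain_der)
    for cand in candidates:
        got = tlsa_association_data(cand, selector, matching_type)
        if hmac.compare_digest(got, want):
            return True
    return False


def make_toy_cert(public_key_bytes, serial=1):
    """Constructed stand-in with the field layout of an X.509 Certificate (unsigned, no names)."""
    empty_seq = _der(0x30, b"")
    # ecdsa-with-SHA256 (1.2.840.10045.4.3.2) as algorithm identifier, for shape only
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    # id-ecPublicKey (1.2.840.10045.2.1) plus a BIT STRING holding the made-up key bytes
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                + _der(0x03, b"\x00" + public_key_bytes))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))       # [0] version: v3
               + _der(0x02, bytes([serial]))         # serialNumber
               + alg + empty_seq + empty_seq + empty_seq   # signature, issuer, validity, subject
               + spki)                               # subjectPublicKeyInfo
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(8)))  # signatureValue placeholder


if __name__ == "__main__":
    key_a = b"\x04" + b"\x11" * 64               # made-up uncompressed-point bytes
    server = make_toy_cert(key_a, serial=1)
    renewed = make_toy_cert(key_a, serial=2)     # same key, re-issued certificate
    other = make_toy_cert(b"\x04" + b"\x22" * 64)
    spki_pin = tlsa_record_for(server)           # "3 1 1 <sha256 of SPKI>"
    print("_443._tcp.example.net. IN TLSA", spki_pin)
    print("server matches:", tlsa_matches(spki_pin, server))
    print("renewed cert, same key, matches:", tlsa_matches(spki_pin, renewed))
    print("other key matches:", tlsa_matches(spki_pin, other))
    full_pin = tlsa_record_for(server, selector=0)   # "3 0 1 <sha256 of whole cert>"
    print("full-cert pin survives renewal:", tlsa_matches(full_pin, renewed))
```

The matching shown here is the last step only; it presupposes the DNSSEC chain the post describes. A TLSA answer that arrives without DNSSEC validation has to be treated as if no record existed, not as a match, otherwise the attacker who can spoof DNS simply supplies a record for their own key.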
Igorette
Top 10 All-Time submissions for /r/ImaginaryHorrors. - http://imgur.com/a/6Qbo4
Igorette
New ttrss-android version seems a little unstable
Igorette
This birthday card made me say "what the fuck?" - http://i.imgur.com/XW0U4Q3.jpg
Igorette
And have an A1 day, bitch.
Igorette
Also a good BOFH excuse generator
Jargon Generator - http://shinytoylabs.com/jargon/#
Igorette
Cabaret artist Georg Schramm on politics: "My anger is real" - taz.de - http://www.taz.de/Kabarettist-Georg-Schramm-ueber-Politik/!122002/
Igorette
"What platform do you use to run your infrastructure?"
"I use cocaine"
https://github.com/cocaine/cocaine-core
Igorette
Tweet from @acarvin: Whenever you hear it's a "pro-Morsi vs. anti-Morsi" dialectic, remember this venn diagram. #egypt opegypt.wordpress.com/2013/08/02/mainstream-media-likes-simple-labels/
#egypt
Igorette
Hyperboria

Hyperboria is a global decentralized network of "nodes" running cjdns software. The goal of Hyperboria is to provide an alternative to the internet with the principles of security, scalability and decentralization at the core. Anyone can participate in the network by locating a peer that is already connected.
Igorette
Oversight: Thank you for volunteering, citizen.
Igorette
What’s stopping us from eating insects? | Anthropology in Practice, Scientific American Blog Network - http://blogs.scientificamerican.com/anthropology-in-practice/2013/07/24/whats-stopping-us-from-eating-insects/
Igorette
RT: "Heroic effort at great personal cost": Edward Snowden nominated for Nobel Peace Prize

A Swedish sociology professor has nominated Edward Snowden for the Nobel Peace Prize. He says the NSA whistleblower could help "save the prize from the disrepute incurred by the hasty and ill-conceived decision" to give the 2009 award to Barack Obama.
Igorette
Barrett Brown, political prisoner of the information revolution | Kevin M Gallagher - http://m.guardian.co.uk/commentisfree/2013/jul/13/barrett-brown-political-prisoner-information-revolution
Via @ioerror
Igorette
I'm ready to leave Google services. But what do I do with the Android app market?
I don't have enough confidence in Aptoide and F-Droid providing malware-free apps.

Tech: Google Latitude and the Squandered Potential of Google+ | TIME.com (Jared Newman)

Google keeps demolishing good services and making Google+ more bloated.
Igorette
Intro from Continuum.S01E01

"Twenty years ago
when the corporations bailed
out our failed governments,
they sold it to us
as salvation...
Now we see
that we paid for that rescue
with our freedoms.
We have awakened to the truth
that we have become slaves
to the Corporate Congress...
Today that all changes.
Let the word go forth
from this time and place,
to friend and foe alike,
that we have passed the torch
to a new generation
unwilling to permit the undoing
of human rights and dignities.
And let every corporation know,
whether it wishes us
well or ill,
that we shall pay any price
in order to assure
the survival and the success
of liberty."

"Don't move!
Hands where we can see them!!
Stay where you are!
You're under arrest."