Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

An Interactive Graph of the Certificate Authority Ecosystem

cratermoon Re:sub-CA hell (39 comments)

No, I'm fully aware we don't trust the CAs with our personal data. We're trusting the CAs to vouch for the organizations to whom they issue certificates. But now there are hordes of CAs, some of whom may not be particularly trustworthy, but the browser makers don't descriminate (much).

As a result, we have CAs that we're supposed to trust because our browsers accept them, but those CAs are passing out SSL certs like candy to anyone with a few bucks.

While we're not directly giving our personal data to the CAs, we're trusting the organizations they vouch for on the basis of the supposed trustworthiness of the CAs, when in fact most of them are utterly opaque and unknown to us, thus indirectly trusting them to protect our personal data.

Again I say, anyone on the internet should look at the diagram, look at the list of signing authorities their browsers trust, and ask themselves, "who the hell are all these people and why do I trust them?"

about a year and a half ago
top

An Interactive Graph of the Certificate Authority Ecosystem

cratermoon Re:sub-CA hell (39 comments)

OH I definitely agree that the system is broken. Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

Yes, I think that encrypting your traffic securely is the right thing to do, and using public-private key pairs with cryptographically strong algorithms is the right way to do it, the trust model was broken the first day that money started to change hands as a surrogate for "trust"

about a year and a half ago
top

An Interactive Graph of the Certificate Authority Ecosystem

cratermoon sub-CA hell (39 comments)

DFN-Verein "creates a unique sub-CA for each institution for which it issues certificates"

I feel sorry for the technical folks who have to implement and maintain such a fucked up idea as per-institutional sub-CAs.

about a year and a half ago
top

Blizzard Sued Over Battle.net Authentication

cratermoon Re:This is ridiculous (217 comments)

completely unnecessary if you use a good password.

That's a dangerously incorrect assertion to make. People's battle.net accounts don't get compromised because a malicious party cracked a password. Keyloggers, phishing, social engineering, and just plain fraud are all far more common avenues for password leakage, both in battle.net and overall.

The days when a hacker could bang on the front door of a service trying username/password combinations until finding one that worked are long gone. The reason Blizzard introduced authenticators was because their own experience indicated that no matter how tightly locked the servers, or how strong the password requirements, with the client software and hardware out of their control, passwords were still getting out. So they went with the next best convenient security practice: something you know, and something you have.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:Micro-ISVs (141 comments)

I can't answer that right now, I don't have a tinfoil hat handy. Sorry.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Good answer. To be fair to the parent post, the certificate authorities *do* have some work to do in cleaning their own houses. Stolen or compromised certificates do exist, and while we can revoke the ones we know about, there's the ones we don't know about, and there's the clients that don't handle revocation properly. It's not clear that the CA houses are doing their jobs well enough.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Next time say, "I'm sorry, I'm a professional software developer, and I have to follow certain principles, same as a doctor or lawyer must follow their respective professional codes. Please contact me when your server side is properly configured and I will be able to complete the work."

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Probably no shock that it's a PHP developer:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

That's not wrong, but it still doesn't explain to me why I, as a user, should trust both application A and site B that have agreed to trust each other with a self-signed certificate. The reason was have the CA model is to introduce a trusted third-party* that can verify for us that everything is on the up-and-up. The user should not be in the position of having to trust unknown parties.

*Yes I know the CA companies have problems. Maybe the model is so broken by nature that it doesn't matter, but it's still true that the self-signed model bypasses it.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Defrauding unsuspecting third parties and exposing them to identity theft is still a crime, or at least a civil liability, even if you have a family. Participating in that kind of thing is unethical at best.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:Micro-ISVs (141 comments)

Well said. If the company doesn't start out with enough money to purchase the things necessary, it's not doing it right. To attempt a real-world analogy, would you put your money in a bank that delayed purchasing a vault until it had enough of the customer's money to afford one?

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:Micro-ISVs (141 comments)

They might be, but then who in their right mind would trust that kind of party with their money and PII? In choosing how to spend their limited cash, they forgo proper security precautions, and they want users to trust them not to misuse or misplace sensitive information?

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

it does not delegate trust to some 3rd party that might screw up and cause things to have be changed, or risk compromise

Instead, the company that issues the self-signed certificate is to be trusted not to screw up? "Just take our certificate, it's fine, trust us".

If Alice and Bob trust each other, this is OK, but what if Bob is bumbling idiot? What about when Alice and Bob, who trust each other, tell Mallory to trust them to trust each other, and Carol mistakenly trusts Mallory?

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Translation: I just wanted to take the money and run. Making money, that was the important thing. Yeah, money. Did I mention I needed the money?

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

Let me tell you the story about the guy who wanted to use oauth2 bearer tokens over an unsecured connection.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:A lot of apps use SSL (141 comments)

à_à
This is why we can't have nice things.

about 2 years ago
top

Poor SSL Implementations Leave Many Android Apps Vulnerable

cratermoon Re:User Confidence (141 comments)

I would not use $RANDOM_SHOPPING_BANKING_APP, but I would visit a bank website using chrome, firefox, or the built-in android browsers. Those three programs, while undoubtedly not flawless, at least have enough respectability and history for me to trust them as well as anything on the internet. Admittedly, that's not much trust, but it's something.

about 2 years ago

Submissions

top

Skype & Silver Lake: Evil?

cratermoon cratermoon writes  |  more than 3 years ago

cratermoon (765155) writes "Former Skype guy Yee Lee finds out that for people working at companies controlled by private equity firm Silver Lake, 'vested' doesn't mean what you think it means, and gets no money from the stock options he thought he could exercise. 'Skype spokesman Brian O'Shaughnessy said, "You've got to be in it to win it. The company chose to include that clause in the contract in order to retain the best and the brightest people to build great products. This individual chose to leave, therefore he doesn't get that benefit."'

Fortune also has the story: http://finance.fortune.cnn.com/2011/06/24/skype-vesting_controversy/"

Link to Original Source

Journals

cratermoon has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>