Comments


Google Proposes To Warn People About Non-SSL Web Sites

heypete Re:Stupid (391 comments)

And if you do pay the $60, you can only manage a single legal entity. Which means, if you are the certificate manager of some organization, you can either get certificates in the name of that organization (after completing the paperwork and paying the additional $60), or for your own private sites, but not for both at once. Yes, after completing the paperwork for getting certificates for your organization, you lose the right to get certificates for yourself. Crazy, but true!

Huh. I didn't know that, as I only have ever done the individual verification. It's not uncommon for someone to wear many hats (i.e., to be affiliated with several organizations). It'd certainly be nice if their system allowed for a single individual account to switch between different "identities", so that one could issue certs for themselves or any number of organizations with which they're affiliated and which they've validated with StartSSL.

Have you suggested such an improvement to them?

Oddly enough, if you don't pay anything at all ("class 1 certificates"), you can get certificates for several associations and yourself at once. Of course, then you can't get wildcards or SAN certificates, so you are forced to use SNI (more hassle to set up, and might not work with exotic browsers).

Technically, yes, but policy-wise, no: Class 1 certs are not intended for commercial use.

Wow, a place where beer is even more expensive than here in Luxembourg! But seriously, I guess the $9/year is for plain certificates, no wildcard and non SAN? In that case it would compete with StartSSL's free offering, rather than their $60 plan. If it actually does include wildcard certificates, I would be interested in details.

It's hard to directly compare the two offerings, as StartSSL charges for validation but you can issue numerous certificates at no additional cost. Other CAs charge on a per-cert basis.

As you suspected, the $9 offering from PositiveSSL is for a single, non-wildcard, non-SAN certificate. NameCheap also sells Comodo PositiveSSL multi-domain certs for $30/year for up to 100 domains, which is quite a reasonable price. Of course, those certs are domain-validated only. Organization-validated multi-domain certs start at $90/year. That's cheaper than StartSSL, but only gets you a single cert with multiple SANs. If you needed more than one, StartSSL is the more economical choice. Wildcard certs are also available, with Comodo wildcards costing $94/year.

yesterday

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re: Stupid (391 comments)

Switzerland. The trains are great but the beer's bloody expensive.

yesterday

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re: Stupid (391 comments)

Did you include the necessary intermediate certificates in your server config? If you don't then browsers can't verify that the cert is legit. IE tries to be smart and can download many (but not all) intermediates automatically, but that's not something you should rely on.

I have never had any issues with PositiveSSL using any browser, so long as the intermediates are sent by the server.

yesterday

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re: Stupid (391 comments)

Yeah. Beer in Switzerland isn't cheap. :/

yesterday

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re:OK (391 comments)

While I think you should use HTTPS, it's also quite easy to strip away: anyone in the "man in the middle" position can do this, so no problem for the NSA, no problem for an ISP, no problem for a decent hacker (WiFi anyways). However, it is "better than nothing".

Which seems to be what we have to settle for these days: BTN, "better than nothing".

It's difficult to strip HTTPS from sites that use HSTS. Considering that enabling HSTS is literally a one-line addition to a server's config file and prevents SSL stripping attacks, it'd be silly not to use it.

Assuming the client can access the authentic HTTPS-secured, HSTS-enabled site at least once, their browser will cache the "HTTPS is required" bit for as long as the site requests. Most deployment guides suggest HSTS cache times of 6-12 months, which would make an attacker's job much more difficult.

Adding browser support for DANE would be even better: HSTS allows a server to instruct a browser to only use HTTPS on that site, while DANE allows the server to specify (via a valid DNSSEC-signed record) which HTTPS certificate/CA (including self-signed certs) is valid for that site. Using both methods provides a high degree of assurance that one is securely visiting the authentic site and that no tampering is taking place.

2 days ago
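The behaviour the post above describes (the browser caches the "HTTPS is required" bit and upgrades later plain-HTTP requests itself, so a stripping proxy never sees a plaintext request) can be modelled in a few dozen lines. This is an added example, not code from heypete's post or from any browser: the header syntax follows RFC 6797, but the HSTSCache class, its clock and the sample header values are hypothetical and constructed for the demonstration.

```python
"""Model of a browser's HSTS store and how it defeats SSL stripping.

Added example, not from the original post or any real browser.  The
directive names (max-age, includeSubDomains, preload) come from
RFC 6797; the cache itself is a hypothetical, minimal model.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value; max_age stays None if absent."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


class HSTSCache:
    """Hypothetical per-browser store: host -> (expiry time, includeSubDomains)."""

    def __init__(self, now):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}

    def observe(self, host, scheme, header):
        """Record a policy.  RFC 6797 section 8.1: the header is ignored on
        plain HTTP, so an attacker on the wire cannot poison the cache."""
        if scheme != "https":
            return False
        policy = parse_hsts(header)
        if policy["max_age"] is None:        # max-age is mandatory
            return False
        host = host.lower()
        if policy["max_age"] == 0:           # max-age=0 deletes the entry
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self._now() + policy["max_age"],
                                   policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before anything is sent."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname or ""):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo():
    """Walk through the first-visit gap, the protected period and expiry."""
    clock = [1_000_000.0]                         # constructed fake clock
    cache = HSTSCache(now=lambda: clock[0])
    header = "max-age=31536000; includeSubDomains"   # constructed sample
    poisoned = cache.observe("example.com", "http", header)   # ignored
    first_visit = cache.rewrite("http://example.com/login")   # still plain
    cache.observe("example.com", "https", header)  # the genuine site, once
    protected = cache.rewrite("http://example.com/login")
    subdomain = cache.rewrite("http://www.example.com/")
    clock[0] += 31536000 + 1                       # max-age elapsed, no refresh
    lapsed = cache.rewrite("http://example.com/login")
    return poisoned, first_visit, protected, subdomain, lapsed
```

The first rewrite in demo() is the window the post mentions: until the genuine HTTPS site has been seen once, the browser has nothing cached and the plain request goes out, which is what browser preload lists exist to close.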

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re: Stupid (391 comments)

Also to rent an ip address isn't free.

IP-based SSL hosting hasn't been necessary since the development of SNI nearly a decade ago.

Essentially all modern browsers (IE 7+, Firefox 2.0+, Chrome 6+ on XP [all versions of Chrome on Vista+ support SNI], Safari in iOS 4+, Android 3+, WP 7+, etc.) and servers support SNI.

Several web hosts offer SNI-based SSL/TLS hosting at no additional charge.

2 days ago

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re:Stupid (391 comments)

CPU and power increase for encryption is negligible for most sites.
The real cost is getting a certificate from a site that the browser will recognize.
Those are expensive, especially if you want a site for a hobby or a supplemental income.

StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.

Let's Encrypt, run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.

If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.

The financial cost of getting a certificate is essentially negligible.

2 days ago

Google Proposes To Warn People About Non-SSL Web Sites

heypete Re:So perhaps /. will finally fix its shit (391 comments)

Really? Why? What content on Slashdot justifies the need for encrypted content? I really don't get this huge push for SSL everywhere. Give me SSL when I need it; I don't want SSL for accessing a forum or a news site or just generally browsing the web.

Exactly. What's the benefit?

There's a time and place for encryption, and Slashdot ain't it.

Some folks at Belgacom may disagree.

Remember, SSL/TLS doesn't just protect the privacy of communications, it also protects the integrity of those communications and makes it much more difficult for an adversary to modify the traffic to insert hostile content.

2 days ago

Launching 2015: a New Certificate Authority To Encrypt the Entire Web

heypete Re:Shared hosting... (212 comments)

SNI is now supported by all the major players (IE was the last hold out) but... I'm pretty sure the current free cert providers don't support it.

SNI requires support from (a) the browser, and is near-universally supported by all browsers these days, and (b) the web server, with many hosts supporting it already. If not, they should.

The certificate authority is not involved with SNI at all.

about a month ago

British Spies Are Free To Target Lawyers and Journalists

heypete Re:Art Of War - Chapter 13 - The use of spies (184 comments)

If fighting is sure to result in victory, then you must fight!

Sun Tzu said that, and I'd say he knows a little bit more about fighting than you do, pal, because he invented it, and then he perfected it so that no living man could best him in the ring of honor.

Then, he used his fight money to buy two of every animal on earth, and then he herded them onto a boat.

And then he beat the crap out of every single one.

And from that day forward any time a bunch of animals are together in one place it's called a 'zoo'!

OMG what are you on and do you have enough to share?

It's from Team Fortress 2's "Meet the Soldier" trailer.

about a month and a half ago

VeraCrypt Is the New TrueCrypt -- and It's Better

heypete "Slightly slower"? (220 comments)

From the summary: "While this makes VeraCrypt slightly slower at opening encrypted partitions..."

On my 2.4GHz, 4-core, 8-thread i7-3630QM mounting an encrypted partition using VeraCrypt takes ~18 seconds. It takes the VeraCrypt bootloader more than 40 seconds to verify my password and proceed with booting.

Although one need only enter the boot password once at boot time, it's still a bit of a pain. A 1-5 second processing delay is reasonable, but more than 40 seconds? Either way, a few thousand iterations combined with a strong password makes brute-force guessing impractical so why bother with obscenely high iteration counts?

I'd much rather that VeraCrypt (or other similar software) allow one to set the number of iterations so one could set the desired delay time based on their own hardware and threat model, and have the iteration count written to the disk so the software knows how many iterations to use. For me, I use such software to protect against theft by ordinary criminals: they're not going to bother decrypting the drive, so a second or two of iterating is fine. Those defending against more well-funded adversaries would be better served with more iterations.

about 2 months ago
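The scheme the post above asks for (calibrate the iteration count to a delay the user finds acceptable on their own hardware, then write that count into the header so the software knows how many iterations to run when unlocking) is straightforward to implement. This is an added example and not VeraCrypt's code or on-disk format: the header layout, the MAGIC tag, the verifier construction and the 1000-iteration floor are all hypothetical choices made here, and PBKDF2-HMAC-SHA512 from hashlib stands in for the volume's key derivation.

```python
"""Tune a KDF iteration count to a target unlock delay and store it.

Added example; not VeraCrypt's code or header format.  Header layout
(hypothetical): MAGIC(4) || iterations(4, big-endian) || salt(16) ||
verifier(32).  Storing the count means unlocking never has to guess it.
"""
import hashlib
import hmac
import os
import struct
import time

MAGIC = b"KDF1"            # hypothetical format tag
KEY_LEN = 64               # derived key bytes
MIN_ITERATIONS = 1000      # floor chosen here so a fast CPU never picks too few
HEADER_LEN = 4 + 4 + 16 + 32


def _derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, KEY_LEN)


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Time a probe run on this machine and scale to the wanted delay."""
    salt = os.urandom(16)
    start = time.perf_counter()
    _derive(b"calibration", salt, probe)
    per_iteration = max((time.perf_counter() - start) / probe, 1e-9)
    return max(int(target_seconds / per_iteration), MIN_ITERATIONS)


def seal(password: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Produce the header and the key it protects."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below the configured floor")
    salt = os.urandom(16)
    key = _derive(password, salt, iterations)
    # Verifier lets unlock distinguish "wrong password" from "corrupt header".
    verifier = hmac.new(key, b"header-check", "sha256").digest()
    return MAGIC + struct.pack(">I", iterations) + salt + verifier, key


def stored_iterations(header: bytes) -> int:
    """Read the count back; the unlocking side never has to guess it."""
    if header[:4] != MAGIC or len(header) != HEADER_LEN:
        raise ValueError("not a recognised header")
    return struct.unpack(">I", header[4:8])[0]


def unseal(header: bytes, password: bytes) -> bytes:
    """Re-derive the key using the iteration count stored in the header."""
    iterations = stored_iterations(header)
    salt, verifier = header[8:24], header[24:56]
    key = _derive(password, salt, iterations)
    check = hmac.new(key, b"header-check", "sha256").digest()
    if not hmac.compare_digest(check, verifier):
        raise ValueError("wrong password")
    return key


if __name__ == "__main__":
    # Two-second unlock on this machine; a different machine stores its own count.
    n = calibrate_iterations(2.0)
    header, key = seal(b"correct horse battery staple", n)
    assert unseal(header, b"correct horse battery staple") == key
    print(f"stored {stored_iterations(header)} iterations in a {len(header)}-byte header")
```

Because the count is in the header, a volume sealed on a slow laptop still opens on a fast workstation, and the user who defends only against opportunistic theft can pick a one-second delay while someone facing a well-funded adversary picks forty.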

Security Collapse In the HTTPS Market

heypete Re:If there's a systemic problem (185 comments)

If there's a single systemic problem with HTTPS, it's that we're still largely relying on Certificate Authorities which charge a lot of money. The expense and complexity discourages people from using SSL more ubiquitously.

Cost is an issue if you're buying VeriSign certs for hundreds of dollars, but why waste your money? (Answer: nobody got fired for buying VeriSign, and big companies think customers care about the "trust seals"). Other CAs offer OV or EV certs for less than $200/year.

DV certs are incredibly cheap. StartSSL offers DV certs for non-commercial purposes free-of-charge. For paid certs, they only charge for what costs them money: individuals can get their ID verified for $60/year and issue unlimited Class 2 certs. Organizations pay $120 (one individual verification, plus the organization verification) and can issue unlimited certs. Gandi offers DV certs (they're a Comodo reseller) for $16/year. NameCheap (a reseller of several CAs) has even lower prices: Comodo certs are $9/year, while RapidSSL certs are $10.95.

I hardly consider $9/year to be a showstopper for even the most cash-strapped business or small organization.

That said, you do have a point in regards to complexity: generating certs using command-line tools is not something the typical user can be expected to do, particularly with subtleties like adding the right flag for SHA2 signatures, configuring their server with good ciphersuites, etc. Heck, I routinely see professionally-managed websites with SSL cert chains missing the intermediate cert. Security is complex and can only be simplified so much, but it's still an issue.

about 3 months ago

Satoshi Nakamoto's Email Address Compromised

heypete Re:WRONG! (65 comments)

What is the alternative? Phone calls?

Several email services (e.g. Gmail, Yahoo, etc.) do just that: they can send voice calls or SMS messages to a phone number you've registered with them prior to the loss of your account.

Due to the importance of email addresses when it comes to authentication (e.g. password resets for non-email services are nearly always sent to one's email address) it makes sense to have email services be secure from compromise (e.g. 2FA) and recoverable in a secure manner (e.g. phone-based validation).

Domain names are also a "high-stakes" thing and it makes sense to have a high degree of security when allowing password resets at registrars: I wouldn't mind my domain registrar sending me a letter by post to my address on file with them if I were to ever request a password reset from them.

about 3 months ago

AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

heypete Re: We really need (533 comments)

I'm curious, how's the performance of YouTube and Netflix over there? Do you notice a bottleneck, most likely traced to the trans-Atlantic fiber pairings, or is all content cached on local servers too?

Google has many datacenters, including three in Europe. Alas, due to Google not providing reverse DNS on a lot of their router hops I'm not sure quite where the traces end up, but they're only ~30ms away from Bern, so the connection is definitely routed to their European facilities.

As for Netflix, their European service seems to be run from the Amazon AWS facility in Ireland, so there's no transatlantic links to cross. I imagine they also offer their CDN equipment to European ISPs, but they don't offer Netflix in Switzerland yet, so I don't know if that's the case here. I subscribe to the US Netflix and use Unlocator to trick their location-detection system into thinking I'm in the US, so the videos I watch do cross the Atlantic. There's maybe 10 seconds of lower-resolution video when streams from US Netflix first start, but after that things are in HD quality for the duration. No issues otherwise.

about 3 months ago

AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

heypete Re:We really need (533 comments)

American expat in Switzerland here. Using Speedtest.net I get 246.08/15.21 Mbps. I pay the cable company the equivalent of $98 USD/month for 250/15 internet service (no data caps) and cable TV (my wife likes watching US sports, so we have the "all-inclusive" TV package that includes some US sports channels). I originally had the 35/5 plan, but upgraded to the 150/10. They discontinued that plan and switched me to the 250/15 plan, which was only $5/month more.

If I wasn't satisfied with them, Swisscom (major telco) and the electric company each offer fiber-to-the-home, with up to 1000/100 speeds and no caps. There's other options for DSL too, but not nearly as fast.

Comcast, a major US ISP, has a comparably-priced plan that goes from $89/month for the first year to $119/month for the second year and then up to $148/month thereafter. They offer a bunch of TV channels and 25 Mbps internet, plus data caps. That's absurdly awful.

As an American, I find it ridiculous that wholesale bandwidth in the US (e.g. connectivity in a datacenter) is dirt cheap and fast (as an example, Hurricane Electric offers 10GigE transit for $0.45/Mbps) but that retail bandwidth available to end-users is so expensive, slow, and limited by data caps and the like. Things really need to change.

about 3 months ago

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

heypete Re:So 1024 Bits Not Enough Now? (67 comments)

Symmetric and asymmetric keys are different things and have different key lengths. One cannot directly compare key sizes between two wholly different classes of ciphers. There are numerous reasons, mostly involving arcane mathematics, why asymmetric ciphers require longer key lengths than symmetric ciphers to offer similar levels of protection.

For example, a 1024-bit RSA key (RSA is an asymmetric cipher) is essentially equivalent to an 80-bit symmetric key (AES, 3DES, etc. are symmetric ciphers). SHA1, a hashing algorithm, provides less than 80 bits of security; those wishing stronger signatures are switching to SHA-256 (which offers 128 bits of security) and SHA-512 (which offers 256 bits).

A 2048-bit RSA key, such as those used by most CAs and web servers these days, has the same strength as a 112-bit symmetric key. NIST says they should be good enough until around 2030.

3072-bit RSA keys offer the same strength as a 128-bit symmetric key. A whopping 15,360-bit RSA key would be needed for 256-bit security; the same level of security could be achieved with a 512-bit elliptic curve key, which would be much, much faster than such a large RSA key.

about 3 months ago
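The "arcane mathematics" behind the equivalences quoted above is the cost of the general number field sieve, which grows sub-exponentially in the modulus size rather than exponentially in the key length. The following is an added example, not part of heypete's post: it applies the GNFS cost heuristic that NIST SP 800-57 uses for its RSA-to-symmetric table (the constants 1.923 and 4.69 are the ones documented for that heuristic on keylength.com) and the generic square-root bound for elliptic curves, then compares the heuristic against the NIST figures the post cites. The heuristic lands within a few bits of the published levels, which is all it claims to do.

```python
"""Symmetric-equivalent strength of RSA and EC keys.

Added example, not from the original post.  rsa_security_bits() is the
GNFS heuristic NIST SP 800-57 uses (constants as on keylength.com);
ecc_security_bits() is the generic Pollard-rho bound.  Both are
estimates, which is why the comparison reports a delta rather than
claiming an exact match.
"""
import math

# Published NIST equivalences (symmetric bits -> RSA modulus bits).
NIST_RSA = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}


def rsa_security_bits(modulus_bits: int) -> float:
    """GNFS cost: (1.923 * (n ln 2)^(1/3) * (ln(n ln 2))^(2/3) - 4.69) / ln 2."""
    n = modulus_bits * math.log(2)                 # ln of the modulus
    cost = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return cost / math.log(2)                      # back to "bits"


def ecc_security_bits(curve_bits: int) -> float:
    """Best generic attack on a prime-order curve costs about sqrt(group size)."""
    return curve_bits / 2


def compare_with_nist() -> list[tuple[int, int, int, int]]:
    """(symmetric level, RSA bits, heuristic estimate, delta) for each NIST row."""
    rows = []
    for level, rsa_bits in sorted(NIST_RSA.items()):
        estimate = round(rsa_security_bits(rsa_bits))
        rows.append((level, rsa_bits, estimate, estimate - level))
    return rows


def smallest_curve_for(level: int) -> int:
    """Curve size (in 32-bit steps) giving at least `level` bits of security."""
    bits = 160
    while ecc_security_bits(bits) < level:
        bits += 32
    return bits


if __name__ == "__main__":
    for level, rsa_bits, estimate, delta in compare_with_nist():
        curve = smallest_curve_for(level)
        print(f"{level:3d}-bit symmetric ~ RSA-{rsa_bits:<5d} "
              f"(heuristic {estimate:3d}, delta {delta:+d}) ~ {curve}-bit curve")
```

The last column is the point of the post: a 15,360-bit RSA modulus and a 512-bit curve sit at the same 256-bit level, because the curve's attack cost doubles with every two extra bits while RSA's grows only sub-exponentially with modulus size.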

UCLA, Cisco & More Launch Consortium To Replace TCP/IP

heypete Re:Great idea at the concept stage. (254 comments)

Is it wrong that I don't want my home devices to be reachable from the outside unsolicited?

Use a stateful firewall? NAT is not a firewall.

Just because something has a globally unique IP address doesn't mean that it's globally reachable.

about 3 months ago

Apple Denies Systems Breach In Photo Leak

heypete Re:Seemed pretty obvious this was the case (311 comments)

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Who says you need to tell the truth on those questions?

Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."

Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

about 4 months ago

Plan Would Give Government Virtual Veto Over Internet Governance

heypete Re:Does it matter? (65 comments)

Of course this is about power shifting towards governments in general. This is to be expected; after all, we can't just have random people running the internet, and governments happen to be the very things that represent their countries internationally.

(Emphasis mine.)

Why not? That's basically what Jon Postel did: he basically singlehandedly administered the DNS root and was IANA.

Sure, things are different now, but we certainly have had random people running the internet. It worked then, why not now?

about 4 months ago

Submissions

heypete hasn't submitted any stories.

Journals

heypete has no journal entries.
