Domain: startssl.com
Stories and comments across the archive that link to startssl.com.
Comments · 128
-
Partially Answered
HTML 5.0 draft (before W3C got into their stupid versioning) contained some of your request already.
1-2) ISO date format needs to be forced upon everybody, like the metric system. However, the spec doesn't require the browser to display with it. Browsers are free to display the date in a localized format while submitting the proper ISO format. This wouldn't be much different than how Options display different values. Perhaps the spec should mention this so nobody fears doing this...
3) HTML5 is good enough already; doubt you'll get them going further anytime soon. I can imagine from my experience with them that is how it'll go. I agree with you that it would be convenient.
5) Initially, integer didn't suggest an incremental button (that I recall) but later the spec showed an example. The problem with presenting suggestions or screenshots of implementations is that every literal-minded developer will copy it. The CSS groups are slow as hell and not in sync with HTML5 like they should be; could be how they create lots of tiny CSS working groups with narrow focuses and that doesn't respond to HTML5's requirements well enough yet. HTML5 tries to define appearances in CSS but that becomes a chicken/egg problem. Turning on the incremental buttons needs to be CSS... a slider presentation would also make sense (there is a big bias towards minimalism. Yet METER is creating quite the CSS challenge for them... which will be much more complex if they just begin to address all the requests out there for it.)
6) Would be nice; however almost everything has either 2 decimals or 0. Just a few have 3. So an integer with step=0.01 would work well enough. Don't expect that to happen. Currency conversion or selection won't happen; that is too complex - you implement it. It would need to know what currencies you support, so then you are somehow using a bunch of option tags or creating some odd list attribute.
7) Country selector would also be nice. Possible issues are related to constantly changing flags and countries in less stable places. If you implement it then you are in charge of handling those situations. You can do a Select with country flags already before HTML5.
8) Credit cards - update-related issues long term. Similar issues as country listings but worse. Perhaps you can gain traction with the working group if you team up with a browser and aim towards CHIP and RFID support --- maybe we could finally get an encryption input !! It's not a new issue and they never handled the 2-way communication that is involved with an encryption input. (nobody even touches the cert authentication features in the browsers already except http://startssl.com/
9) HTML5 has it. No validation possible. But it SHOULD use the proper keypad on a phone. I investigated this; it's crazy to go global with it, which is why it was left open. Implementing is way too much work. With VOIP it seems that it would be pointless long term because any kind of phone number could be used anywhere; restricting this will become an issue in addition to keeping up with global changes in format. The only standard is the international prefix... except I found a few places where that didn't even apply within their country.
10) HTML5 did it already. Has the best RegEx for email too; it's in the spec. Check it out!
11) HTML5 doesn't handle editors; however W3C is trying to standardize kludges. The groundwork on roles helps slightly but yes, it's all kludges. There are so many options on this one that it is highly unlikely to standardize. They really don't like taking something with a million options and standardizing on 1 simple solution.
12-14) Yes, that would be nice. However they have added groundwork to make that much easier for you to do in HTML5: drag-n-drop files, local file access, AJAX file upload. The old "accept" attribute does work even though its use is optional.
15) Never. Same as 11. But 11, 12-14 related features make it easier to implement (because
-
Re: TLS
Even without Let's Encrypt you can find free certs.
-
Re: S/MIME
Not necessary. Startcom, a company in Israel, is happy to generate and store a key that you can use to certify that you are you, for free. I think this also demonstrates the insane brokenness of the certificate authority system.
Sure, they offer the option (by default, which is annoying) for them to generate a private key for you (they claim not to store it) but you're welcome to generate your own private key and CSR and submit it for signing -- that way they never see your private key.
-
Re:StartSSL ?
StartSSL certs are not free to commercial entities.
Unfortunately, you are factually wrong. Their Class 1 certs used to be free for commercial purposes up until 2012, but that policy changed back then. See StartCom Certificate Policy & Practice Statements (warning: PDF) section 3.1.2 "Classes of digital X.509 Certificates" paragraph 1. Quoting from there (emphasis mine):
Class 1 Certificates provide modest assurances that the email originated from a sender with the specified email address or that the domain address belongs to the respective server address. These certificates provide no proof of the identity of the subscriber or of the organization.
Class 1 certificates are limited to client and server certificates, whereas the latter is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc.
-
Re:StartSSL ?
StartSSL are free for commercial use.
No, they are not, if you're referring to their free Class 1 certificates. They used to be up until 2012, but that policy changed back then. Commercially using their Class 1 certificates is prohibited by StartCom. See StartCom Certificate Policy & Practice Statements (warning: PDF) section 3.1.2 "Classes of digital X.509 Certificates" paragraph 1. Quoting from there (emphasis mine):
Class 1 Certificates provide modest assurances that the email originated from a sender with the specified email address or that the domain address belongs to the respective server address. These certificates provide no proof of the identity of the subscriber or of the organization.
Class 1 certificates are limited to client and server certificates, whereas the latter is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc.
-
Re:Still no opportunistic encryption
No you just get one for free.
-
Re:Remember kids, sync to cloud.
But if you sync to the cloud, that is, transmit your incriminating video from your registered phone through a cell provider who has your credit card information to a storage provider who also has your credit card information, the cops can show up at your door, follow your car, and get "in your face" until they find something to hang you with.
http://www.freenas.org/downloa...
https://owncloud.org/install/
https://play.google.com/store/...
http://portforward.com/english...
http://www.startssl.com/
Or:
https://www.getsync.com/featur...
https://play.google.com/store/...
Either way, secured, real-time, SSL'd upload to your own server. No cloud vendors, and no credit cards.
-
Not uncommon in my world :)
I usually figure out that a cert has expired when something breaks. For example, I like to use free certs from StartSSL on Exchange Servers. When they expire, people get warnings when accessing OWA, or smartphones stop connecting.
If it happens to be on an SBS Server it can really be a pain, however, since it will stop working as a Terminal Services Gateway, making it difficult to log back on and replace the cert.
-
Self-signed certificate
Firefox added a warning against all self-signed certs
It makes sense: encryption without authentication is useless, as the browser gets a secure channel to talk with an unidentified peer. It can be your server, it can also be a man in the middle, there is no way to tell.
You can get a properly signed SSL certificate for free from STARTSSL, therefore there is no excuse for your broken setup.
-
Re:Fantastic.
StartSSL offers free SSL certificates: https://www.startssl.com/
-
Re:No thanks...
I have a personal website that doesn't do too much and I'd put https on it if I didn't have to pay for a key.
-
Re:HTTPS Everywhere
They can't inject into secure traffic. HTTPS solves this problem too.
Install CGIproxy on your webhost with an SSL cert (free from StartSSL) and use it for all your web browsing to cover ISP spying on non-HTTPS-supporting websites (such as Slashdot).
If you don't mind your ISP knowing the domain of the https sites you visit, you can still go to them directly.
If your webhost is your own server, however, there are no additional risks routing everything through CGIproxy.
Shared webhost space is an additional risk, since they would have the ability to see your unencrypted traffic if they desired.
Of course there is no encryption between the webhost and the non-SSL websites you visit, but since that is/was true when visiting them directly anyway, this only turns a very sucky situation into a slightly less sucky one - a net improvement overall.
But all the ISP will see is that 100% of your web traffic is to a single IP and fully encrypted, and you apparently don't use the rest of the internet in your web browser.
-
Re:Defaults
-
Re: Great step!
StartSSL still give out free certificates to individuals right?
Yes, as long as you don't change your certificate after the key is lost as a result of Heartbleed. If you want your users to be secure, then you need to pony up $25. How that isn't a violation of the Mozilla policies is beyond me. I can give StartSSL clear proof that a private key has been disclosed, and they won't revoke it unless somebody pays them to do it.
-
Re: Great step!
Yes. I use StartSSL for my personal server and it works great. You would need to pay for a Class 2 cert to register it for an organization.
https://www.startssl.com/?app=25#2
https://www.startssl.com/?app=25#90
-
Re:Ahhh ...
I was just using https://www.ssllabs.com/ to check out some financial sites:
amhfcu.org - F - supports insecure SSL 2.0
tdbank.com - A-
republictt.com/ - not the local bank.. apparently uses Java.. ugh..
republicbank.com - A- - powered/provided by Intuit
sjfcu.online-cu.com - B - due to not supporting TLS 1.2 (used by likely a few CUs)
bankofamerica.com - inconsistent - B, A-
wellsfargo.com - B - due to not supporting TLS 1.2
paypal.com - A- - uses mixed content on home page.. really?
secure.ally.com - B - TLS 1.2 capped
https://www.chase.com/ - A-
hsbc.com - asks for login name on insecure website.. otherwise a B
I'm not impressed. My ~$10 a month Dreamhost account can get me a B rating (with SSL kindly provided by https://www.startssl.com/ for free). And if they were running a newer version of Debian, I think it would be an A.
-
Re:Only if I can use self signed certs
As an example, NameCheap, an American registrar and host, sells Comodo certs for $9/year. GeoTrust are $10.95/year, while Thawte certs are $40/year. Prices drop by a few dollars for multi-year purchases. Gandi, a French registrar and host, offers Comodo certs for $16/year, again with discounts for multi-year purchases.
StartSSL offers domain-validated certs completely free of cost for non-commercial uses. Commercial users are expected to undergo validation (they validate both the person requesting the certificate as well as the organization) which costs about $100/year but entitles them to issue an infinite number of certificates for systems they control (i.e., no issuing certs for your friends, but issuing certs for your work servers is fine). In short, they charge money for what costs them money: signing a cert is essentially free, while validating identity is expensive.
There's plenty of options for cheap certificates, particularly if you buy from a reseller rather than from the CA itself.
-
Re:Dump SSL / Certificate-based Security
StartSSL offers free-of-charge domain-validated certificates that are widely trusted. Other CAs like GoDaddy and Comodo offer (often through resellers) domain-validated certs that cost less than $20/year. Thawte DV certs from resellers cost about $30/year. The cost (or lack thereof) for such certs is probably the least important reason why people aren't using HTTPS more.
EV certs are well within the budget for even small businesses, and usually cost around $150/year. Again, hardly unreasonable.
It'd be nice to see more hosting companies implement Server Name Indication (SNI) so that clients can implement SSL/TLS without needing to waste a dedicated IP address. This really should be the default.
-
Server certs are free
Server SSL certificates (that are recognized by existing browsers and operating systems without having to install a root certificate manually) are free (from startssl.com, among others), so there really is no excuse to be using a self-signed certificate any more.
-
Re:Communications Breakdown
A cert from BigNameInternetCompany costs next to nothing (although it might just be worth that much as well).
Or even absolutely nothing (though I cannot verify whether these are accepted by gmail)
-
Re:Communications Breakdown
A cert from BigNameInternetCompany costs next to nothing
In fact it costs nothing from StartSSL, like several commenters have pointed out, but people forget that the commercial X.509 PKI is for convenience, not security.
A self-signed cert is highly secure as long as you can verify through independent means that it is in fact the same cert installed on your server, and as long as the private key has not been compromised. In fact this is really the only way you can really get this level of security from even a commercial cert --- to verify independently that it is in fact the cert you think it is, and you have not been subject to a man-in-the-middle attack.
It's not as though Google previously made any effort to verify the authenticity of those self-signed certs, or as if accepting those self-signed certs as they did before would give their users anything but a false sense of security. Surely it is not a money issue for the "small guy". Commercial certs can be had, if not free from the one provider I already mentioned, for a very minimal price from many different providers, on the order of what the "small guy" is already paying for his domain registration. Why is it that the "small guy" always seems to choose the most expensive, heavily advertised vendors of some service or product and then proceed to complain about the price?
I have to agree (mostly) with Frosty here. No, the mainstream commercial PKI is not the most highly secure thing in the world, but you're trying to authenticate your server to a big commercial company---you need a commercial cert. And if you're trusting such a big commercial company as Google, then you may as well trust the whole commercial PKI, because you're extending your trust far and wide in either case, which there is nothing wrong with, as long as you are mindful of what you are entrusting to the "big boys."
-
Re:Google should then provide signed certs
You're right, they're not cheap. Actually they're free.
-
Startssl
Free, trusted, certificates from https://www.startssl.com/ - no excuse at all for using self signed, at least until DANE/TLSA is deployed.
-
Re:Google should then provide signed certs
Will it work with STARTSSL free personal certs?
http://www.startssl.com/?app=1
If they offer a valid certificate chain, it should.
-
Re:Since you need FCRDNS to send mail these days
Do STARTSSL certs work? They are free.
http://www.startssl.com/?app=1
Stupid IPv4 addresses and old clients like XP (and others) can make SSL a pain in the ass.
-
Re:SSL
Free Class-1 SSL certificates are available from StartSSL
https://www.startssl.com/
Class-1 does not show the "Super secure secret key" icons with organization name because they are only email-verified, and you must use a personal name, but for small personal "hobby" websites they are still a lot better than a self-signed certificate.
Class-2 certs are what supposedly need to be "verified", and show all the high security flags.
In practice however this verification is typically lacking depending on which cert authority you go with.
As we all know, the chain of trust method currently in place has lots of problems, especially so with how self-signed certificates are handled in most web browsers.
It is quite pitiful how a non-SSL website is shown as more secure than a self-signed certificate :/
They really need to change that, showing non-SSL as the bottom level, with self-signed certs one step above as "encrypted but not verified or authenticated with anyone", and then the class level certs above that. I suspect however this is due to pressure from the certificate authorities themselves, and since money is involved it will not be changed any time soon.
-
Re:How to easily add HTTPS to a website?
FYI: the https://cert.startcom.org/ site is, as far as I know, somewhat deprecated. The more up-to-date URL is https://www.startssl.com/
-
Re:A lot of apps use SSL
Cert price all depends on the type of cert. You're talking about a standard SSL cert, which in the case I outlined would have actually been OK but it would have required some extra setup (dynamic subdomains) and the client just didn't want to deal with it. Just a heads up: in certain situations (e.g. corporate certs + internationalized domains + multiple sub domains + weird proprietary auth crap for odd protocols + a badge that says the cert passes some standards body tests....) the cheapest possible cert will run well over $1,000.
BTW I really recommend StartSSL https://www.startssl.com/ if you are using standard certs. The prices: free for personal certs/low-end schemes, unlimited plans for more robust and corporate certs. Service and support are also pretty good.
$1000?
That's what? Somewhere between 5 and 10 hours of developer time in the US and Europe - counting all overhead costs? And 10 hours is a CHEAP and presumably not very good developer, FWIW....
What the fuck is it with companies not willing to spend a few thousand dollars on buying an industry-standard solution that works, but are willing to throw hundreds of man-hours that cost a helluva lot more money at creating their own crappy solution?
-
Re:I have a dream
StartSSL provides free SSL certificates.
-
Re:Oh noes! Weak SSL Security Settings!
Have you seen how much that costs?
StartSSL provides class 1 certificates at no cost!
Which might be way beyond GP's budget. Anyway, StartSSL's server appears to be down (slashdotted?).
-
Re:The IMPORTANT bit about SPDY
You can get SSL for free at https://www.startssl.com/ so it isn't a matter of price. An IPv4-address could be a bit more expensive at your provider though.
SPDY is mostly useful for large sites which want to speed up loading of their site because they already fixed everything else they can fix.
Like Facebook, Yahoo and Gmail and so on.
-
Re:who had trust in it?
You can get them free already : http://www.startssl.com/?app=1
"The StartSSL Free (Class 1) certificates are domain or email validated and mostly referred to as the free certificates. Because the checks are performed mostly by electronic means, they require only minimal human intervention from our side. The validations are here to make sure, that the subscriber is the owner of the domain name, resp. email account. You may find additional information on this subject in our CA policy."
-
Re:Self-signed? Big Scary Warning!
And a how many minute job to earn money to buy the certificate from a CA to sign your signature?
$60, and about an hour of back-and-forth emails in identity verification for a class 2 identity cert. Surprisingly cheap and easy.
You might not think so if you were a start-up in India.
-
Re:No...
Highly profitable ? Hmm... well, there are also free certificates:
Obviously you can pay for extra features, but it is still the cheapest choice for a lot of the extras.
-
Re:Weakest link
I got a free cert from StartSSL quite easily.
I know its credential chain is not big/cool/long or anything useful to businessmen in a meeting room, but for creating a secure tunnel between a server and a browser I believe it's quite good enough. It definitely is better than teaching the merits of public key crypto to every visitor of your domain. Oh and yes, their UI royally sucks..
In general:
if you want customer assurance go with the big names/price tags
if you just want a tunnel go with the first dude who is trusted by the browsers and will give it to you for free or almost free.
if only you and your pals are going to use it, sign something yourself and get out of the trouble of manoeuvring around buggy cert UIs.
-
Re:Let me just say it for the hundreth time
Verification is an issue for those that do check URLs. And verification is already free with certs from StartSSL.
-
Re:Full stack
And be sure to set up sieve in Dovecot and the filter plugin in Roundcube. That way you can properly create filtering rules from within the webmail client. Go to http://startssl.com/ for certificates for HTTPS and TLS (on smtp and imap). I'm not using postfix, but exim with sa-exim to do greylisting based upon the spamscore (although postfix may be able to do something similar).
-
Re:The scam will always win -- its all about the s
1) Stop selling the idea that certificates "verify" who you're talking to. They don't. They never did. As soon as I compromise your server -- easily done, as history shows -- I have your certificate. If it is remote across your network, a little more work, but still, soon I'll have it. Now you have still encryption of the intermediate channel, but the wrong person is catching the data.
... and certificates don't cure AIDS either. But that's not what they're supposed to be used for.
Certificates are meant to secure the communication channel, in order to make sure no unauthorized third party taps in the middle. If the end points are compromised (server or client workstation), all bets are off.
That's why organizations that care (such as some banks) make damn sure that their servers are secure, and cannot be compromised. A bank however has no jurisdiction on the path from its customers to its servers, so it cannot make sure that no router at an ISP or Wifi access point at a coffee shop is compromised. That's where SSL and certificates come in: making sure that the communication is secure, even if some nodes on the route are compromised. However, it doesn't protect against compromise of end points, and never was meant to.
3) Stop "allowing" certificates at all. We can easily make them at zero cost, and we should. The whole "Verisign" thing is a complete and utter scam, and always has been, one with the collusion of the browser makers with the fake warnings and "scare the user" policies. Giving ownership of the encrypted data channel to profit making operations was a stupid, stupid move, and has served only to cripple e-commerce from the day it began -- it's one more useless and endless cost for the small entrepreneur to have to absorb, and therefore in the end, the consumer.
You can get cheap certificates at startssl.com . Basic one-site certificates (no wildcard, no subject alt names) are free, anything more fancy costs $59.90 per identified user (but unlimited number of certificates... great for hobby hosting operators!)
Further, it has evolved into a higher stakes / cost game of buying that little green verification bar in some browsers. Scams upon scams.
... and even that, you can get from startssl.com (if you feel you need it), but it's more expensive.
-
That is false
That is false, I use nephthys in my company and have no problem with any Windows (XP, Vista and 7), just map a network drive using the WebDAV URL (using an http(s):// URL, not webdav:// ) and it works fine...
Mac OS X and Linux (KDE Dolphin at least) also work fine, but they use the webdav:// URL format. I later moved to https and to make it work I only had to get a valid certificate (get one free at startssl.com).
nephthys doesn't use authentication, so if there is a problem, maybe it lies in the auth part of Windows.
-
Re:Self test?
The above is all I want. To summarize:
Signed TLS is terrific.
Self-signed TLS is less so.
Plain http is terrible.
My entire complaint is that browsers are currently not reflecting this. They are reversing the last two.
That is not how I (or people in the security community) see it.
* http is fine for things that need no transport security; if your service should have transport-level security then do not provide the service over http
* https with a properly signed certificate is for things that do need transport security
* self-signed certificates are intended for testing only. If they are used in live environments then users must be warned about the possible dangers of accepting one. If you provide your users with a self-signed certificate you should also provide them with a method of verifying that certificate (for instance with a copy of the fingerprint distributed by some other secure method).
Modern browsers are correctly reflecting this view of things (older browsers (pre 2000 IIRC) didn't, which you probably remember).
If you maintain that plain http is equal or better than self-signed TLS then we have nothing more to discuss.
I do not maintain, nor have I stated at all, that plain http is equal or better than self-signed TLS. I have said that self-signed TLS, if accepted without stark enough warning that the certificate needs to be properly verified by the user because the browser was unable to do so with the information it has previously been given (the trusted CAs list), gives users a false sense of security. They will likely think they are as protected as with TLS with a valid trust chain, but they won't be.
If your service needs or recommends transport-level security then why not simply not provide a plain channel as an alternative, redirecting any initial requests over http to the https service, and people will not choose http over https because they will not have the option to. Or indeed pony up $9.99/yr for a cert from a commonly trusted CA. Or wait for https://www.startssl.com/?app=39 to fix their problems (and release an honest account of what happened and why and what is in place to remove the risk of repetition) and get one for free. Giving users another OK button to be trained to click without thinking is not the answer.
-
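Two of the comments above (the "Communications Breakdown" reply on verifying a self-signed cert "through independent means", and the "Self test?" reply on distributing the fingerprint "by some other secure method") describe the same check. Here it is as a worked example, added to this page and not taken from any commenter: a client that pins a server certificate by its SHA-256 fingerprint instead of consulting the CA list. The host, port and pin are placeholders a reader would replace; the demo input is a constructed byte string standing in for a DER certificate so the block runs offline.

```python
"""Fingerprint pinning for a self-signed (or any) TLS server certificate.

Added example, not from any of the posts above. The pin is the SHA-256
fingerprint obtained out of band (a printout, a phone call, a signed mail),
which replaces the browser's CA list as the source of trust. Standard
library only.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, formatted the way browsers
    and `openssl x509 -fingerprint -sha256` print it (AA:BB:CC:...)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """A pin copied from a dialog, an e-mail or paper may differ in case and
    in colon/space separators; strip all of that before comparing."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def pin_matches(cert_der: bytes, pinned_fingerprint: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin.
    A pin that is not a 64-hex-digit SHA-256 digest is rejected outright
    rather than silently matching nothing or everything."""
    expected = normalize_fingerprint(pinned_fingerprint)
    if len(expected) != 64:
        return False
    presented = normalize_fingerprint(fingerprint_sha256(cert_der))
    return hmac.compare_digest(presented, expected)


def connect_pinned(host: str, port: int, pinned_fingerprint: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches
    the pin. CA validation and hostname checking are disabled on purpose:
    the pin is the trust decision, which is exactly the self-signed case.
    The handshake itself is still authenticated by the certificate's key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI is still sent
    cert_der = tls.getpeercert(binary_form=True)
    if cert_der is None or not pin_matches(cert_der, pinned_fingerprint):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate presented by {host}:{port} does not match the pin")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate so the demo needs no network.
    # A real run would be: connect_pinned("example.invalid", 443, PIN_FROM_PAPER)
    fake_der = b"constructed-der-bytes-not-a-real-certificate"
    pin = fingerprint_sha256(fake_der)
    print("fingerprint:", pin)
    print("matches own pin:", pin_matches(fake_der, pin))
    print("matches lowercase, no colons:",
          pin_matches(fake_der, pin.replace(":", "").lower()))
    print("matches tampered pin:", pin_matches(fake_der, "11" + pin[2:]))
```

A pinned client of this kind is only as safe as the channel the fingerprint came over, and the pin must be rotated whenever the server key changes.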
coincidence?
I created a certificate through them a while back, for testing something; I forget what. I had forgotten about them until I got an email on the 16th:
This mail is intended for the person who owns a digital certificate issued by the StartSSL™ Certification Authority (http://www.startssl.com/).
The client certificate for _______@gmail.com and serial number XXXXX (YYYYY) is about to expire within the next two weeks. Please log into the StartSSL Control Panel at https://www.startssl.com/?app=12 and get a new certificate for this purpose. Failing to update your client certificate might result in the loss of your account.
Should you have lost the client certificate which was previously issued to you, please register once again - login without the client certificate installed into your browser will not work in that case.
-- Best Regards
StartCom Ltd.
StartSSL™ Certification Authority
Not sure offhand whether my certificate is legitimately expiring (don't recall the details on it; it was for a one-shot test of something), or whether this is some sort of phishing attempt. The email was sent on 16 Jun at 5:34pm - after startssl went down.
-
Existing certificate holders not affected.
Before the FUD starts flying, here's the message on the StartSSL page.
Due to an attack on our systems and a security breach that occurred on the 15th of June, issuance of digital certificates and related services have been temporarily suspended as a defensive measure. Our services will be gradually reinstated as the situation allows.
Subscribers and holders of valid certificates are not affected in any form.
Visitors to web sites and other parties relying on valid certificates are not affected.
We apologize for the temporary inconvenience and thank you for your understanding.
I've used their services for years now. Never had a problem, though their web application is truly awful - I've always wondered how fragile it might be. Hope they can pick themselves up and get back to business.
-
Could this be why StartSSL is down?
Is this why StartSSL is down as seen here?
I am wondering if this is why one of my sites is now showing the "untrusted site" screen in firefox?
Error code:
blah.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)