Slashdot Mirror
Extended Validation SSL, More Secure or Just a Racket?
Nalfeshnee writes "The Register is reporting on the new 'Extended Validation SSL' cert currently being touted by Verisign. Vista and IE7 will be using this but not, apparently, Firefox anytime soon. For this the Verisign Product Marketing Director Tim Callan squarely blames the Firefox dev team for 'not keeping up' with their new technology. However, the whole thing just seems to be a way for Verisign to enjoy ridiculous markup on selling 'more secure' certs."
I'm colorblind. Would I ever notice the difference?
Has anyone found an effective way of cracking regular SSL? Is not the whole point of SSL to just slow down the decryption to a point where even if decrypted the data is old enough to be useless?
I mean hell if SSL is weak encryption and we need stronger encryption should I not SUE verisign right now for providing a false sense of saftey?
Hey Verisign, it's called "open source". If you'd like the feature added submit a patch and they'll consider it. Until then the people working on it will finish when they can. Thanks.
Developers: We can use your help.
I think I remember reading about this either on firefox dev blogs or mailinglists or IRC. IIRC, the upshot was that verisign should be doing "extended validation" type things on all their clients. The validation they have now is really pretty shoddy, shoddy enough that they'd be risking getting kicked out if they weren't so big and so many websites would break. But that's just my memory, which could be bad, you'd have to look into it yourself.
There are 11 types of people in the world: those who can count in binary, and those who can't.
Definitely sounds like a racket to me. If you get the green bar by paying Verisign 150%, how does that differ from today's security certificates? Other than having to pay more money, and only being able to be verified by Verisign, that is. (Doesn't sound racket-y at all. Or was that rickety?) While they make it sound like the Green Bar is an excellent method of knowing that Amazon is really Amazon, I think it's actually a reverse attempt. By getting Amazon to use this spiffy new green bar, Verisign is attempting to legitimize their new technology in the eyes of the consumer. Little will actually change for the consumer, as he already knows when he's surfing Amazon.
The only place it would supposedly help is with Phishing. But since Phishing sites can't get certificates anyway, what does this help? If the lock isn't good enough, just change the URL Bar green for every VERIFIED certificate received. That will have the EXACT same effect.
Javascript + Nintendo DSi = DSiCade
It just seems funny with the release of 2.0 and now here verisign is blaming the dev team at mozilla. Kind of odd you know fox or verisign didn't speak more closely.
_-^ D3\/1|_ ^-_ in me
[Fuck Beta]
o0t!
1. That a commitment to Linux, not their own distro.
2. The story was already posted here.
Now go troll somewhere else.
Javascript + Nintendo DSi = DSiCade
Err, excuse me.. isn't the verification of the identity of the applicant of the certificate exactly what the CAs are meant to be doing anyway?
I thought that that is why we had these 'trusted' third-parties, to vouch for the identity of the certificate owner - that is the fundamental basis of PKI and certificates. If they weren't doing that before (which they clearly weren't doing properly), what the hell were they doing?
So, we're paying them extra to get a 'fixed' version of something that they caused to be broken in the first place because they couldn't do their job properly. WHy should paying an extra 50% on top of their fees all of a sudden make us able to trust them now?
So, a product is proposed by Verisign (the guys who tried to shove their shoddy SiteFinder search engine down your throat by abusing their monopoly) and Microsoft (the guys who have been shoving their shoddy DOS and Windows down your throat for decades by abusing their monopoly).
You know what? I'm quite sure it's a shoddy product they're trying to shove down people's throat for some reason...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
http://www.verisign.com/ssl/ssl-information-center /faq/high-assurance-ssl.html
This seems to be composed of two parts:
This is coming from the people who stole DNS, and sell certificates for hundreds of dollars which take milliseconds to make....
Now we're supposed to get a more "trustworthy" cert and make our address bar green?
Fuck you Verisign.
Tom
Someday, I'll have a real sig.
Nobody uses SSL to verify that a site is who they say it is - when was the last time 99% of users looked at a website's certificate?
SSL is still good for keeping the data encrypted between client and server. You don't need some super-duper certificate for that.
Anti-phishing blacklists will be what works well for end-users. Being told explicitly that they're on a dangerous website is far more effective than 'hmm, well the location bar is in green!'. They won't even look.
IE 7 will have different icons on the location bar to indicate that a site has the "higher" level of "security" (translation: "bought the new certificate").
I'm guessing the certificate security itself isn't changed. What they're saying is they're just going to do more research on a company before they hand out certificates. Right now you fill in a form, fax it in, and *presto* you get certs. Now, I guess someone will actually call and check before issuing.
They could do this now with regular SSL, but they couldn't charge more money... too much competition out there.
The thing is, the encryption of SSL is not at issue; it's just a new product to market.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
See this blog post from about a year ago on this topic.
The only way to judge whether this is legitimate is to see whether sites that do fraudulent things (get traffic from mistyped domain names, send out "renewal" requests to non-customers, etc) are able to get these certificates. If Verisign is able to make sure that sites that do these things or have a history of doing them can't get certificates, then maybe they'll mean more than current SSL certificates.
Of course, there are technical issues with a PKI system without trusted root certificates, so it might not work even then.
"More secure or just a racket?"
C'mon, ScuttleMonkey, are you trying to get a job as a pollster for Karl Rove?
"Would you be more likely or less likely to vote for John McCain for president if you knew he had fathered an illegitimate black child?"
The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.
RichM
Data Center Knowledge
..."but our Verisign certificate goes up to 11!"
Gentoo Linux - another day, another USE flag.
#1. In order to issue the new certificates, the Certificate Authorities (CA's) will be "required" to follow "industry standard" practices in "verifying" whomever applies for a new certificate.
... the same as they are today.
#2. This additional "verification" is what will cost the additional money.
#3. Any business that does not pay the additional fees to be "verified" by "industry standard" practices will be
#4. Phishing depends upon a person making a single error in judgment, one time. This will not stop phishing.
This will not stop anything. This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already. Imagine trying to run a business like that.
Boss - "I paid you last week, but you barely did any work. I'm going to fire you."
Employee - "If you give me a 50% raise, I'll perform the work to industry standards."
Boss - "Okay, that sounds like a good deal to me."
One snarl-up for Mozilla may have been working out an alternative to the rest of Microsoft's site-rating system. As well as getting dishing out green address bars, servers at Redmond will blacklist dodgy and suspect sites, which can look forward to red and amber flashing up.
I don't feel all paranoid about this, and I think the technology is a good concept, but dang, do we want any for profit company to be the one in charge of maintaining these lists? And what's the appeal process, if my online store got listed red or amber for even a couple weeks at the wrong time, that's a serious hit to my business. Now, like I said, I'm not really concerned that MS is going to go off and start red flagging sites they have a grudge against, I generally trust them, but do we even want to give any for-profit the temptation? (I wouldn't want to take this responsibility on as part of my company, I'd much rather start a specific organization for it which was completely transparent and accountable)
Verison is involved.
Everything Verisign does is a racket.
Therefore, it's a racket.
Q.E.D.
To spur "enterprise Linux," Big Bang, the distributed two-phase commit.
shoving their shoddy DOS ... down your throat ... abusing their monopoly
Right! Because DOS was definitely the only O/S upon which big business was doing business, say, back in the 1980's.
And then there were those enormous numbers of consumers using DOS instead of Apple II machines or Ataris or Amigas... Shoved down their throats? Come on. If you're going to rant about MS market share, at least skip over the part when it was anything but a sure thing, before all of the other platform makers wheezed and missed the opportunity to take over the business desktop market (when they already owned the back office corporate computing market!) when it was anything but settled in one popular direction.
Don't disappoint your bird dog. Go to the range.
In a world where even PayPal can't get it right (and nobody cares) what does it matter?
"Oh, it's an https site. It's encrypted. Cool". Next.
Some time when you're really bored look at the low level ssl stuff (with openssl or something) and notice all the errors. The browsers ignore so many of these I think it's all a big joke.
Need Mercedes parts ?
Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.
So that's why it's not in Mozilla.
It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.
The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.
So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.
Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.
What do you bet the implementation is designed so that the browser will only accept 'enhanced SSL' certificates that have been signed by Verisign ?
Does anyone believe that a system designed by Microsoft and Verisign will be inclusive ?
Has anybody seen a RFC for this yet ?
Honestly, I believe that there should be a WC3 conference to contribute a single CA that makes its way onto all browsers. Give the WC3 CA site an automated system for generating certs, including an open API and then combine DNS registration protocals with the CA gen protocals. Publicly open the API, and charge small, if anything. This service is an easy one to implement. The real issue is getting browsers to add it to its automatically trusted CA list. I can create SSL at home, but I can't get browsers to add my home web onto the trusted CA list by default.
Development notes at http://devscribbles.blogspot.com
"See only we are secure"
phffft
---- Booth was a patriot ----
... is that they are a commercial venture. They will sign just about anything as long as they are paid. I have seen more than one piece of malware signed by Thawte. The whole model of third party commercial CAs is badly flawed in concept. One only needs to pay a CA like Verisign or Thawte to appear legitimate to the average user and then proceed with whatever nefarious purpose one desires.
I trust a self-signed certificate more than one signed by Thawte or Verisign. (I do trust Entrust though, as they are Canadian)
Extended Validation SSL? Is it 256 bit? I think not (what would be the point?). 128 bit SSL is 128 bit SSL regardless of who signs it and how. You must trust the server you are dealing with in the first place, SSL is merely there to make your cummunications with that server private (all the more so if self-signed).
I expect that this "Extended Validation" is an implicit admission that up till now they have been signing pretty much anything as long as they get paid. Even so, it is not up to a CA to assure users that a particular site or application is not nefarious in purpose.
The signing CA model is flawed and very misleading to the average user. I say it does more harm than good.
I mean... since they don't do any verification anyway... and the customer service is terrible... why does it cost hundreds of dollars?
Peace
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Conducting business on the Internet in a secure manner requires two things, trust and privacy. Certificates were SUPPOSED to provide both of these, however free certs have really undermined this because companies offering free certs certainly cannot afford to do a good job of verifying the identity of the applicant. Extended Validation SSL means that the CA agrees to abide very stringent identity verification regulations before issuing a certificate to an individual/company. Guess what? Abiding by these regulations is going to cost money, therefore the cert is going to cost more. Duh.
I look forward to my browser (come on Firefox devs!) distinguishing between Extended Validation certs and "traditional" certs.
However, they feel just as dumb as everyone else after they've been suckered into paying an extra $1000 for a Verisign Super-duper Whiz-Bang Mega-Ultra Cert.
To be honest there is a difference between a cert from a real CA and some $10 cert from some outfit that doesn't care anything more about your true identity than whether your credit card payment goes through. Google for "high assurance" vs "low assurance".
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Wooosh!
Mozilla.org should get into the SSL certificate reselling business and set the location bar to green when one of the mozilla signed certs is present. Verisign could then have the option of paying a royalty to mozilla.org for each extended certificate if they want green URL bars too.
Have you audited any of the dozens of CA certificated that ship with your OS?
Do you fetch a new CRL for each of them whenever you access a site using SSL?
whooosh! :)
welcome to the world of the meta-joke
Perhaps this is also an answer to the efforts of the StartCom CA. At this article there is a nice explanation about this...Which doesn't mean, that StartCom can't provide the necessary extensions in the future. With 43 % of market share in Germany and other European countries, Firefox is far away from suffering on the hands of Verisign and MS!
The third type would be those built so low to the ground that the jokes go whizzing over their heads at near-supersonic speeds...
Presumably you are saying that something just flew over my head? Or are you saying it flew over the head of the parent? If you are saying something flew over my head, then I would love to hear what it is supposed to be that I missed.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Yeah, the "real" CA's require that you fax in something on, wait for it, letterhead. oooooh safety......
This comment is guaranteed*
*not guaranteed
I'm wondering that too. Maybe the joke is that the author can't count in binary either.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Sadly, CACert's root certificate is still not included with Mozilla, although a number of distributions include it.
I am TheRaven on Soylent News
Nuts...I'm out of mod points!
The first paragraph of the parent post is, IMHO, both +5 Funny and +5 Insightful.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
...as a Certificate Authority to ensure that any sites they issue certificates to are trustworthy. All PKI systems are based on this kind of trust model. If there is any lack of trust/confidence in online ssl-encrypted commerce, it is their fault. Merely because they have been ignoring their role as a trust arbitrator and giving out certs to anyone, they decide now to actually do their part, charge more, and have Microsoft put a flashy "green for go" interface on it.
Then, of course, you must slam Firefox for "losing the browser war" by not keeping up by making their URLs turn green. You know, (speculation alert) you can probably bet Microsoft patented the green url indicator anyway, locking Firefox out.
So far nobody has mentioned InfoCard/CardSpace. I think you will find that one of the major pushes for the new extended certificates is to improve the user experience with respect to security. Presently anyone can get an ordinary SSL certificate - a phishing site can easily obtain an existing SSL certificate that will allow them to fool more average joe users that no certificate at all. With an extended certificate a company's name, location and logo are also included as part of the certificate so it should be much easier for uneducated users to make the connection between the certificate and the organization whose site they are visiting and more difficult for the phishing sites to do so. So the new certificates provide a better way for websites to prove their identity to users and aim to provide a consistent way of presenting this information to users so that they can make a choice as to whether or not they trust a site.
For details see the section titled Improved User Confidence in the Identity of Web Applications in Introducing Windows CardSpace: http://msdn.microsoft.com/library/en-us/dnlong/htm l/introinfocard.asp/
CardSpace is a Good Thing. Check out Kim Cameron's blog http://www.identityblog.com/ for ongoing coverage. Microsoft is doing everyone a big favor in the identity space - they fully acknowledge their mistakes of the past (e.g. Passport) and are very open in terms of what they are doing and how they are doing it. Further, the specifications behind all of this are unencumbered (see http://www.identityblog.com/?p=574/.
It has nothing at all to do with cracking SSL. It has to do with easily getting a certificate bound to an identity and making sure that the user doesn't compromise his private keys thereafter.
You can change procedures for verifying the identity of a person before issuing a cert, that will make it certain that less certificates get issued by the highly trusted CAs. It will help cut down on simple phishing schemes. But it will also turn a lot of businesses to using certs with less stringent requirements, with businesses turning to the CA that has the least hassle and customers getting used to accepting them. For an admin, a tree structured heirarchy gets you into central planning and breadlines when you are trying to get a suite of servers up and running. You may have 15 days to setup 100 servers, and a CA with a 30 day turnaround. This can make things so painful, that the only thing you use a "real certified cert" for is for your external IP addresses.
A good reputation system that understands that reputation can be context dependent and tweaked by the community might be a better fit for the internet.
The technical problems with X509 certs run so much deeper than any of this however.
1) There are no ultimate roots that all users can trust, making a universal set of root CAs problematic. Do you trust the root CA of every country you deal with? As an example: The DoD won't accept anything other than a highly cleared US Government entity, while those outside the US might not trust such an entity for any purposes whatsoever. One of the first acts of setting up a web browser in some military environments is to remove all of the civilian CAs from the "trusted" list.
2) SSL certificates are generally issued as software files, servers generally need to be rebooted unattended, it is bad to have passwords on the filesystem, and finally if a web server gets compromised there is a chance that the software certificate store (with private key material) is now floating around on the internet. These things conspire to ensure that no matter how carefully you identified the identity of the certificate owner, that over the lifetime of the certificate it's very likely that the private key information has been made available to somebody other than the owner. (Ex: import your client software cert into IE at a workstation that you login to, but somebody else administers).
3) Using the common name in the certificate to map to the issued DNS name is a bad hack that attempts to fix the insecurity of the DNS system. Assuming the approach of requiring the hostname to match is used, the certificate securely binds the DNS name to an endorsement from the signing entity; assuming that the owner manages to keep the private key material a secret. A passphrase wont really stand up to a long offline attack once the software cert (PKCS12 or JKS file) ends up in a hacker's database of "certificates that somebody would trust". Using an email address in the common name for client certs has similar problems.
4) You REALLY NEED TO GO TO HARDWARE TOKENS (like smartcards) if you want X509 certs to have anything resembling security. This is ESPECIALLY true with client side certificates. This is because it prevents the user from accidentally spilling the beans - over a period of years over which the cert will be valid. In this case, the hardware token has a set of root CAs that it trusts, with the user generally being limited in managing these trusts for himself. And the user cannot have the private key material permanently compromised because the key material is never exported out of the hardware token to perform computations (into the server's memory, etc.).
5) Certificate Revocation: I have yet to see many using it correctly on a large scale. If you trust ALL of the certificates issued by a CA, then you should check the CRL to make sure that the certificate you are accepting is not revoked (in spite of being valid and not yet expired). A lot of people don't bother keeping updated CRLs
Does anyone know why CACert's root isn't included in Firefox?
Seems like that would be a no-brainer; I can't believe Firefox is really interested in perpetuating the Verisign monopoly. (Or is Verisign a donor?)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Will someone please inform the author and Verisign that Firefox is BETTER then IE7.
How often is sensitive information is stolen during transmission? I always hear about hackers stealing information of past customers. So, what does the new SSL has to do with better security?
\
Or a seperate certificate store, if they're worried about interoperability issues.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
"Technology?" Give me a break. They're looking at what authority signed the cert, and if the web browser has been told to dogmatically trust that authority more than others, then it turns something green.
Actually, it's not a bad idea. There are degrees of trust, and showing it to the user is fine. But you bet your ass this is mostly just a cashgrab from Verisign.
Good news. There's a way to do this, that will absolutely embarrass MSIE, making its version of https look completely insecure by comparison, and screw Verisign over, in the process.
Support an OpenPGP-based cert model (perhaps using GNU TLS library, perhaps not). Suddenly, you can have certs that are signed by multiple authorities, including users themselves, and display a whole spectrum of trust metrics. Equifax can make mistakes and issue an incorrect cert to a bank, but can three CAs all make the same mistake, without a conspiracy? And what if you get the bank's fingerprint on your snailmail statements, or there's a sign showing the fingerprint when you walk into it, and thus you can cert it yourself? What if you haven't ever been to the bank (ok, I can't imagine that) but you have 3 friends who have, and you have certified them, and told your computer they are each marginally trusted, and they all certify the bank? Three friends are sure as hell a lot more trustworthy than some faceless corporation named Verisign, whose identification policies you don't even know, whose private key storage policy you don't even know, and in fact doesn't have a single employee you have even met, assuming they have any employees at all and aren't a robot in the basement of a building at the NSA.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
There should be a mechanism for encrypting web data that doesn't rely on paying a third party for a service only tangentially related to encryption.
There is. You can still get cheap SSL certificates. But if you're accepting payments, plan on getting one that clearly identifies who you are.
If you accept payments through a web site without disclosing who you are, you're a criminal. (California Business and Professions code section 17538, other provisions in other jurisdictions.) And soon, browsers are going to put up a big red flag that will make your customers go away.
It's purely a money-making scam by Verisign (and other CAs). The only thing high-assurance about "high-assurance" certs is the assurance that you'll be charged more money for them. See the Defcon talk Phishing Tips and Techniques - Tackle, Rigging, and How and When to Phish for a discussion of why "high-assurance" certs are worthless except to the companies issuing them.
My address bar was WHITE when I read this article. I don't think ./ is a very secure site for firefox to be going to. Actually though, if verisign wanted you to only trust websites that are green, what could this be saying about them. I think that they're leprichauns (green people) that only want you to trust leprichauns instead of trusting the white people who use firefox. They're teaching racism against color, I tell you. We'd better watch out for them. But don't trust what I'm saying, after all, I'm white, not green. And besides, I use Mozilla products. Horrible person I am.
Okay, I admittedly have a relatively limited understanding of the technical details, but it's my understanding that the OpenPGP standard does essentially the same thing as the SSL encryption and authentication, but with an explicit "web of trust" model rather than a centralized "Verisign says they're okay" sort of model used by SSL.
Since Verisign et al don't seem to REALLY be verifying identities any more (unless now you pay extra for the "special" certificates), why keep paying them at all? Wouldn't it be possible to do a mod_pgp (or "mod_gnupg" or whatever) modules for Apache and an extension for firefox to use OpenPGP encryption instead of (or in addition to) SSL?
Anybody with better technical understanding want to comment?...
Hacker Public Radio is our Friend
The (binary) 11 types of people are: Those who can count, and those who can't.
Hacker Public Radio is our Friend
The employee just can't be allowed to get away with that sloppy approach!
Phishing sites with SSL certs
In-depth look at one SSL phishing attack
I've never had the nerve to try this but the phone call would make a really funny transcript.
The right way to verify a cert is to phone the establishment the cert is supposed to be for, and have them verify the thumbprint.
Imagine trying that. Just imagine it.
This is stupid. You're paying EXTRA to have someone do the verification they were supposed to be doing already.
ROTFL...
You mean like pay a mailing/shipping company insurance for them to do their own job?
Or paying extra for an extended warranty? (To guard against stuff that shouldn't be crappy in the first place)
Or paying a credit card company EXTRA MONEY for them to taken YOUR PAYMENT "express" ?
Or paying extra money for a "Service Plan" to get "updates" to bug-ridden software?
Or paying a monthly fee for ambulance service? WTF?!?!!
Sadly, we do live in interesting times... And its only getting more and more "interesting"!
Why not just set firefox to have the green color for any site with any certificate?
Joe Computer User will then wonder why Internet Explorer doesn't have the green bar when he logs into his favorite porn site.
Sorry, I forgot Joe only uses what comes installed by default, and has no idea what's going on.
Firefox users are at least computer literate enough to download and install a new browser, perhaps not enough to understand why they don't get that purdy green url color. so... disregard this.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
(1) There are few if any perfect encryption systems; security is based on the estimated computing (i.e., time) cost to break.
(2) Realistically we should only be interested in encryption that is "good enough" for our purposes. That is to say, systems that give us reasonable security in proportion to the risk involved. Expecting perfection is not realistic.
(3) "Good enough" keeps shifting, but it is possible to create systems that will be reasonably good enough for, say, about 5 years.
(4) Systems that use too much or unnecessary encryption are resource hogs, which in turn means they cost you unnecessary money and time.
(5) Thanks for nothing Verisign, you greedy bastards.
The DOS / Windows 3.x days were when MS was at its worst. DOS and Windows each had much better alternatives, but the licensing from MS made it financial suicide to ship a PC with anything else. If a computer manufacturer wanted to ship 1 computer with DOS and/or Windows on it, it had to pay licensing fees for *every* computer they made. There was no negotiating over those terms, it was take it or leave it. That didn't change until the government got involved, at which point all the other players had already been wiped out (well, Apple was still alive, but barely).
The website http://colorfilter.wickline.org/ claims to provide representations of how websites will look to various forms of color blindness.
Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
If the extra up-front validation is the main thing, Verisign should be charging a high one-time-fee for undertaking those steps, then charging a low low monthly rate to rest on their laurels and do nothing further. Somehow I doubt that's the price structure they adopted here.
Same as with those "tubes" err "pipes" - telcos want you to pay more so that they can actualy deliver the speeds they alredy sold you.
Sorry for bringing this subject up again. :)
hany
"The system is implemented in IE7 by turning the address green for sites holding a extended validation certificate"
Any bets on how soon will someone come up with a piece of code that turns the address green on bogus sites. Any security device that relies on the user having to do something or in this case not doing something, is bound to fail. How about a cert built into the DNS system that way when the browser queries a domain name the DNS server returns an 'invalid' code and nothing pops up in the browser. I here by put this in the public domain.
"Callan puts Mozilla's apparent heel-dragging on the new security technology down to the character of its development community"
fud injection: the inneficient Open Source process as compared to the professional commercial product.
"Firms will have to stump up about 150 per cent of what they currently do for an SSL certificate."
How about you get fined each time a phishing site is registered with Verisign.
was Extended Validation SSL, More Secure or Just a Racket?
davecb5620@gmail.com
If Firefox (Mozilla) is not keeping up with technology fast, where is the OS X support? E.g. will there be a Safari update to support that thing? Why not? There, Apple.com, traditional business with "security department", will they ship it?
:) I am nearly sure that it will be implemented on Windows CE next.
g h-assurance/index.html
If Verisign loses the "compatibility", there won't be any Verisign in matter of couple of years. Remember I said it.
SSL'es power comes from Compatibility. When you implement a SSL site with Verisign, you know your clients,even the ones using Opera on their Symbian PDA's will have no problem accessing it,with same security standard.
Oh, what about Symbian support Verisign? They don't keep up with technology too I guess
I remember first days when Outlook Express came with S/MIME support. When you wanted it, a IE page opened with huge Verisign icon asking for $$$ for a full feature certificate. It took years for some to figure there is Thawte.com which gives them for FREE.
Speaking about Thawte, look at that:
http://www.thawte.com/ssl-digital-certificates/hi
"To this end, and through our involvement with the CA Browser Forum, we are working with the American Bar Association Information Security Committee, browser manufacturers such as Mozilla, KDE, Microsoft and Opera as well as leading CAs to define industry standard online identity assurance processes that will serve to reassure all our customers of our dedication to building a trusted digital future that instills confidence and trust in all internet users."
So, there is a open technology which will be supported by ALL browsers (Read KDE as Apple). You know what to install from who.
SSL means that at least my credit card number and
address aren't going across the internet in the clear.
That's important to me.
It also provides SOME assurance that I'm talking to
the site I think I am. What happens to my credit card
number after it's unpacked in the web server is another
story entirely.
-- ac at home
Let me guess, you don't like Verizon, either.
The Gimp can also display (instructions) images to simulate the various forms of colorblindness (though in that case you would have to do a static screen capture of your stuff). For much more ./ style prattling on developing for colorblindness, an ask ./ item was posted on this topic a while back.
If you're really good, hack your xorg.conf to simulate colorblindness. But don't ask me how to do it.
The thing is, no one is going to care whether an address comes up green or white. If they ever start caring, no one is going to buy the cheap certificates anyway. This is just a mandated price increase by Verisign, or a moot point. Why not just stick CAcert's root certificate in Firefox and be done with it?
You don't need to look any further than who is on the board of Verisign, what they have done so far, and what entities they are connected to and you get the picture of how evil this company is. It is scary and obviously they are up to no good but seizing even more control and filling their pockets with peoples' money.
If I remove VeriSign from my browser's list of trusted CAs, will I still be able to do online shopping?
I don't see why this required a change to SSL. CAs already have multiple root certs, one for each level of verification they support. All that was really needed was a configuration to set the bar color on a root by root basis. Then it would "Just Work" with no further changes.
That would be a much better model of how trust is supposed to work. It's not a question of how much Verisign trusts that X is really X, what matters is how much *I* trust Verisign to be right. If I believe that "Snake Oil Limited" is more trustworthy than Verisign, that's my business (or problem) and the color bar should reflect that belief. If *I* believe that Verisign's double sooper secret cert means something, then my color bar will reflect that.
I suppose they didn't do that because then people might decide they don't really trust Verisign that much and configure them to show up as the warning color. Either that or they were hoping to slow their competition down by making them jump through a few extra hoops.
The only software changes that are REALLY needed is a simple way to support virtual sites using https without assigning each site a port and proper support for a web of trust system.
No tinfoil hat needed, Verizon simply sucks and people know to take their business elsewhere. For example, Thawte is almost as widely used as Verisign, enrolled in ALMOST every browser as a root CA, and their high assurance certs cost half as much as Verisign's.
There are lots of others, just as reasonably priced. These root CAs WILL call you back after you fax in your letterhead.
There is also evident competition, because dealing with Verisign is much less the exercise in frustration it was several years ago, although you are still well advised to take a tranqilizer or two to take the edge off the occasional rage you will experience when dealing with them. Their online documentation is quite good.
The problem is that there are still a few lame-ass browsers, like the ones in my cell phone, only accept a small number of root CAs and won't allow cert importation, and have smoked the crack pipe of peace with Verizon. So I can't reach half the SSL sites on the web with my phone. And so on.
So you perpetuate the factionalization of root CAs at your own risk, to some extent.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
>> The problem is that there are still a few lame-ass browsers, like the ones in my cell phone, only accept a small number of root CAs and won't allow cert importation, and have smoked the crack pipe of peace with Verizon.
Sorry, that came out wrong. My phone's browser only accepts Verisign and GTE as root CAs and doesn't allow me to import certs. So it's mostly useless. This is not Openwave's fault, the cert management is under the control of Verizon. Most likely they were just trying to make the phone idiot proof so they could sell their overpriced gansta ringtones with a minimum of hassle. That could be its own potential level of Hell: trying to explain PKI in a conversation between your average cell phone tech support and your average cell phone customer.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I don't know about you, but I heard the joke as "There are three types of people in the world: those who can count and those what can't." long before I every saw "There are 10 types of people in the world: those who know binary and those who don't." The .sig line is simply a combination of the two.
Centralization breaks the internet.
That would be a cool idea, especially because that could be used to sign your small personal website by asking all of your friends to sign it and having it propogate via the six-degrees principle.
Actually, if I connect to a site via HTTPS that has no certs and no signatures, then I have no way of knowing whether there is a man-in-the-middle attack going on, so there must be some initial signatures by the creator and his friends and/or employees of the company, who would be within your web of trust, but maybe far away. That would be reasonable. Then, say, once you buy something from the company and actually get something for your money, you could sign it yourself, so people close to you would get a higher trust rating for the site.
The problem is getting people to actually use web of trust systems. Currently they are pretty well limited to a subset of geeks. (I confess that I do not use GPG on my e-mail.) The problem is that some sort of out-of-band communication is needed for verifying keys. For example, OTR (IM encryption, no web of trust) shows a hex digit string that it recommends reading over a phone connection if you want to ensure security.
Maybe you could make a set-up where public keys could be stored on USB mass storage devices (read: iPods) and automatically scanned for when such a device is plugged in. Then sharing public keys requires plugging your iPod into your friends' computers.
Although, that still has a problem (for the common user) that spyware could silently modify the trusted keys to include. On top of that, the common user would have to trust at least one person who had a reasonable idea of what sites were trustworthy. You could get sub-webs of people who are already clicking on phishing links distributing signatures saying those phishing sites are good.
Centralization breaks the internet.
"Let me start by stating that the story as written is very much not in keeping with the tenor of the actual conversation I had with the reporter in question. Among other things, the story makes it sound like VeriSign is critical of the Mozilla Foundation for not having announced support for the Extended Validation SSL standard at this time. Quite the opposite, in fact. Several members of the FireFox community have been key contributors to the Extended Validation effort and are active participants in the CA/Browser Forum. I never characterized Mozilla as heel-dragging in any sense of the word, and it was my effort to defend Mozilla's method of operation that led to the most regrettable moment in the article."
RichM
Data Center Knowledge
that still has a problem (for the common user) that spyware could silently modify the trusted keys to include
You should have to sign keys yourself to add them to the trusted list. So when it detected a key on removable media, this system would pop up a dialog asking for you to re-enter your password to verify you wanted to add the keys to your list.
That makes sense, but if you have malware installed on the computer doing the signing, you are still in trouble no matter how the system is implemented. The real solution is to bundle the web-of-trust app with Ad-Aware. ;)
Centralization breaks the internet.