Just as a side note, nginx is much faster
To put it simply: NO. It's slightly faster, but when running heavy PHP scripts, you won't see much difference.
better web server
Better as in what? More hyped, maybe. But I do think it's like people talking about Ruby and spitting at PHP. It's more or less the same, but there's always someone to tell you that one is so much better than the other.
PHP under Apache (And really what serious professional would use anything else?) as a module and needs no threads
I suppose you forgot the word "run" after PHP. If that is the case, then NO. In most serious environments, you would run PHP as a CGI, because this way, you can run it in a chroot. I maintain sbox in Debian for doing just that: chroot in the folder of the vhost, and setlimit() calls to avoid nasty effects of bad scripts and to set reasonable limits. And NO, that's not as much slower as one might think. I have a real production environment to back up what I'm saying. I could see no difference in the load average graph of a busy shared hosting server after switching to sbox. Oh, and for maintaining a common (but customizable) chroot on all vhosts, I use aufs, which is great! :)
I got clients that still have 5 years or more to go on lease contracts for huge printer and document systems. No IPv6 firmware updates in the pipeline that I know about.
We never asked that these migrate to IPv6. They are fine with v4.
5) someone else starts getting a bunch of connection attempts....
6) that someone else also runs a mail server, and it's replying "no such domain / user", and sender receives a bounce message
This is *NOT* a bug. You should *always* check the full fingerprint. If it happens that gpg fetches 2 keys at the same time instead of just one, then it's not a big deal, since I'm going to check the full fingerprint anyway. People just should be aware of what's going on, and that's why asheesh made this blog post. Note that he did this "trick" to brute-force the GPG UUID a long time ago (he told me about this at debconf11 last summer), but it's nice that he gets exposure through Slashdot.
When you stop and think about it it's pretty dumb to have to install a custom ROM
When you stop and think about it it's pretty dumb to make uninformed remarks about things you have demonstrated to have no knowledge on.
Come on, he is right! It's dumb to have to install a custom ROM because the one you get by default is bloated with crap. It's dumb as well that there's no real official channel to get it (you should trust the "Android scene"... frankly, what's that???). But it's even dumber not to be able to install alternative ROMs at all, like on the iOS platform. Please don't make a competition of who's the loser: the Apple platform is evil and closed, but make no mistake, Android isn't so much better at this game.
I suppose that's why it's awesome that iOS is open-source and a thriving community has grown up around modifying the sources to leave out bullshit like CarrierIQ (which is rolled into iOS BTW). Let me know how those custom iOS roms are working out.
If you want to try determining which of the 2 is the most evil, good luck with that, but without me. I want neither Apple nor Android: I want a fully open platform, not half of the sources when the Google CEO is in a good mood, and yes, I do care about also having things like my GSM stack and device drivers open as well. Installing a random binary blob from someone pretending he has made a nice release of Android for your device is not what I want to use (why should I trust any random forum offering me ROMs?). Because when you're talking about re-flashing an Android device, that's what it is all about.
Moral of this? To fetch my key, use:
gpg --recv-keys 0xE4F0EDDF374F2C50D4735EC097833DC998EF9A49
and not just:
gpg --recv-keys 0x98EF9A49
Doing the former, gpg will download all keys with a fingerprint ending in 98EF9A49, and check which one matches the fingerprint. Bonus point: on top of fetching my key, you'll be doing a fingerprint verification (which is needed anyway) by typing it in entirely on your keyboard.
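The point of the two commands above is that a short key ID is only the last 8 hex digits of the fingerprint, so several keys can share it, while the full 40-digit fingerprint pins exactly one. The following added example (not code from the original comments) shows that relationship and the check a script should do after a fetch: parse the `fpr` records of `gpg --with-colons --fingerprint` (the fingerprint is field 10 of such a record) and accept the import only if exactly one key has the expected fingerprint. The first fingerprint is the one printed in the comment; the second key, its colliding fingerprint and the whole colon-format sample are constructed for this example.

```python
import re
from typing import List

# Fingerprint exactly as printed in the comment above
# (the double space in the middle is how gpg prints it).
WANTED_FPR = "E4F0 EDDF 374F 2C50 D473  5EC0 9783 3DC9 98EF 9A49"

# Constructed sample of `gpg --with-colons --fingerprint` output after a
# `gpg --recv-keys 0x98EF9A49` that pulled in two keys sharing the short ID.
# The second key is invented for this example. Only the `fpr` records are
# parsed; the pub/uid lines are here just to show the shape of the output.
SAMPLE_COLONS_OUTPUT = """\
pub:-:4096:1:97833DC998EF9A49:1300000000:::-:::scESC::::::::
fpr:::::::::E4F0EDDF374F2C50D4735EC097833DC998EF9A49:
uid:-::::1300000000::XXXX::Real Key <real@example.org>::::::::::0:
pub:-:2048:1:89ABCDEF98EF9A49:1300000000:::-:::scESC::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF98EF9A49:
uid:-::::1300000000::XXXX::Colliding Key (constructed) <fake@example.org>::::::::::0:
"""


def _strip_hex(value: str) -> str:
    """Remove spaces and an optional 0x prefix, upper-case the rest."""
    compact = value.replace(" ", "").upper()
    return compact[2:] if compact.startswith("0X") else compact


def normalize_fingerprint(fpr: str) -> str:
    """Accept only a full 40-hex-digit (160-bit) v4 fingerprint; reject key IDs."""
    compact = _strip_hex(fpr)
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a full 160-bit fingerprint: {fpr!r}")
    return compact


def short_key_id(fpr: str) -> str:
    """The 32-bit short key ID is just the last 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def long_key_id(fpr: str) -> str:
    """The 64-bit long key ID is the last 16 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def fingerprints_from_colons(output: str) -> List[str]:
    """Collect field 10 of every `fpr` record in --with-colons output."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def keys_matching_key_id(output: str, key_id: str) -> List[str]:
    """All imported keys whose fingerprint ends with the given short or long key ID."""
    suffix = _strip_hex(key_id)
    return [f for f in fingerprints_from_colons(output) if f.endswith(suffix)]


def select_key(output: str, wanted_fpr: str) -> str:
    """Pin the key: exactly one imported fingerprint must equal the expected one."""
    wanted = normalize_fingerprint(wanted_fpr)
    matches = [f for f in fingerprints_from_colons(output) if f == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected one key with fingerprint {wanted}, found {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    sid = short_key_id(WANTED_FPR)
    ambiguous = keys_matching_key_id(SAMPLE_COLONS_OUTPUT, "0x" + sid)
    print(f"keys sharing short ID {sid}: {len(ambiguous)}")
    print("pinned by full fingerprint:", select_key(SAMPLE_COLONS_OUTPUT, WANTED_FPR))
```

In a real script the sample string would be replaced by the captured output of `gpg --with-colons --fingerprint <fingerprint>` after the `--recv-keys` call; `normalize_fingerprint` deliberately refuses anything shorter than 40 hex digits so that a short or long key ID cannot be passed where the full fingerprint is required.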
Yes, it's easy to say "don't buy this product", but then what to buy? Certainly, I won't buy a Windows phone. I don't like Android, hated the CarrierIQ story, and think that Google is as evil as Apple. What's remaining? Looks like I'm going to keep using my n900; let's hope it doesn't fail on me.
If the issue is just plain physical space for putting more HDDs, get one of these Supermicro storage solutions. There are chassis from 15 to 36 HDDs, so take your pick. It will cost "only" a few hundred bucks. Then yes, you don't want this to sit in your main room, it would be too noisy. If there's no humidity in your garage, and it doesn't get too hot in there in the summer, then running a cat6 to it should be fine. If you don't want to change your motherboard right away, then just use the old existing one you have for the moment; any ATX board will fit in anyway.
Then just tell what websites you're hosting with them...
What if he was working for FDC Servers...
That's my company, but since you're also doing some self-advertising ... you might also wanna add gplhost.com. :)
Would you mind telling us, as proof you aren't a spammer/advertiser, what domain name you host with them?
Please don't write "the government", and think about the fact that China has a governmental SSL certificate organization that has already been caught doing man-in-the-middle attacks with illegitimate certs. There are so many certification organizations these days that I wouldn't consider it safe. The PGP key thing solves the issue since you can verify fingerprints (in fact, you always should).
There's nothing wrong with using self-signed certs, if you check the fingerprint of the certificate by hand. But I guess you just gave your peers the server address, and they blindly accepted any certificate. Not every email client would even show you the certificate fingerprint before the first connection, and I don't know any that would prompt you with a dialog box when your server's cert is replaced (the way Certificate Patrol does...).
So with all this in mind, it would be trivial for a government administration to do a man-in-the-middle attack, which is totally impossible if you use GPG and manual checks of fingerprints (which is why you should print the fingerprint of your GPG key on your business card).
The subject of the post was "Secure within a single server" and I noted that I have friends and family who have accounts on my server.
How exactly are your family and friends trusting your TLS connections? Did you go and hand them your CA cert? Or did you just register a certificate, trusting the ever growing number of organizations issuing them?
You mean my private key? Yes, right, hang on a moment, let me paste it here...
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

/NH1IpCa6PhvhdDKTm93PmnFV5bSIIHhQ/FV9eafd1GEv9z/AvVbb4pw9zgpyK1L
=8z8H
-----END PGP MESSAGE-----
Firefox is open source, yes? And so is Chrome, I believe? Also Opera?
We're talking about MAIL here, why do you put browser names here? And no, Opera isn't open sourced.
Don't these projects have an E-mail reader as part of their offering?
apt-get install enigmail, which is what I use. It's also available as a standalone extension if you don't have an operating system that uses packages (in that latter case, shame on you; anyway you aren't safe...).
All we need is for one of the major browsers to choose an encryption standard and bundle it with their reader, and include a checkbox in the sender that reads "let others read this message" or similar wording.
If you mean having a gpg key generated automatically at the first startup of the email client, then at least silently signing outgoing messages with that key, I think that would be a very good idea indeed.
Also, there's a javascript library implementing the GPG protocol (see /. history), so it should even be possible to do it by default on a webmail. Squirrelmail has a module for GPG, but I'm not a fan of uploading my private key to the server (which is also the reason why that package has never made it into Debian).
But no, developers don't like to make the decisions. They like to be consulted by the people who *do* make the decisions ("SOPA is supported by people who don't know how the internet works"), but they don't actually want to *make* the decisions.
If you care that much, I would suggest you file a bug in the relevant bug tracking system (Mozilla uses Bugzilla...) to make plugins like enigmail part of the main project. That's a better place to complain than /.
Just use talk over ssh then...
I run my own mail server. Anyone connecting to it over the Internet must use an encrypted connection for receiving or sending mail; I don't even open the insecure ports in my firewall.
Then you didn't understand how STARTTLS works (hint: it can also be on port 25).
So, when I send email to family members who are using my server, my email is encrypted while going onto the server and being pulled from the server.
Your mail is encrypted for PART of the transport (in fact, for the part that you control). But that's it. It may have been sent to you over a non-SSL webmail, for example. And you must be sending it to a 3rd party that will read what you sent unencrypted anyway. That kind of encryption is useless, because it's not end-to-end.
This doesn't solve the general problem but it is better than having only insecure email.
IT IS insecure the way you use it. The fact that you think it is safe is even more dangerous, because it is not.
Privacy isn't about secrecy. Privacy is about choosing what you want to be disclosed, and to whom. Jonas once posted his social security number on his personal website just to make that point clear. So your question has no meaning, because the reason why we are using GPG isn't only for the security of valuables, but because we care about privacy, and about being (technically) able to make sure everyone will respect it.
Also, GPG isn't only about encryption, it's also about authentication. See above: someone could verify that I was the real sender, and it proved my identity. In Debian, we sign every package that we upload with our GPG key, to make sure that we are who we claim to be, and that we have previously been allowed to upload. We also use it for voting when there's a DPL election every year, or when we want to change the Debian constitution (that vote would be called a "general resolution").
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Like every of the ~800 Debian developer in this world, I do use
encryption, and know how to handle PGP keys. My private key is encrypted
in a dm-crypt partition of 2 of my laptop, and I have a revoke
certificate handy burnt on a CD. My GPG fingerprint is also written on
my business card, so that everyone who I met can fetch my private key
from any of the major key servers, and check its fingerprint. My public
key is signed by about a dozen different people, mostly other Debian
developers, which is a strong "web of trust". If everyone was printing
his GPG key on a business card, I could also send encrypted emails, but
I've seen only other DDs doing it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEAREDAAYFAk7wBSAACgkQl4M9yZjvmklYVACfXYV3ncJnZuKosZJ8k0ZSzc3t
SpQAn0eYtQCIrQeTcBgA1b+Yz58OVqCJ
=EQHO
-----END PGP SIGNATURE-----
Wouldn't Oracle want to have their platform deployed as widely as possible?
What Oracle wants is money; they don't care about anything else. The new license forced Debian to stop distributing Oracle Java from the non-free repositories, so I'm not surprised this happens to Canonical.