Slashdot Mirror


User: mabu

mabu's activity in the archive.

Stories
0
Comments
1,959

Comments · 1,959

  1. Re:Australia sucks on Free Certificate Authority Unveiled by Aussies · Score: 3, Funny

    Lucky for you America hasn't banned stupidity and ignorance.

  2. Re:Maybe. on Free Certificate Authority Unveiled by Aussies · Score: 1

    You miss an important point. I am running a NoCat authentication gateway which captures all inbound HTTP traffic and directs it to an SSL login page. Let's say that I signed my own cert Snake Oil LTD, so when a user tries to log on for the first time they have to accept my cert. They have the option of accepting it for this session only and so they do. The next time they try to log in, someone has set up a rogue AP and directs them to a login page just like mine. If they also signed their cert with Snake Oil LTD and say they are me, the user has no way of knowing that they are connecting to a different web server and enters their login/password, which the rogue operator can then use to log into my network.

    I see what you're saying, but, if you have man-in-the-middle attacks, the legitimacy of your certifying authority is the least of your troubles.

  3. Re:Cry cry cry, certs aren't free. on Free Certificate Authority Unveiled by Aussies · Score: 4, Insightful

    Hmmm, depends. Personally I usually wouldn't be handing my CC number to a company that won't pay for its own cert and is using a shared hosting one, unless I already knew they were OK beforehand.

    First and foremost, the Fair Credit Billing Act of 1976 protects consumers against most credit card fraud, so the whole notion of fraud being a major issue is essentially blown out of proportion. If someone charges something to your credit card, you charge it back and the burden is on the merchant to prove the legitimacy of the transaction or they lose, so there's never been much of a threat for consumers anyway.

    Second, the way things have been going, customers are likely to get better products and services from smaller companies, many of whom may not be that technically inclined but instead tend to spend their energy on providing their core products and services and not running their own web servers.

    Our ISP handles more than US$5M/month in online transactions for many companies much larger than ourselves, and we operate most sites under our umbrella SSL Cert. Never had any complaints.

    The issue is not unlike Paypal. People accept Paypal on their web sites. When you go to complete the transaction, you're switched to Paypal's servers - there's no easy way around that. Consumers are used to this and companies like mine go out of our way to establish our reputation as a trusted provider of solid, secure e-commerce. Clients that use our services benefit from our reputation and performance. Everything works fine.

  4. Re:Maybe. on Free Certificate Authority Unveiled by Aussies · Score: 1

    Yeah, I'm aware of this. It's pretty insidious that the top two certifying authorities are basically the same company, pretending to be separate so that people think they have a choice between #1 and #2.

    If you want to have fun, contact one and rant and rave about the other. For example, contact Thawte and tell them you're sick of Verisign and want to switch to them. They'll play along and never tell you they're owned by the same company!

  5. Re:Cry cry cry, certs aren't free. on Free Certificate Authority Unveiled by Aussies · Score: 1

    You do understand that certs are for far more than online shopping, right? Verified email, for example.

    Long before Verisign, PGP was offering a superior service for identity authentication for e-mail. If that's what you need, you're better off using open source PGP.

  6. Re:Cry cry cry, certs aren't free. on Free Certificate Authority Unveiled by Aussies · Score: 4, Interesting

    Not just anyone can get a CA cert. You have to be a business; I know Verisign wants a copy of your business license, etc. before they even issue you a cert.

    It's not a big deal. It doesn't mean anything. It doesn't offer more security ultimately.

    The majority of e-commerce sites on the Internet are NOT operating under their own certs. Many sites that offer hosted shopping carts use a central SSL server operating under an umbrella cert. Nobody really seems to have noticed, so what Verisign/Thawte are selling is not something consumers really seem to care about.

  7. Re:Verisign/Thawte = mafia on Free Certificate Authority Unveiled by Aussies · Score: 1

    I agree with you.

    This is why I pay the "mafia" their protection money for our main e-commerce web servers. Most consumers just see the dialogue box and conjure up images of their credit card numbers showing up on billboards.

    But we all know why we pay this fee: not to really provide more security or privacy for transactions; to merely keep that paranoia-inducing dialog box from appearing. And it's necessary for e-commerce web sites because most users don't know any better.

    But for non-public sites, like a web-based mail server, we use homebrewed certs and put a message on the web site explaining to users that the dialogue box that pops up doesn't mean the transaction isn't secure; it just means we prefer to sign our own 50-year certificate instead of paying a useless fee to Verisign and getting strip-searched every two years by a company that we feel is less trustworthy than any other.

  8. Re:Maybe. on Free Certificate Authority Unveiled by Aussies · Score: 2, Informative

    Stumbling blocks would be that Verisign would still be the expensive 'gold standard' for quite a while because it's always been compatible from the early days in the most number of browsers,

    Let's qualify this for people who may not understand.

    This new certifying authority will be just as compatible as any other cert. It will still offer as much encryption protection as any cert provided by any authority.

    The difference is that the browser may not be "pre-programmed" to recognize the authority, and will therefore pop up a "warning dialogue box" that says something like "Certificate is signed by an unknown authority". In reality the encryption and transaction is just as strong. It's just that the browser company hasn't been paid a fee to keep the dialogue box from popping up and scaring users into thinking that their transactions are not encrypted.

    So basically, those of us who have used CAs from Verisign are paying a fee to keep a dialogue box from popping up scaring our users, making them think their transaction isn't secure, when it is.

    There is this notion that companies like Verisign/Thawte are charging their outrageous fees for an intangible piece of digital information because they "verify" that the name on the certificate matches name of the web site you're dealing with. Most users wouldn't be conducting e-commerce or secure transactions with a web site unless they were fairly confident who they were dealing with in the first place, so the notion that a cert offers additional security is pretty superfluous.

  9. Small yet BIG differences on Linux vs. Windows: What's The Difference? · Score: 3, Insightful

    It's quite ironic, that one of the nice things about Windows historically was the notion that installation of applications was somewhat standardized: you just run SETUP or stick the disk in and it would automatically install and guide you through the process.

    Nowadays, installing a Windows app is anything but easy; you have to shut down everything on the computer and reboot at least once. Un-installing applications is 'iffy' at best, and if something goes wrong, or you need to migrate to another machine or hard drive, most users have to trash everything and re-install everything from scratch.

    In reality, Unix has become a lot more standardized and consistent in terms of application management, installation and migration. It's really a lot easier now to remove an app from Unix, whereas with Windows, you never know if you could ever remove a program without leaving tons of remnants and agents clogging things up.

  10. Verisign/Thawte = mafia on Free Certificate Authority Unveiled by Aussies · Score: 5, Interesting

    The whole notion that a Cert authority is needed is essentially bogus in my opinion. We've been rolling our own certs for years for all but the main e-commerce web servers. Who wants to pay the outrageous extortion fees Verisign/Thawte charge and jump through the goofy hoops? I bite my lip and do this every two years for the main web server just so my clients don't totally (unnecessarily) freak out at the prospect of a dialogue box popping up in SSL mode warning them that Microsoft's "paranoia-protection-money" wasn't paid-off.

    The Cert authorities are a joke. We registered one CA with Verisign with virtually no documentation, and another time, when renewing an existing, different cert, they demanded everything short of a blood test for "authentication." It's nothing short of criminal considering they charge $200+ for something that takes 10ms to generate that they make people wait weeks for, and in no way guarantees superior security, and they'll make certs for anyone with money so the identity checking is BS and moot.

    I'm all for a free certifying agency, but you can also roll-your-own with OpenSSL.
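    Added example, not part of mabu's comments or any project's code: the mechanism behind the "unknown authority" warning described in comment 8, and the roll-your-own cert from comment 10, done with Go's standard library instead of OpenSSL. A constructed self-signed "Snake Oil LTD" cert fails chain verification against an empty root pool but passes once that same cert is installed as a root, while the SHA-256 fingerprint is what a client can pin after its first acceptance so the look-alike cert in the comment-2 scenario no longer matches. The host name mail.example.com is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// SelfSignedCert issues a self-signed server cert for host (Snake Oil LTD is constructed test material).
func SelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Snake Oil LTD"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(50, 0, 0), // the 50-year cert from comment 7
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedByClient reports whether cert chains to one of roots for host. An empty
// pool is the "unknown authority" case behind the browser warning; the TLS
// encryption would be identical either way. Other failures come back as errors.
func TrustedByClient(cert *x509.Certificate, roots *x509.CertPool, host string) (bool, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return false, nil
	}
	return err == nil, err
}

// Fingerprint is the SHA-256 of the DER cert: what a client can pin after the first
// "accept this certificate" so a look-alike cert from another server no longer matches.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}
```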

  11. best game of this type on In These Games, the Points Are All Political · Score: 1

    The best and funniest game I've ever seen is Bushgame. It's an extensive Flash-based game with tons of educational content. In the game you get to play a host of characters including Howard Dean, Michael Moore, Howard Stern, Rosie O'Donnell and each has special powers to destroy enemies... it's worth playing just to see the special moves each character has... totally hilarious.

  12. DNS-SD on Apple Releases Rendezvous for Linux, Java, Windows · Score: 5, Interesting

    A cursory examination of some of their documents seems to indicate the plan involves what they're calling DNS-SD (DNS-based service discovery) which is a way of encapsulating device id and configuration information within DNS records, and specifically making use of special conventions for TXT data.

    If this is the case, it seems a pretty clever and resourceful approach.

    Then again, this will make DNS servers the main entry point for discovering information about networks, especially information that might normally not be publicly available.

    Personally, I like this approach because far fewer people have access to manage detailed DNS data and may actually be able to manage these things effectively, but there's also a ton of people out there who have insecure DNS information, and adoption of this approach among those admins who haven't secured their networks might create an even bigger security problem.

  13. Re:"Do no evil"? on Affinity Engines Says Google Stole Orkut Code · Score: 1

    I disagree. Churches have a more antiseptic method of distinguishing themselves from "evil" by claiming they have "sinned", which is generally regarded as a reversible type of wrong-doing. In fact the Catholic church has perfected this unique brand of "drive thru evil removal" but it's not "evil", it's "sin". Something entirely different. I've never heard any religious icon refer to themselves or their actions as being "evil" and most church people would distinguish between the two as being different, with sin being forgivable, but evil being a static state. Google's use of the term evil is in the classic sense, that they represent "good" and therefore "evil" is defined by what they decide is different from themselves. The church (and the Bush administration) operate the exact same way: they do no evil. It's those who believe or act differently who are the evil-doers.

  14. Another useless spam idea on Can A Bounty System Cure Spam? · Score: 2, Insightful

    The bounty system presupposes that there will be civil action taken against a spammer in the first place, and those that help will get a reward.

    The problem is, we have hundreds of civil-oriented anti-spam laws on the books that are not being enforced or pursued. It is not economically viable to use the civil courts to attack the spamming industry. The main reason is that it's not cost-effective: good luck finding a lawyer who will take this case, which will cost a lot of money and time up front with no guarantee of a payoff. Second, suing someone in civil court generally works when you can find these people and bring them into court, which is very problematic with spammers, but more importantly, it assumes the spammers have money in the first place, which is pretty doubtful. If spammers were really making lots of money, they'd be more visible than they are - all indications are that most of these people are transient scam artists with very little long-term equity in their possession. So the bottom line is that civil suits have never proven to make any difference in this field. Who's crazy enough to jump on this bandwagon? What has happened to people when they propose ideas that are based on premises that have been shown to be consistently useless and ineffective?

  15. Re:no one knows what they're talking about on EFF, PubPat Each Seeking Some Patent Sanity · Score: 1

    The problem is, patents are being used now as weapons more than they are to protect IP. It would be one thing if the holder of a patent goes after a large company that is infringing, but many of these patent holders are deliberately avoiding infringers who have the resources to invalidate their claims, and instead intimidating smaller operations who will settle instead of going bankrupt trying to defend themselves.

  16. Re:"Do no evil"? on Affinity Engines Says Google Stole Orkut Code · Score: 1

    Usually anybody who dares use the term "evil" has already defined evil as anything anyone other than themselves is susceptible to. See: any church, Bush administration.

  17. rule of thumb on Forward This Article And Get Paid $203.15 · Score: 5, Informative

    I tell everyone, before they forward any of that crap, or virtually anything they deem worthy of sharing, they should first check it against the Urban Legends Reference Pages.

  18. Re:Hope this helps you fix your problems with 0.9 on Firefox 0.9.1 and Thunderbird 0.7.1 Released · Score: 1

    Dude, you rock! That fixed it. Thanks very much!

    This looks like another weird anomaly introduced by Firefox where it still doesn't completely detach hooks to IE/DDE when it takes over file associations.

  19. too late on Telus Puts A Stop To 'Modem Hijacking' · Score: -1, Offtopic

    I'm still not taking that sleazebag ISP out of my RBL. I'm sick and tired of these ISPs not controlling the traffic from their customers, especially in cases where this stuff is so easily managed.

  20. Re:what's scary about IP allocation on Court Says Customers May Take IPs Away From ISP · Score: 1

    When IPv6 comes out, spamming will exponentially increase - I dread the day they roll out the enlarged address space.

    As for these big companies with huge IP blocks, they don't need them. Those large companies should be running VPNs for the most part - having millions of publicly-addressable IP addresses for corporate use is excessive IMO, hat or no hat.

  21. what's scary about IP allocation on Court Says Customers May Take IPs Away From ISP · Score: 2, Insightful

    What's really scary about IP allocation is how many individual corporations have so many IPs.

    It might seem reasonable for IBM and Apple to have an entire Class A, but why do Ford, Eli Lilly, Halliburton, Prudential, GE, and Merck have entire Class A IP blocks when they're not using a fraction of them??? The IP allocation list reads like a who's who of political favors.

  22. Re:holding off on upgrading on Firefox 0.9.1 and Thunderbird 0.7.1 Released · Score: 1

    This bug was introduced in 0.9. The fix can be found here: http://johnhaller.com/jh/mozilla/firefox_bug_246078.asp

    Funny, it wasn't fixed in 0.9.1 apparently, so I guess we can expect another update in the next few days?

    By the way, your patch doesn't seem to be a valid file anyway.

  23. Re:holding off on upgrading on Firefox 0.9.1 and Thunderbird 0.7.1 Released · Score: 1

    Nope, I upgraded to 0.9.1 and had even more problems, which reaffirms that each new upgrade seems to make things a little bit worse. Very frustrating.

  24. Re:Hope this helps you fix your problems with 0.9 on Firefox 0.9.1 and Thunderbird 0.7.1 Released · Score: 1

    Your suggestions helped quite a bit. But now I have another problem due to uninstalling Firefox and re-installing. I hosed the .url file association and when I went to rebuild it, I finally got it to work but I get this message:
    "cannot find the file (url). make sure all the required libraries are available"
    But the funny part is clicking on the URL brings up a browser window and displays the url, but I also get an annoying error box at the same time, and this still doesn't solve the problem with each click of a .url spawning a new browser window when 0.8 would display the link in the active browser window.
    Any ideas? My open command for .url is:
    rundll32.exe shdocvw.dll,OpenURL %l

  25. 0.9.1 screwed up my PC on Firefox 0.9.1 and Thunderbird 0.7.1 Released · Score: 1

    Someone suggested I clear/recreate a profile to fix problems upgrading from 0.8 to 0.9 - I found the link to profile manager just spawned a blank Firefox window (very useful) so I uninstalled all versions and re-installed 0.9.1. Now my PC is completely screwed up and the .url extension is no longer associated with any browser.

    I have been recommending Firefox to all my clients but these later versions seem PLAGUED WITH PROBLEMS! I implore the dev team to test the product thoroughly with Win98 - not all of us are running XP.

    This version is BUGGY!!!!