Slashdot Mirror


User: heypete

heypete's activity in the archive.

Stories: 0
Comments: 672

Comments · 672

  1. Re:Hey look, a StartCom Class 1 cert. on SEO Via DNS "Piggybacking" · Score: 1

    What does it matter if it's free or not? They do the same "domain validation" that is common amongst paid CAs, and basically used for most everything except EV certs. At least StartCom puts their Class 1 certs under a specific intermediate root that you can choose to not trust if you wish, as opposed to how a lot of other CAs do it.

    Should CAs do more thorough validation? No doubt. I'd like to see them do away with DV certs (or at least have browsers display different trust indicators). That said, validation isn't always a function of the purchase price.

    Disclaimer: I'm a StartCom customer, went through StartCom's Class 2 verification, and use their Class 1 and 2 certs for a few minor services.

  2. Re:Adds to greenhouse problem on Wikimedia Foundation Enables HTTPS For All Projects · Score: 4, Informative

    Not much:

    In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

  3. Re:to the cloud! on Ask Slashdot: Best Long-Term Video/Picture Storage? · Score: 1

    While it may be expensive and tedious for an individual to purchase all the necessary infrastructure to provide highly-durable backups of their data, a company like Amazon can design such a system, sell access to customers, and have them all benefit from their system. When Amazon is buying hard disks by the truckload and spreading the costs out over a large userbase, the cost-per-user is quite low.

    For example, according to its website, "Amazon S3 PUT and COPY operations synchronously store your data across multiple facilities before returning SUCCESS. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy. Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data. In addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data."

    They claim to be able to offer 99.999999999% durability of an object over one year (they provide the example where if one stores 10,000 objects, with 99.999999999% durability per-object-per-year, then one could expect to lose one object every ten million years).

    I can't imagine setting up such a system on my own. Why wouldn't I want to benefit from someone else's hard work?

  4. CrashPlan on Ask Slashdot: Best Long-Term Video/Picture Storage? · Score: 4, Informative

    I'm a fan of CrashPlan -- it can handle backups between different local media (e.g. from one hard disk to another), between one computer and another, between your computer and a friend's computer, and between your computer and their online storage service. In all cases, your data is encrypted so that the other party (be it the second computer, your friend, or the online service) has no access to your data.

    One of the features I like is that the software does regular integrity checks on the backed-up data. Still, if the original data is corrupted, the software will dutifully back up that corrupted data, so that won't help you much.

    If they're important family photos, I'd keep the files on at least two local drives, as well as remote backup using something like CrashPlan. If you're particularly concerned, you might keep the photos on Amazon S3 -- they claim their storage infrastructure is highly durable and reliable, which could be beneficial.

  5. Re:Pay to call, not to receive. on Congress May Permit Robot Calls To Cell Phones · Score: 1

    Fair enough. Perhaps my price experience is skewed by the pricey Swiss networks, though I've made it a point to look at the various phone plans available in all the countries I visit.

    Fortunately, the only calls I really make are to my wife, who's also here in Switzerland with me. Her calling habits are much the same, as we use Google Voice, Google Video Chat, or Skype to contact friends and family back in the States. Our CHF 20 (each) prepaid credit on the aforementioned MVNO is likely to last us a while.

  6. Re:Pay to call, not to receive. on Congress May Permit Robot Calls To Cell Phones · Score: 2

    Yes.

    The way the North American Numbering Plan is structured (which is shared between the US, Canada, and a few other countries), there's not really any way to have a separate prefix for mobile phones. Mobiles and landlines are mixed in the same area codes. Thus, calling (000) 555-0111 might go to a landline, while (000) 555-0112 might go to a mobile.

    Since the caller has no idea whether or not the recipient is on a mobile with this numbering plan, it wasn't possible to introduce the European-style billing model.

    That said, as an American living in Europe, I admit to having a bit of a preference for the US model: it seems that the European mobile companies (or at least those I've used in Switzerland and Germany) charge significant rates for a mobile user to call a number on other domestic mobile carriers (on the order of $0.40 USD per minute in Switzerland depending on carrier, a bit less in Germany), and lower-but-still-steep rates (about $0.20-$0.30 USD per minute) to call landlines. Landline-to-mobile calls are about $0.35/minute.

    All-inclusive unlimited mobile subscriptions on the various Swiss carriers are about $150-$180/month, depending on carrier. The same in the US is about $50-$70 the last time I checked.

    With several US carriers, in-network calls (that is, calls to other mobile users on the same carrier) are unlimited and without charge, while on at least one carrier (Sprint), calls to all mobiles, regardless of network, are unlimited. I haven't found anything like that in Switzerland -- the closest I've gotten is CHF 0.05/min (about $0.06 USD) for in-network calls on an MVNO.

    Yes, it may be somewhat unfair for a US mobile user to have to pay to receive calls, but I've found the overall cost for mobile service in the US to be much less expensive than in Europe. That said, my experience has primarily been with Swiss mobile phone service, and it's my understanding that the cost in Switzerland is a bit more than in other European countries.

  7. Re:And? This shouldn't be a surprise on HideMyAss.com Doesn't Hide Logs From the FBI · Score: 1

    I was thinking more of the "stealing the content" type of illegality. Since I continue to pay for it, I don't think that is an issue. I'm not a lawyer, so I could very well be breaking some law somewhere. Mea culpa.

  8. Re:They can't find you if.... on HideMyAss.com Doesn't Hide Logs From the FBI · Score: 1

    Perhaps not, but if this is something that you do on a regular basis, they can see a pattern.

    Perhaps I haven't been going to the right places, but most public hotspots I've seen (outside of travel centers, like airports) have only had a few people using laptops at any given time. The number has decreased since smartphones have become more popular.

  9. Re:They can't find you if.... on HideMyAss.com Doesn't Hide Logs From the FBI · Score: 1

    Why not? What prevents the authorities from determining that the traffic in question came from that hotspot at a particular time, and then subpoenaing the security camera footage from that time? If you're within wifi range, you're almost certainly within range of the cameras covering the interior and exterior of the business.

  10. Re:And? This shouldn't be a surprise on HideMyAss.com Doesn't Hide Logs From the FBI · Score: 2

    I've had good luck with StrongVPN and their L2TP/IPSec VPN service.

    I'm in Switzerland and connect to a Washington DC server (low latency from Europe to the US East Coast). The only connectivity problems I've had were related to the spotty wifi environment in the temporary place I'm presently living in (shared wifi between about 30-40 people) until I move into my private, long-term apartment in a week.

    Setup was trivial, and so far connections have been limited only by my local connection speed.

  11. Re:And? This shouldn't be a surprise on HideMyAss.com Doesn't Hide Logs From the FBI · Score: 2

    It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN.

    Indeed. I use a similar service for accessing various online services (e.g. Netflix, Pandora, etc.) that are geographically limited to the US (or at least to US+Canada) while I'm in graduate school in Europe. Nothing illegal about that, and I wouldn't be surprised if the VPN provider kept detailed logs.

  12. Re:Comodo on DigiNotar Goes Bankrupt After Hack · Score: 4, Informative

    That, and Comodo's core infrastructure (e.g. the stuff that actually does the signing) wasn't compromised.

    The attacker used the compromised third party to issue certificates through the normal channels made available by Comodo to resellers, so it was possible to determine exactly what certificates were issued erroneously.

    At least that was my understanding of what happened, based on information I read several months ago.

  13. Re:Linux? on RMS: 'Is Android Really Free Software?' · Score: 1

    Doubtful. Does Android have GNU stuff in it, or is it just a modified Linux kernel?

  14. Re:I use SpiderOak on Ask Slashdot: Network Backup Solution Out of the Box? · Score: 1

    I second CrashPlan. I've used it for years, and it's worked quite well. No problems restoring all the data from backup after my laptop got stolen.

  15. Re:speculating about the real purpose on 5 Years In Prison For Selling Fake Cisco Gear · Score: 1

    Conveniently Russia and NATO subs used exactly the same docking rings on their hatches too, iirc.

    I thought that was intentional, to aid in undersea rescue by a DSRV (and their successor craft).

  16. Re:If you ask nicely enough... on Mozilla Asks All CAs To Audit Security Systems · Score: 2

    Indeed, it does suck.

    Nevertheless, if the CA fails an audit, they *should* be removed (perhaps after a reasonable time to resolve the problem and get re-audited, if the problem is not too serious).

  17. Re:User ignorance on Are Some CAs Too Big To Fail? · Score: 1

    Sure, the revocation process could use some improvements (I'd really like to see browsers hard-fail if OCSP doesn't work, or at least display a warning to the user that the certificate's validity could not be checked and to treat the connection as suspicious).

    That said, there are a number of scenarios where certificates need to be revoked where the CA itself was not compromised. Having a CA that's able to revoke certs is valuable in such situations.

  18. Re:The US Post Office had a plan... on Moxie Marlinspike's Solution To the SSL CA Problem · Score: 1

    Interestingly enough, the Swiss Post Office provides that same service. One goes to the local post office, shows a valid ID card/passport for identity validation, and can then apply for the certificate (contained in a smartcard, smartcard-on-a-USB-stick, or the "SwissStick" [which has a built-in browser and some other tools]).

    The certs chain back to SwissSign, a widely-deployed CA owned by the Swiss Post Office.

    I have no idea how widely used such certs are in Switzerland (I only moved here a month ago), but it still seems like a good idea as post offices are available in essentially every town, so validation is easy (compare to finding notaries for the now-defunct Thawte client cert system outside of major metro areas).

    If the US Post Office offered such services at a reasonable cost, I would definitely get such a cert. The US State Department would also be a good choice for an issuer, as they already process passport applications (which requires identity verification) so a similar process could be done for certificates as is done for passports.

  19. Re:User ignorance on Are Some CAs Too Big To Fail? · Score: 1

    CA-issued certs, even free ones from StartSSL and cheap ones from GoDaddy, have the advantage of being revocable. Nearly all the self-signed certs I've encountered lack a CRL or OCSP responder. This is a Bad Thing.

  20. Re:Steam policy on account bans on AMD Accidentally Leaks 1.7 Million DiRT 3 Keys · Score: 1

    My understanding (based off of a friend who had an account banned because he was using various cheats in online multiplayer games on Steam) of the situation is that you can still play games in your account. However, you cannot play on any "Valve Anti-Cheat"-enabled multiplayer server (which is nearly all of them).

    I'm not sure if the penalties are different for attempting to pirate things with Steam.

  21. Re:Weakest link on (Possible) Diginotar Hacker Comes Forward · Score: 1

    SSH is not as widely used by the general public, who has little knowledge of security, and wouldn't know how to verify a key fingerprint (or understand why they needed to do so) if asked.

  22. Re:Weakest link on (Possible) Diginotar Hacker Comes Forward · Score: 1

    You are, I trust, aware that there are CAs out there that offer free (or very nearly free) certificates that are widely trusted by browsers, and so won't annoy users with annoying warnings. Why not use those?

  23. Re:Certificates try to solve 2 issues. on Rogue SSL Certs Issued For CIA, MI6, Mossad · Score: 1

    Microsoft and Mozilla's Brain dead Idea of putting HUGE warnings up for "Self Signed Certificates" means that people cannot just choose security

    And "security" is meaningless if one is connecting to a MITM with a self-signed cert. That's why CAs (or other validation schemes) exist: to show that a third-party has also verified that the organization presenting the cert is the intended organization. It's not perfect, but it beats having no third-party validation.

    By using "Authority" signed Certificates people are "Trusting" someone else to secure their data. - and paying a large(ish) sum of money for this service.

    GoDaddy charges about $13/year for domain-validated certs with a discount code. StartSSL doesn't charge anything for DV certs. I'd hardly consider that a "large(ish)" expense.

  24. Re:Certificates try to solve 2 issues. on Rogue SSL Certs Issued For CIA, MI6, Mossad · Score: 1

    The red "x" is the site's favicon, not an SSL indicator.

  25. Re:Not true. on Justice Dept. Files Antitrust Complaint Against AT&T and T-Mobile Merger · Score: 1

    Prepaid != No Contract.

    T-Mobile used to offer subscriptions that were, for example, $50/month for the two-year-contract plan and $40/month for the no-contract plan, on the condition that you either used a pre-existing phone or paid full-price for the phone, rather than having it subsidized through the subscription.

    Since there's no need for them to keep you locked to them (e.g. they didn't subsidize the cost of a pricey phone), one would be free to cancel at any time with no early termination fees.