Slashdot Mirror


User: Kent+Recal

Kent+Recal's activity in the archive.

Stories: 0 · Comments: 1,436

Comments · 1,436

  1. Re:Let governments handle SSL on Do the SSL Watchmen Watch Themselves? · Score: 1

    I take it you have never ordered an SSL certificate at a shop like RapidSSL, InstantSSL and their ilk?
    If your definition of trust translates to "owns (or stole) a credit card" then yes, today's PKI is perfectly fine.

  2. Re:Let governments handle SSL on Do the SSL Watchmen Watch Themselves? · Score: 1

    Claiming that such a scenario would be "trivial" for a government or anyone else is just nonsense.
    The government does not own DNS, nor does it own the ISP pipes. If they want to go to such lengths as to fake a CA they can just as well rubberhose a privately owned CA into doing it for them today - and it would probably be much cheaper on a per-case basis than permanently maintaining the required infrastructure themselves.

    Furthermore, what interest does the government have in snooping on our online banking and online shopping sessions on a broad scale?
    If you take your tinfoil hat off for a second you'll probably realize: None, zero. They can get all the information contained in these transactions for much cheaper after the fact, if they feel so inclined.

    Oh, and the real terrorists and organized criminals are probably smart enough to not rely on an American CA either way... This whole discussion is just way beyond the point.

    Let's take a look at reality, January 2009:
    The very real problem that we have today is that the privately owned CAs are happily handing out certs to anyone who transfers a few dollars to them - no questions asked. The reason for this is simple: They must sell as many certs as possible - or they go out of business. In order to achieve that goal they have to "streamline" the process of obtaining a cert as much as possible, up to the point of compromising trust because no meaningful checks are performed.

    A government CA on the other hand would not suffer from this conflict of interest. In fact, the opposite is true: Governments have a vested interest in providing a secure eCommerce infrastructure to their citizens because that translates to more money spent on the internet and more tax dollars to collect. When you lose money to the Russian Business Network in a phishing attack then the government loses money, too. A private CA doesn't care about phishing attacks because by the time that happens they have already sold two certs; one to you and one to the phisher.

    And please don't sing the fairy tale of CAs going out of business when they issue certs to phishers.
    VeriSign has issued a spoof cert for microsoft.com and last time I checked they were still in business. Spoofed certs for lower profile targets (i.e. your friendly online shop) can be had with little effort as the CA standards are sinking constantly.

  3. Re:Let governments handle SSL on Do the SSL Watchmen Watch Themselves? · Score: 1

    I am utterly certain that they will issue any number of falsified certificates enabling them to intercept and MITM any SSL communication they want to.

    Well, if that is your concern then you are just utterly clueless about how SSL works.
    The CA can not spy on your SSL traffic, no matter how much they want it.

  4. Re:Let governments handle SSL on Do the SSL Watchmen Watch Themselves? · Score: 1

    Would you care to elaborate on how a private company is supposed to compete for trust and profit at the same time, without sacrificing one for the other?

    Oh and btw: A governmental CA can not be used to "spy" on anyone. Put down the tin foil...

  5. Re:That is a technical problem on Do the SSL Watchmen Watch Themselves? · Score: 1

    No and yes. I think both of you are making great points.

    The flags are a great idea because they give the users who care a meaningful tool to assess the trustworthiness of the site at hand.
    Knowing the country of origin is much more meaningful than an anonymous padlock.

    Saving the cert fingerprint and raising an alarm on change is not even a great idea by any means - it is just obvious, absolute baseline stuff.
    The Mozilla guys are seriously humiliating themselves by fucking up the SSL handling even more instead of fixing the fundamentals...

  6. Re:Let governments handle SSL on Do the SSL Watchmen Watch Themselves? · Score: 1

    So you trust your government less than a random company that has bought its CA status with money?

  7. Re:Read as: "We've got tons of talented engineers. on Google Wants You To Be Its Unpaid Muse · Score: 1

    Google Maps/Google Earth, Google Docs, Google Mail, Google Calendar, Android, Picasa, YouTube, Google Talk, Google Gears, AppEngine...

    Obviously everything (not only Google's products) is related to search to some degree, but saying that all of the aforementioned are "entirely related" to search is just nonsense.

  8. Re:Kinda harsh... on MPC Computers Shutting Down · Score: 1

    No worries, the termination of expired human capital is fairly streamlined nowadays.
    At first they make all but one employee jump off the building. The remaining employee will then clean up the mess and finally jump (along with the gore in a zipbag) into the crunch gears of a rented garbage truck.

    Admittedly, the rental of that garbage truck (1 day) and those zipbags are still a cost factor, but they're working to optimize that further (experiments with paperbags are being carried out as we speak).

  9. Re:Read as: "We've got tons of talented engineers. on Google Wants You To Be Its Unpaid Muse · Score: 1

    What a truckload of nonsense.
    Google has quite a few serious products lined up next to search and if you look really hard even you may be able to find them.

  10. Re:No addons, No chrome on Google Tells Users To Drop IE6 · Score: 1

    As long as it's not as slow and memory hungry as Firefox I'll.. oh, wait.

  11. Re:Advertiser versus advertiser on Google Tells Users To Drop IE6 · Score: 1

    Can you imagine major sites doing that now?

    Yes, I can. Only this time the message is "IE6 is not supported, please upgrade to Firefox" and this time the message is a good thing.

    Google stepping forward and banning IE6 is an all-year Christmas present to millions of web developers around the world. Can you hear the collective sigh of relief? Now that a major website has locked out the beast we can do the same without worrying too much. Google can't be ignored; IE6 market share will drop dramatically into insignificance over the next months.

    Thank you Google!
    I'll buy an Android as soon as I can afford it, promise.

  12. Re:Advertiser versus advertiser on Google Tells Users To Drop IE6 · Score: 1

    I somewhat doubt that a hosts file can be nearly as effective as adblock.
    Who maintains it, how often do you update it (manually)?

    Yes, a hosts file is a good start and may take some of the pain away. But why bother with a half-baked kludge when you can have the real deal, ad-free surfing, for free as in beer?

  13. Re:There is only one keyboard on The Best Keyboards For Every Occasion · Score: 1

    Just to provide a counter-example: I had a Model M and it died.
    Well, it didn't die entirely, but I bought it second hand, it worked for about a year and then the right shift key stopped working.

    I disassembled the beast, cleaned it, but the bug didn't go away - the spring mechanism worked fine and was making contact, it just didn't send a keypress.
    It was manufactured in 1991 I think.

  14. Re:And the point of these laws is? on The Slippery Legal Slope of Cartoon Porn · Score: 1

    I don't have a child, you insensitive clod.

  15. Re:So once the big guys are down... on Google, Apple, Microsoft Sued Over File Preview · Score: 1

    I didn't say that this is an ideal situation. I just said that this might be the situation that we're getting into if stupid lawsuits like this would succeed. And frankly, even if we end up there - it could be worse.

    As you explained yourself, Linux already *is* about downloading all the little extras individually and will probably stay that way anyways.
    You get a robust core distro and powerful tools to customize and extend it according to your wishes. This is not necessarily a drawback against the commercial OSes; in fact it's a big selling point to many of us.

    Moreover the metaphorical Grandma is not the target audience, never will be.
    The typical grandma doesn't go to a shop and buy a computer or think about things like "trying out a new operating system". She delegates all these tasks to a younger relative, and if this relative chooses Linux for her then he likely also knows how to make such a system usable.

  16. Re:So once the big guys are down... on Google, Apple, Microsoft Sued Over File Preview · Score: 1

    Sure, that option is also possible but I tend to believe that for a feature as popular as thumbnail previews, word of mouth would work quite well.
    The information about how to install the required patches would quickly propagate across all the newbie-forums, howtos and other resources.

    Keep in mind how newbies are introduced to Linux: Either through a friend or through some sort of "trying out Linux" article.
    Both sources will likely introduce the step of "and then install X and Y for bling, because some asshole sued over it in 2008".

  17. Re:So once the big guys are down... on Google, Apple, Microsoft Sued Over File Preview · Score: 4, Interesting

    Steps 3, 4 and 5 do not involve Canonical, Debian or any other distro.
    The DEBs and RPMs could be hosted anywhere and if they sue the hosters then the packages will just move to bittorrent and p2p.

    That's the beauty of OSS at work here. You cannot effectively ban a piece of software that many people find useful.

  18. Re:So once the big guys are down... on Google, Apple, Microsoft Sued Over File Preview · Score: 3, Interesting

    Interestingly if this would pass (which I strongly doubt) and MS, Apple etc. were required to remove the previews - then Gnome, KDE would benefit from that.

    It kinda works like this:

    1. Idiot sues Apple
    2. Apple must remove the previews

    1. Idiot sues MS
    2. MS must remove the previews

    1. Idiot sues Gnome Foundation etc.
    2. Gnome, KDE etc. must remove the previews
    3. One day later an unofficial patch pops up somewhere
    4. Two days later that same patch is wrapped up into RPMs, Debs etc. for one-click install
    5. Due to popular demand this patch is continuously maintained

  19. Re:So... on RIM Accuses Motorola of Blocking Job Offers · Score: 1

    We have similar "No-Compete" clauses in our contracts here.
    They basically say that we are not allowed to enter competition with our (then former) employer for 5 years after the employment has ended.

    Is such bullshit even enforceable anywhere in the world?
    I mean it's obvious that I cannot work at, say, Motorola, take a blueprint from them and start selling a knockoff later.

    But I don't see why I shouldn't be allowed to start my own mobile phone business after having worked in one.

  20. Re:Notification for everything on Interesting Uses For a USB LED Screen? · Score: 1

    Well, 20MPH on snow means a braking distance of about 8 car lengths - easily more if you're unlucky or have your fat cousin on the backseat.
    If you really think that entrances are the only possible obstacles on a freeway then well, I can only hope we'll seldom drive on the same freeway in bad weather...

    And yes, common sense obviously applies. On a sunny day there is no reason to go slow on a freeway. But people overestimating their own capabilities and underestimating physics are the primary reason why you see so many of those funny domino-accidents in the winter.

  21. Re:Notification for everything on Interesting Uses For a USB LED Screen? · Score: 1

    drive 20 MPH on the freeway because it snowed half an inch are morons.

    Welcome to my "famous last words" cookie jar.
    Some of those snails may in fact be smarter than you and live longer. The way you are talking indicates that you have probably never had to perform a full-brake on snow. I'd suggest you go and attend an advanced driving class someday, the only way to grasp these things is to actually do them once (not on a public street, please).

    The short version is: Your traction on snow, even "only half an inch", is unpredictable. 5 seconds ago you may have been driving on a fresh snow carpet with good traction but right now you're riding on an area that recently froze over. You never know, your car doesn't tell you and you only notice when you have to hit the brake - which is a tad bit too late.

    Trust me, the moment you hit the brake and realize it does nothing is a very sobering one. Experience that once and you may understand the 20MPH guys a bit better in the future.

  22. Re:In favour on Shuttleworth Proposes Overhaul of Desktop Notifications · Score: 1

    Thank you, your post was successfully saved. I and others have read it already and more people will be able to read it in the future.

  23. Re:OK, which CA must leave the trusted list? on Perfect MITM Attacks With No-Check SSL Certs · Score: 1

    Well, yes, you and a few hundred other nerds will do that.
    Probably close to the number of certs that Comodo issues per hour...

    Nobody, not Comodo nor anyone else will ever notice a "stain".
    Mass effects just don't happen on such events. There have been much worse security bugs in Internet Explorer and Windows - people don't care.

    As for "erasing the stain": There is no way. A revocation is final; they can beg for forgiveness all day.
    And there is a damn good reason for revocations to work that way: Their CA is tainted now and can never be trusted again.

    They could have issued certs for amazon.com, yoursite.com, citibank.com etc. and every browser in the world will trust these certs until they expire or until the certificate chain is broken by revocation. Do you know what the maximum expiry for these flawed Comodo certs was? Me neither. Could be 3 years or 10 years. Plenty of time for some nice phishing.

    But no worries, we won't see a revocation. Comodo would go out of business if they invalidated the certs of millions of customers. They'll certainly spend some money to avoid that, if needed.

  24. Re:it's amusing in its naivete on NSA Patents a Way To Spot Network Snoops · Score: 1

    Well, I'm following up on this exactly because your know-it-all attitude is annoying me.
    Don't let my naivety stop you, feel free to elaborate on your armchair worldview a bit more.

  25. Re:Really now. on Perfect MITM Attacks With No-Check SSL Certs · Score: 1

    Pisses everyone with self-signed certs off.

    And is perfectly backwards, as far as I am concerned.
    Browsers should display a warning dialog for *every* cert that is encountered for the first time, something along the lines of "This site wants your trust, please check the cert details carefully before accepting".

    Being issued by VeriSign or Thawte doesn't make a cert any more trustworthy in my eyes.
    They have issued forged certs for microsoft.com and such before and it will keep on happening. It can happen to my or your online banking site just later today, who knows?

    What I want from my browser is to warn me when a site that I previously added to my trust-list suddenly *changes* its cert. None of the major browsers do that as far as I know. As long as the new cert is signed by one of the so called "authorities" it'll just happily let me send my data to whatever phishing site without the smallest warning dialog...
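The behaviour asked for in comments 5 and 25 (remember a site's certificate fingerprint, warn when it changes even if the new cert carries a trusted CA signature), written here as an added Python example; it is not code from Slashdot, Mozilla or any browser, and the host names and certificate bytes it uses are constructed placeholders.

```python
"""Trust-on-first-use (TOFU) certificate pin check.

Added example, not part of the original comments: remember the leaf
certificate fingerprint the first time a host is seen and flag any later
connection presenting a different one, regardless of who signed it. The
certificate bytes in the test are constructed placeholders, not real DER.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional

FIRST_SEEN = "first-seen"  # no pin yet: record it, let the user inspect the cert
MATCH = "match"            # same leaf certificate as last time
CHANGED = "changed"        # different certificate: warn, never continue silently


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the value browsers show as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-host fingerprint pins, optionally persisted to a JSON file."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        """Compare the presented certificate with the pin recorded for host."""
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self.save()
            return FIRST_SEEN
        if pinned == fp:
            return MATCH
        return CHANGED  # old pin is kept; only accept_new() may replace it

    def accept_new(self, host: str, der_cert: bytes) -> None:
        """Replace the pin after the user has inspected and approved the new cert."""
        self.pins[host] = fingerprint(der_cert)
        self.save()
```

A CA-signed replacement cert is reported as CHANGED exactly like a self-signed one; the CA chain check is deliberately not part of this decision.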