On Android you just download the cert and there's a setting to add it from a file on disk.
This is correct but not especially convenient for a few reasons. Adding a root certificate to an Android device requires you to set up your device's lock screen a particular way. Others posting comments to this story claim that doing so also produces a persistent warning on the device that your connection may be monitored. And since Android 7 "Nougat", an application won't see user-added root certificates unless its developer opts in to seeing user-added root certificates through the application's Network Security Config file.
Why would you need over twenty people managing over twenty different sub domains?
Because there happen to be twenty users of the same dynamic DNS provider.
Say 21 different users obtain subdomains under dyn.example, and each obtains a certificate from Let's Encrypt for that subdomain. The first 20 in a week will be issued a certificate, one each for foo.dyn.example, bar.dyn.example, etc. But the twenty-first will instead be issued an error message that the rate limit for dyn.example has been exceeded.
I also own my own domain for my business. It's not HTTPS either.... why? Because it's a static information page that gives info on me and my business, what I do and how to get in touch with me and some samples of my work. There are no logins, no user accounts, no private information being stored or asked for. There are absolutely ZERO reasons for me to deal with the hassle of setting up and maintaining
I thought of more than three reasons:
1. Prevent MITM from injecting a Monero mining script into samples of your work
2. Prevent MITM from injecting intrusive tracking for delivery of interest-based advertisements into samples of your work
3. Prevent MITM from injecting a redirect to some madarchod's tech support scam in India into samples of your work
4. Prevent MITM from injecting drive-by downloads of ransomware into samples of your work
Obtaining a Cert every 6 months and having my hosting provider install it for me (since I can't myself, due to the need to have root privileges on the server)
File a support ticket with your hosting provider to offer you an API with which to install a certificate. Then you can set up an ACME client to upload a renewed certificate to that API on a cron job. Also search for competing shared hosting providers that do offer such an API.
This article is spot on, the publicly available portal for sites like Slashdot, news, and Wikipedia and many many thousands of other sites is not required.
For news, it's becoming increasingly common to have to log in as site after site goes behind a paywall due to falling advertisement revenue.
It's not that someone can MITM you on your home LAN. It's that web browsers make no distinction between a home LAN, where a MITM is less likely, and a coffee shop LAN, where a MITM is more likely.
The brochure covers up the fact that a massive "cloud" at one provider doesn't help with the single point of failure that is one provider's automated policy enforcement.
Why is it "getting harder" to host your own solutions?
Many applications are not even available for purchase of a copy to run on your server. Instead, they are available exclusively on service as a software substitute (SaaSS) terms, namely that the application runs on an application service provider's server. One example of these is the server for any major MMO game.
What subscription service would you recommend instead of Patreon?
I am aware of that. The problem is that Let's Encrypt won't issue more than 20 certificates per week for subdomains within the same registrable domain. This means that if 20 other users of subdomains under the same domain also use Let's Encrypt, you will be issued an error message instead of a certificate for your subdomain.
Do you enjoy ads for something you already bought following you around the web? Do you enjoy having your phone's, tablet's, or laptop's battery drained, or the electric bill for use of your desktop increased, by Monero cryptocurrency mining scripts that third parties inject into HTML documents that you view?
The ISP raises the price on paper and then discounts it for the vast majority of users on the condition that they agree to "personalized experience". Almost nobody actually pays the increased sticker price; it's just there to satisfy some regulation.
Web of trust also means that if I trust example.com, I have every reason to place just as much trust in it signing a.example.com.
The next question is how you came to trust example.com in the first place. Is it that you trust com? If so, you've reinvented DANE, and the reason DANE hasn't taken off is registrars dragging their behinds on adding DNSSEC to the zone hosting bundled with a domain name.
I submit that the people who will not run such a thing are exactly the ones who could handle self-signed certs with pinning and a web of trust.
Bingo. You've found the real reason that governments are making travel more of a hassle. It isn't entirely to prevent terrorism against passengers; it's also to make it less convenient to attend key signing parties. Without attending key signing parties in faraway lands, you can't very well make your public key more densely connected in the global web of trust. You end up trusted on an island within bicycle range (that is, your home city) with some bottleneck keys in all trust paths in and out of the city. These bottleneck keys' owners are the key signing jet set, and they might as well be CAs.
You're paying them for a pipe, not a service in exchange for your info.
Then all the ISPs will hike their rates. Those who want a pipe can pay double. Those who want what less technical users are used to would get a 50 percent off discount in exchange for interest gathering and advertisement injection service.
You're proposing a technical solution be imposed on everyone, everywhere to fix a problem (lack of competition allows behaviour customers don't like) with your specific market. How American of you.
How many visas does your country offer to people who seek asylum from the American regime and have work skills?
Public info doesn't require sec? Really, how do you know you are connected to the real site?
In theory, a cipher suite that does signing only and not encryption would allow this. A cipher suite that provides integrity without confidentiality would allow an intermediate proxy on the far side of a harshly metered link to replay the session to viewers behind that link, saving data transfer allowance across that link.
How do you know the info you read is real?
HTTPS does not prevent website operators from publishing fake news.
How do you know someone isn't checking what you read?
Some information, such as the National Weather Service forecast and radar image sequence for the city in which a user is located, is so generic that little information about the user's interests can be gleaned from observing that the user has viewed it. For these, integrity without confidentiality may be warranted. The problem is that current web technology offers no way to provide integrity without confidentiality.
Khyber's claim, as I understand it, is one of two things:
A. Charter has misused a certificate to set up a proxy.
B. Charter is imposing a captive portal on past due subscribers, which causes the web browser to make a cleartext HTTP request to retrieve the network's sign-in page.
The value in tampering with a public domain movie is to insert copyrighted scenes. Then someone who reuses portions of the movie in his own work, thinking it's in the public domain, gets framed for accidental civil copyright infringement. Unlike crimes, torts do not require mens rea (intent, recklessness, or negligence). Besides, thanks to copyright term extensions, I thought public domain movies were undesirable to the majority of viewers because they are silent and in black and white.
What you're ultimately asking for is some means for signing only, as opposed to encryption. This provides an integrity guarantee but not one of confidentiality. But how would this be integrated into web standards?
Nobody's suggesting it's a problem Google won't include search results from your router's configuration page.
The summary mentions not only Search but also Chrome. Chrome makes a policy distinction only between localhost and not-localhost, not between your LAN and the Internet. This is because it assumes your LAN could be a coffee shop WLAN, which ought to be untrusted.
Zero dollars will get you a fully qualified domain from a DynDNS type of service.
If on your first attempt you hit the weekly rate limit for subdomains under a particular dynamic DNS provider, how practical is it to retry at random intervals for upwards of two days, as another Anonymous Coward suggested?
1. Why do you want your printer to show up in Google search results?
The summary mentions not only Search but also Chrome.
2. Do you really want your printer accessible directly over the Internet?
No, but web browsers' enforcement of Secure Contexts policy currently makes no distinction between machines on the LAN and machines on the Internet.
You've spent x$ on the blasted thing, surely them providing a "consumerrouter.netgear.com" domain name (or whatever) with valid cert that is served off the router itself should be included with the purchase price
Which conveniently has a not valid after date 12 months after purchase, once the warranty expires. And now that you're putting the onus on device manufacturers, what cert should someone who builds a NAS out of a Raspberry Pi use?
I use Let's Encrypt on a NoIP domain (DynDNS) without problems
How did you manage to get the request for your subdomain past the rate limit of 20 certificates per registrable domain per week? Has No-IP completed the Public Suffix List add process for all its domains?
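An added example, not part of the original comments: a Python sketch of why subdomains of one dynamic DNS provider share a single rate-limit bucket unless the provider's domain is on the Public Suffix List, as the dyn.example and No-IP comments describe. The limit of 20 per week is the figure quoted in the thread; the rule sets, hostnames, sliding-window accounting and all function names are constructed for illustration and are not Let's Encrypt's code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 20                   # certificates per registrable domain (figure from the thread)
WINDOW = timedelta(days=7)   # "per week", modelled here as a sliding window (assumption)

# Constructed mini rule set in Public Suffix List syntax, not the real list.
BASE_RULES = {"example", "com", "co.uk"}


def registrable_domain(host, psl_rules):
    """Return the public suffix plus one label, or None if host is itself a suffix.

    Implements PSL matching: plain rules, "*." wildcard rules and "!" exception
    rules; the longest matching rule wins and an exception overrides the others.
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 1  # implicit "*" rule: an unlisted TLD is a public suffix
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        if "!" + name in psl_rules:
            suffix_len = len(candidate) - 1  # exception: drop the leftmost label
            break
        if name in psl_rules:
            suffix_len = max(suffix_len, len(candidate))
        if len(candidate) > 1 and "*." + ".".join(candidate[1:]) in psl_rules:
            suffix_len = max(suffix_len, len(candidate))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


class IssuanceLimiter:
    """Counts issuances per registrable domain inside the window."""

    def __init__(self, psl_rules, limit=LIMIT, window=WINDOW):
        self.psl_rules = psl_rules
        self.limit = limit
        self.window = window
        self.issued = defaultdict(list)  # registrable domain -> issuance times

    def request(self, host, now):
        """Return (issued?, bucket) for a certificate request at time `now`."""
        bucket = registrable_domain(host, self.psl_rules)
        if bucket is None:
            return False, None  # cannot issue for a bare public suffix
        recent = [t for t in self.issued[bucket] if now - t < self.window]
        self.issued[bucket] = recent
        if len(recent) >= self.limit:
            return False, bucket  # rate limit exceeded for this bucket
        recent.append(now)
        return True, bucket


def simulate(psl_rules, n_users=21):
    """n_users unrelated users each request one cert under dyn.example."""
    limiter = IssuanceLimiter(psl_rules)
    start = datetime(2018, 1, 1)  # constructed timestamps, one request per hour
    results = []
    for i in range(n_users):
        host = f"user{i}.dyn.example"
        ok, bucket = limiter.request(host, start + timedelta(hours=i))
        results.append((host, ok, bucket))
    return results


if __name__ == "__main__":
    for label, rules in (("dyn.example not listed", BASE_RULES),
                         ("dyn.example listed", BASE_RULES | {"dyn.example"})):
        outcome = simulate(rules)
        refused = [host for host, ok, _ in outcome if not ok]
        print(f"{label}: bucket={outcome[0][2]} refused={refused}")
```

With dyn.example unlisted, every user lands in the one bucket `dyn.example` and the twenty-first request is refused; once the provider's domain is a public suffix, each subdomain becomes its own registrable domain with its own allowance.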
It's 2018, give me a GUI front end that has one button: Obtain and apply Cert. I click it, select the desired provider
I don't see how that can be made to work automatically given that many dynamic DNS providers require passing a CAPTCHA before obtaining or renewing a subdomain.
Most (All?) browsers and caching proxy servers do not save https content to disk.
Citation needed. Google Search for https disk cache returns, as its first result, "HTTPS Disk Cache Controller Browser Extensions" which contradicts your claim: "The default setting in Firefox 4.0 and later, true causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store." Farther down the first page of results is the Chromium project's documentation of the disk cache mechanism used by Chromium and Google Chrome. Because this document doesn't contain "HTTPS", "secure", or "encrypt", it appears to say nothing about any distinction between cleartext and HTTPS.
Some caching proxies don't save HTTPS content to disk because they don't cache HTTPS at all. The FAQ of the Polipo proxy states that it falls back to a tunnel using the CONNECT method for HTTPS connections. It doesn't support a shared HTTPS cache with a private CA.
What kind of information is worth being transported but not worth being tampered with and worth being mentioned on Google?
The article mentions policies implemented not only by Google Search but also by Google Chrome. If you read websites through Chrome, then everything you read is "being mentioned on Google" in this sense.
Also, if by "Google" you mean only Search: Wikipedia and the sources it cites. With cleartext HTTP, your ISP can insert patent nonsense into just your view of an article with no help from Wikimedia. But with HTTPS, the ISP would have to publish a revision through Wikimedia's server, where it'd get reverted in a heartbeat.
In theory, you could configure your web browser to connect to domains hosting financial web applications directly and other sites through the proxy. But I concede that major web browsers lack UI that specifically targets the edge case of selective deliberate use of a caching MITM on the client side of a harshly metered last mile.
Certificate Transparency logs make rogue certificates issued for ISPs in violation of the CAB Forum's Baseline Requirements easier to detect.