You trust those CAs because it's an audit-only club, and the friggin' web browser's company checked it
Actually, only newcomers to those lists get audited (such as Cacert.org). Older CAs (such as Comodo et al.) are considered "too big to fail" and are grandfathered in. And so are CAs trusted by competing browsers because "we can't start throwing up scary warnings on sites which do not cause a problem to our competitors."
Let's suppose they even give me a fingerprint or signature or whatever... That means squat: a certificate from an impostor also has a fingerprint. With what/whom do I check it, then?
Checking the fingerprint is the entire point. But you're right: the general populace, including helpdesks at banks and elsewhere is just so clueless that they aren't even able to read you a 40 digit number off an answersheet. And Firefox devs are so anal that they don't let you copy-paste it.
Stop treating self signed certificates like cancer, provide a way to see the fingerprint clearly,
Good luck making use of that. Ever tried to call the helpdesk of a server to verify its fingerprint? I'm pretty sure my bank would need to escalate such a request all the way up to the CEO, and still not be able to confirm the fingerprint...
For a mitm attack to succeed with Convergence, two notaries would have to collude.
No, it would be enough if a MITM can insert itself into the path from those two notaries to the target web server, and feed both notaries the same fake cert. No funny business by the notaries themselves is required.
===> so we better need the agreement of much more than just 2 notaries...
Even with a protocol needing all notaries to agree, a web server could be MITM'ed by its own ISP if it is single-homed (because paths from all notaries and visitors would go through that ISP). In order to prevent this, a web server should periodically probe notaries for its own certificate, and raise an alarm if it doesn't match.
The problem with Convergence is, how does the average user know which notaries to trust?
How does the average user know which CA to trust?
in that several notaries would have to be compromised in order to "fool" everyone instead of just the one.
You can set the notary algorithm to be very aggressive. As in all (rather than just most) notaries need to agree before a site is deemed secure. The rogue notary will become very obvious (because it stops everybody going to any SSL website), and will be promptly removed from the browsers' lists of trusted notaries.
... which means that notary compromise can only lead to a successful DOS, but never to a successful MITM.
"SSL" would continue to work if we switched the authentication component to another method like distributed views (notaries).
Correct. But it would stop working (securely) if we switched off the authentication component altogether (as in "just use self-signed certs" without planning for any other means of authenticating them).
The server from which the Perspectives extension is distributed, addons.mozilla.org, has had a certificate forged for it
The same could happen for browser downloads and updates meaning that even classical CA certificates are not "well known". If the Diginotar hackers can forge a certificate for addons.mozilla.org, so can they for getfirefox.com...
Unless an Lserver MITM is in place from day one, which is not unthinkable in the case of a national firewall.
A server could periodically ask the notaries for its own certificate, and raise an alarm if there is a mismatch. Notaries' replies can be made secure by having them signed by the notaries (whose certificates are hopefully "well known" in the browser).
Well, a smart MITM could foil this by "stepping back" when it sees that the server sends out a request for its own key, but then smart notaries could detect this by caching server certificates for a while.
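A small simulation of the two defences argued above, the "all notaries must agree" browser policy (rogue notary means denial of service, not a silent MITM) and the server probing notaries for its own certificate over signed replies. This is added illustration, not code from Convergence or Perspectives; notary names, keys, host and fingerprints are constructed, and an HMAC stands in for each notary's real signature.

```python
import hashlib
import hmac

# Constructed sample data (not real notaries): each key stands in for the
# signing key the browser is assumed to know for that notary.
NOTARY_KEYS = {"notary-a": b"key-a", "notary-b": b"key-b", "notary-c": b"key-c"}
GENUINE_FP = "11:22:33:44"   # constructed fingerprint of the site's real cert
FORGED_FP = "de:ad:be:ef"    # constructed fingerprint of a MITM's forged cert

def notary_reply(notary, host, fingerprint):
    """A notary's signed statement of the cert fingerprint it saw for host."""
    msg = f"{host}|{fingerprint}".encode()
    sig = hmac.new(NOTARY_KEYS[notary], msg, hashlib.sha256).hexdigest()
    return {"notary": notary, "host": host, "fp": fingerprint, "sig": sig}

def verify_reply(reply):
    """A reply rewritten by a router-level MITM fails its signature check."""
    msg = f"{reply['host']}|{reply['fp']}".encode()
    expected = hmac.new(NOTARY_KEYS[reply["notary"]], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, reply["sig"])

def browser_decides(observed_fp, replies, require_all=True):
    """Browser-side policy. With require_all=True one dissenting (or rogue)
    notary blocks the site, so notary compromise degrades to denial of
    service rather than a silent MITM. With require_all=False a simple
    majority of notaries suffices."""
    if not all(verify_reply(r) for r in replies):
        return "reject"
    agree = sum(1 for r in replies if r["fp"] == observed_fp)
    if require_all:
        return "accept" if agree == len(replies) else "reject"
    return "accept" if agree * 2 > len(replies) else "reject"

def server_self_check(own_fp, replies):
    """The site asks the notaries for its own cert; a notary reporting a
    different fingerprint means something sits between it and that notary
    (e.g. a single-homed site's ISP). Returns the dissenting notaries."""
    return sorted(r["notary"] for r in replies if verify_reply(r) and r["fp"] != own_fp)

def scenario(observed_fp, notary_views, require_all=True):
    """Build signed replies from {notary: fingerprint it saw}, then return
    (browser decision, notaries the server's self-check flags)."""
    replies = [notary_reply(n, "example.test", fp) for n, fp in notary_views.items()]
    return browser_decides(observed_fp, replies, require_all), server_self_check(GENUINE_FP, replies)
```

The ISP-on-every-path case is the one the browser policy cannot catch (all notaries honestly report the forged cert), which is exactly where the server's self-check fires.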
I was wondering if the extra complexity would generate more/more serious failures when wires get cut.
Assuming only the cooling envelope was cut, but not the electricity-carrying cable:
the now exposed section of cable will eventually go over its superconducting temperature, and if electricity is still flowing,
the damaged section will start generating tremendous amounts of heat, causing the neighboring sections to go over critical temperature as well,
which will cause these sections to generate heat, which the cooling system won't be able to evacuate, as it was designed to cope with low amounts of environmental heat, and not huge amounts generated by the cable itself.
this will trigger a chain reaction eventually destroying the entire cable
So, monitoring the cable for coolant loss, and cutting power immediately when it happens is important.
Define organization. Especially in the context of hackers where organizations are often not much more than leet labels which the members bestow on themselves... And even if the kid doesn't consider himself a member of Anonymous, prosecution may still claim that his style of web site defacement matches Anonymous', so he should be tried as a member...
Then what about more borderline jobs? Currently, a large online bookmaker is hiring. Betting may or may not be illegal in some jurisdictions. Would accepting such a job put myself in danger of being prosecuted under RICO?
And what if this betting shop was actually a front for something more sinister? Would software engineers working on the "generic" parts also become culpable of whatever other dealings go on in the company, of which they might not directly be aware?
So, for the sake of equality before the law, shouldn't companies such as Blackwater, or even Microsoft be treated as mobsters?
And what about construction companies? It is well known that they like to dabble in bribery in order to get public construction deals, and in some countries, they've got rather direct ties to the mob. So, does this mean that a simple bricklayer working for such a company can be prosecuted under RICO?
Sounds reasonable, provided that this doesn't mean that a lone hacker is automatically treated as a member of a criminal organization.
Indeed, that's the danger. Every lone hacker is a de facto member of Anonymous, and, thanks to RICO, can be stuck with whatever real crime other members of Anonymous did...
So, as long as at least one hacker does indeed commit fraud (just look at the many online scams), they can now also put all the bored teenagers into the slammer who just defaced some little known website for the lulz.
Silly us, there are actually three kinds. (vellus hair, and two types of terminal hair: on the head, and "axillary hair", which is vellus hair that turns to terminal hair under exposure to testosterone.)
Interesting... so which type is the hair that women have under their armpits and around their pussy? Obviously not vellus (it's too thick for that), not head hair (it's preferred by pubic lice rather than by head lice), and not "axillary hair" (where would the needed testosterone come from?)
Search for 2011fe takes you to a page in Spanish...gee..thanks a lot.
Indeed, thanks a lot. Someone really should explain to those damn Spaniards the difference between a supernova and the moon! So, how do I now get that horrible image wiped off my retina?
or take a shot, keep it, and later wank to it...
Easy. Microsoft, Mozilla, Apple, Opera pay auditors to audit every CA on their list.
Yeah indeed. I'm all for it. Indeed the current list of approved CAs is way too long!
So I hijack the router that website is using to access the internet.
This is indeed a valid concern... Hopefully routers near important web sites are appropriately secured...
Or I hack the router you use to access the internet...
Won't work if the notaries sign their certificates. The browser would notice that suddenly all notaries' signatures changed.
How does a Notary authenticate a cert?
They compare to each other. The system works on the assumption that it is difficult for a man-in-the-middle to invade all paths to a website.
It could have been done by nazi pedophile devil beasts and I would still have been proud of the research.
Indeed, nazis such as Dr Mengele did lots of medical research whose results are still useful today!
Thanks. Indeed, this thread is annoying, thanks for stopping it :-)
If they oppose it, then it is a clear proof that their motivations are not as clear as they wish us to believe.
Or, more probably, they don't believe your formula, and are wary of hidden snags.
Don't worry, everybody understood... after all, the l of talking had to go somewhere...
Wow, that feels good!
I am a fat man that is apparently repugnant to women.
:-)
Despite this, many different women have commented on the quality of my shoulder-length hair.
And how is your chest (and back...) hair?
I imagine that on Slashdot I can't be the only fat man with great hair who can't get a date...
Maybe you are too restrictive in your choice of partners?
Now if they can only find a way to reverse the hair growth on my back.
Exercise. RTFA!
I was hoping for a link between being fat and being bald
There is a link. Hint: very few men wear their fat on the top of their head...