I'd be pretty unhappy if my security company revealed over the phone to an anonymous stranger that I did or didn't have service with them... even if the caller did claim to be standing out the front of my property and claiming to see water pouring from the garage.
but what about when the cops decide to track your movements - just because they can
You don't work for the recording industry do you? They use the same sort of argument all the time. Just because something can be used for illicit purposes (be it tracking devices in cars or p2p filesharing software on your computer) doesn't mean that that's all it will be used for, and doesn't mean that it should be made illegal.
If the cops or the bad guys want to track your movements they'll covertly stick their own tracking device on your car anyway. Having your own tracking device already might make it easier for them but it wouldn't suddenly allow them to do something they couldn't do anyway.
Gotta love how things like that work in rural towns.
Would you expect it to be any other way? Being a cop in a rural community must be a really tricky job - having to book the same people that you'll probably be sharing a pub with at the end of the day.
you can be held seriously liable for claiming that you have surveillance video when you don't
Ah. You need one of my other stickers then... try one of the following:
"These labels were not placed here by the owner of this equipment"
"By reading this label, you agree not to bring any action against the owner of this equipment for any claims, false or otherwise, made by this or any other label on this equipment."
"This label and any others attached to this equipment is void in Texas and any other state with stupid laws."
"this device is not protected by gps and will not alert the authorities if it is moved"
Any electronic device that cost several thousand dollars will be expected to be wireless and have GPS.
And for devices under several thousand dollars, I'll make a fortune selling fake antennas and stickers that say "this device is protected by gps and will alert the authorities if it is moved", and "smile for the camera" :)
Second, I disagree with the notion that it's worth $50M.
You also don't understand 'worth' then. An item is worth precisely what someone is willing to pay for it, and unless you are the buyer, a bidder, or a highly influential art critic, your input and understanding (or lack of) don't affect that in any way at all.
If an item, having been purchased for $50M, is suddenly discovered to be a fake - painted 3 weeks ago by a scam artist in a basement, it is probably going to now be worth a whole lot less for the precise reason that it is very unlikely that someone is going to pay $50M for it anymore.
You can speculate and disagree all you like about what you think something is worth, but as long as someone is willing to pay that price, you are wrong.
And there's no evil in Blizzard charging two cups of coffee for an extra layer of protection. I'm sure they've spent oodles and oodles of cash in the past dealing with these issues, so there's nothing wrong with recouping past costs and helping to avoid a portion of future expenditures.
I don't even think they are trying to recoup costs, it's just a token amount so that every single user doesn't click the 'give me a free token' button. People love getting free stuff, even if they don't need it (or is it just my wife that does that? Hi wife, if you are reading this :)
Yes, maybe if you handcraft them in Norway from reindeer horns and freshly clubbed seal, but in the rest of the world you can buy a USB memory for less than this.
Silliness aside, I think the person you responded to probably meant Blizzard's purchase price. For each device you build you have to compute and program the private key, then you have to record this key on a CD or in some other form to deliver to the customer (Blizzard in this case, not the end user), and additionally Blizzard then have to license the software to run it all and set it all up. It's possible Blizzard may have been able to negotiate a decent price for the token, but I think they would be selling them at a loss on the assumption that at a loss of (say) $20 per token, they'll save that much in sorting out the mess that becomes of 'stolen' accounts.
Nonsense, a sample size of 2 days is sufficient for predicting an ice age. It was 21C degrees yesterday, and 20C degrees today. Based on that trend, we'll all be frozen solid in a few weeks. Better start preparing now!
It would be too easy to defeat a player using one of these. Simply flash up a picture of a naked chick and all brain activity will cease as another body part will take over the 'thinking', and this device won't be able to pick anything up anymore.
On the subject we were really discussing, do you think it is impossible to subvert the certificate system if you have the resources of a nation behind you (think NSA)? (And no, I never mentioned communicating with my bank, other people did that).
If I gave the impression that I thought it was totally impossible then I apologize. For day to day working I'm happy to trust Verisign to protect the secrets that I want protected.
Given all the other possible avenues available to an organisation like the NSA, I'd be surprised if they chose that route though. And if the 'secrets' you are exchanging are important enough that the NSA might be interested in them then I agree with you that trusting Verisign might not be the best thing to be doing.
For that reason, I don't really see that there is a problem.
But my standard answer to that sort of thing is that it doesn't matter how much technology you throw at keeping things secret, if 'they' want your secrets bad enough they'll put a gun to the kneecaps of your child/wife/husband/mother and demand that you give them up. That would work for me.
So in your hypothetical exploit, the following sequence of events would happen:
1. I sit down in an internet cafe with my laptop and connect via wireless to the internet using the provided wireless network.
2. The wireless network is being run by badguys, so when I type 'http://www.mybank.com.au', it does a redirection to 'www.mybank.com.su' (which I don't notice) and click the 'internet banking' link.
3. The internet banking link sends me to https://www.mybank.com.su/ which has a valid ssl cert for it (domain validated)
4. I still don't notice and enter my login details.
5. My login details are captured by the bad guys and the site reports 'Due to maintenance this site is unavailable. Please try again later'.
6. I think nothing of it and don't notice anything out of the ordinary until funds start disappearing from my account.
That would probably fool enough people to be worthwhile.
Things that would break it are:
1. Me paying attention to the URL (this wouldn't necessarily help if they did something tricky like have the fake .au site load the .su site in an IFRAME, although maybe my browser might pick this up)
2. Me verifying the certificate. The bad guys might be able to get a domain validated cert easy enough (www.mybank.com.su), which could easily be missed, but not a company name validated cert (My Bank Of Australia Pty Ltd), which aren't given out nearly so freely. The browser treats them the same way though.
3. Me verifying the fingerprint, as you suggested. Does the fingerprint change when the cert expires and gets renewed?
4. Me using a second authentication factor (which I do), and the bad guys not using my login details immediately (the second authentication factor is a token which presents a different 6 digit number every 90 seconds).
This would make a really cool security exercise, to reproduce the above scenario in a controlled environment and see how it pans out.
I guess at the end of the day, you have to make sure that you are not the 'low hanging fruit' that the bad guys will pick first. As long as there is someone easier to fool than you, you are probably safe.
It is somewhat bad form though, not showing that it's secure (ie having the login on HTTPS), but that example isn't actually doing anything wrong.
If you understood that the reasons for https extend beyond encryption then you would understand why it is wrong for them to do that. Please read the other posts about 'man in the middle' attacks.
The login page has already been sent to you, there is no information on there and doesn't need encryption. But when you do send the query with your login-info to them, then it has to be in an encrypted connection. That is what MelbourneIT does, so it is quite safe to use them.
Have you understood nothing?
Without the login page being https I cannot tell if I am really talking to MelbourneIT or if I'm really talking to a 'man in the middle'.
Let's say that your bank's machine got compromised, no changes to its SSL cert, no changes to its DNS? How does a CA's website verification help you in this situation?
It doesn't help you, but it's not designed to. It's designed to give you some confidence that it's actually the bank's machine you are talking to.
If the bank's machine is compromised then they've got bigger problems anyway. I don't think you quite understand the problem that ssl is trying to solve.
Your argument goes like this: Name one person who has been attacked by a bear. If you can't, then nobody has ever been attacked by a bear.
No. It doesn't. There is a difference between 'could possibly happen in theory', and 'has happened before'. Bear attacks have happened and there are plenty of examples of such attacks, but if there are no examples of something having happened then it must at least be unlikely, and perhaps has never happened before, in which case it's just speculation.
Anyway, I was more curious about a case study of subverted certificate, it would make an interesting read.
Do you absolutely trust Verisign?
I don't have to. My bank does, and they're the ones who will lose out if my money goes missing because their trust was misplaced. Their instructions to me are to check the certificate before I log in, which I do. I also use a 2nd authentication factor, also as per their recommendations.
If you check the login form's source you'll notice that it is being submitted to an https URL.
You don't quite get it then. By the time I've hit submit, I've already entered my username and password. It's too late by then to find out that I've just submitted my details to a 'man in the middle'.
Encryption is nice, but the more important value in ssl certs is that they verify who it is that you're talking to.
1) SSL certificates do get issued to phishing sites
I figured that would probably happen, but I'd never actually seen it. I don't make a habit of deliberately visiting phishing sites though.
2) Some banks have login forms on un-encrypted pages
I've not seen a bank do it, but these guys do, which I think is just insane, especially seeing as in all other respects (apart from price) they are an excellent domain registrar. Click the login link in the top left and you'll be presented with a non-https page with a username and password on it. I've emailed them about it but they just don't get it. Idiots.
I've stopped using MelbourneIT for new registrations on that basis. I suggest you do the same.
"smile for the fake camera"
Oh how I wish I had some spare mod points for you. Where is the "+2 - Insightful and very Funny" option.
Product placement on Slashdot? Who'd have thunked it?
You're not a Perl programmer then are you?
Is there an animated goatse somewhere that we can redirect this guy to?
Hey were you the subject of a Dilbert comic a while back?
Correct. I'm quite sure an amphibious bear-frog will be evolving over the next few years, just as Darwin predicted.
Curiously, you also often hear both standard meanings of PoS applying to the same product.
In a meeting, I once very very nearly said 'Piece Of Shit' when I meant to say 'Point Of Sale' :)