It’s amazing how on a daily basis there’s a story about someone’s identity or data being stolen, personal info being misused, or just getting screwed via the Internet. Most of the time it’s due to a complete lack of standards regarding how people treat their digital property and identity. It’s the electronic equivalent of leaving your home and not locking the door. Anyone can come in and take what they want.
Tag: ssl
I just found out the other day I found my first bug worthy of being a CVE (Common Vulnerabilities and Exposures) Candidate: CVE-2008-3747. Low profile, but I guess still a potential vulnerability.
I must admit I didn’t know that the database is funded by the National Cyber Security Division of the United States Department of Homeland Security. I did know US-CERT was.
There’s an interesting discussion on Slashdot about SSL certificates. It brings up two valid points:
- Invalid certificates, while providing a secure mechanism between the client/server are extremely annoying to use in Firefox 3 for many people because of the multi-step process. Previously it was just a warning dialog.
- There are no free SSL certificates that are really “usable” (not throwing up warnings in a many browsers). CAcert.org has likely gotten the most inclusion, but it’s barely anywhere.
Certificates not signed by a trusted certificate authority (CA) give up a warning because of the idea that a certificate authority verifies the certificate belongs to the person whose name is on the certificate. This concept was busted a while back as CA’s started doing “domain validation” to offer lower prices. To “remedy” this, they created EV SSL. EV SSL requires more background checking, but at a higher cost. This means there are three tiers of SSL:
- Untrusted/Self Signed – Free – The user is strongly discouraged from visiting a site with one of these. Indicates the technologically the channel is secure only.
- Signed By CA – Variable Pricing – The user is told this is secure.
- EV SSL – Expensive – The user is told these sites are super awesomely amazing and can cure cancer.
Essentially EV SSL is nothing more than a scheme to charge more. EV SSL is supposed to do what a signed certificate should have been doing all along. By 2012 I’d bet there will be a SEV SSL(Super Extended Validation Certificate). Maybe that would require a DNA and fingerprints to prove identity.
The Problem
It’s 2008 (actually more than half way through it). I still can’t use a secure https connection without either throwing up an error to users (who are always confused by it), or paying a fee? It seems right to me it should be free to use https without any barrier for a technical level of security.
Why is “trust” bound so tightly to encryption? Why can’t a medium be encrypted without being trusted? The technology shouldn’t be tied the way it is to the business side of things.
Trust should be bound to encryption, but encryption should not be bound to trust. Trust is the “needy” individual in this relationship. Encryption is strong and confident. At least it should be…
A modest proposal
I propose that browsers should allow for self signed certificates to be used without any dialog, interstitial or other obstruction provided they are properly formed and not expired. The user interface should indicate that the channel is encrypted and communication is unlikely to be intercepted between the user and the server. It should note if there is any change (just like SSH notifies the user if the signature is changed between sessions). Other than that it should be transparent.
SSL certificates and EV SSL certificates should indicate in the user interface the the site being browsed is not only encrypted, but trusted by a third party the browser trusts. These are suitable for ecommerce, banking etc.
This would allow for things like intranets and other places where encryption is desired, paying for a CA to verify identity is overkill, and “domain verification” is just pointless.
Trust should be bound to encryption. Encryption shouldn’t be bound to trust. Encryption shouldn’t require verification. Encryption should be self-serve.
I’d be curious to know what others thought of the issue.
Categories
SSL Bug In Firefox 3b5
I’ve encountered this bug I just can’t quite figure out, so I figured I’d put it here. Hopefully with a broader audience someone else had encountered it and perhaps this will lead to the root cause being identified.
For some reason Firefox 3 can’t access Webmin on port 10000, which is how it’s setup on a box I have. It worked in Firefox 2.0, but not 3.0. I’m not sure if it’s something to do with Perl’s Net::SSLeay, which Webmin uses for SSL support, or the port number being 10000. I’ve tinkered a little bit with SSL settings, but so far haven’t been able to figure out exactly what’s going on. It seems to be a regression in NSS.
Anyone notice a regression like this using nightly builds somewhere else? This is the only case I’ve personally experienced it. If you have, then visit bug 423499 and let us know.
Edit [5/4/08 @ 11:30 PM EST]: No idea what’s going on here, but apparently nobody else can reproduce, so calling it quits for now.
As of yesterday SafePasswd.com is now suggesting passwords over SSL for better security. Seems like a good idea right?
In other news, there is now a SafePasswd.com blog. The focus is quite simple. Bring better security to the masses.
Check it out, add the feed to your favorite rss reader, bookmark it.
I didn’t find this anywhere online, so I thought I’d post it. Norton AntiVirus up to and including 2007 doesn’t support POP3 over SSL. That’s a problem since sending mail without SSL is insecure, and sending mail over SSL with no virus scanning is also insecure. There is a fix.
Please note these directions, and intended to be a casual guide for experienced individuals. I’m not providing assistance or support.