Comments on: Broken Browsers Part Two

By: Digital Dreamspace

Digital Dreamspace — Fri, 17 Jul 2009 22:35:28 +0000

Wow this is gonna be so cool.

By: Josh

Josh — Wed, 08 Jul 2009 08:37:05 +0000

The software will then conveniently provide you with text files containing the whole encrypted conversation – in plain text, that is. This man-in-the-middle attack can be done by any 12-year-old on their windows home network.

By: Megan

Megan — Wed, 08 Jul 2009 08:32:45 +0000

If cert vendor X says someone has passed a background check, why should I trust that? I don’t know what their background check is, so why would I want to pay for someone else’s background check? The background check doesn’t benefit me, my users won’t know exactly what is being checked so they have no reason to trust it

By: Soma

Soma — Sat, 04 Jul 2009 15:42:05 +0000

its a very complicated process to be a “trusted” (one that would not issue any warning on any browser) CA, so this kind of guarantee to the user they can trust the CA methods, as they already have to be part of a network of “trusted” CAs.

By: marcusbacus

marcusbacus — Tue, 30 Jun 2009 01:11:53 +0000

It’s not $100 a year, for sure. It’s “just” $47 which is the price of the unique IP. This ruined any possible technical explanation of the “benefits” of buying DH’s SSL that came later. If even the price isn’t right, the technical details provided by DH are much probably wrong as well.

By: Jeff R

Jeff R — Fri, 19 Jun 2009 02:54:10 +0000

Too bad it still requires a $3.95/year IP, even for certs “you can use elsewhere” – I guess I’ll pop over to The Planet to save that!

By: Maarten

Maarten — Thu, 11 Jun 2009 06:51:24 +0000

There is a plugin called “Perspectives” that both suppresses the annoying warnings when using self-signed certificates and, as a bonus, prevents you from MITM-attacks. http://securityandthe.net/2008/10/20/bypassing-https-warnings-in-firefox/

By: Craig C. Kip

Craig C. Kip — Sat, 06 Jun 2009 04:10:07 +0000

This post is remarkably retarded. Without trusted signing, encryption doesn’t -mean- anything. An attacker can encrypt a web-site, too.

As for “I’m not sure there’s ever been a reported case of a third party sniffing sensitive information on the Internet as it passed through their routers”, are you completely daft?

As a teenager I regularly used arp spoofing to MITM, sniff, and forward network traffic on the local LAN. Nowdays I could do the same in a coffee shop or at a conference, if I was so inclined.

Seeing as this remarkably ignorant drivel is coming from the CEO of DreamHost, I think it’s pretty clear that I shouldn’t trust your services to be even remotely secure.

By: vinicius

vinicius — Thu, 04 Jun 2009 00:42:18 +0000

Hi, many of the commenters already stated above, and they’re right.

SSL certificates are still a great way of knowing whether your communication is being intercepted or not.

If anyone can ARP spoof you (what is 99.999999% of the time possible) they can forge their own certificate and decrypt your communication, even though your browser shows a padlock.

By: Deekoo L.

Deekoo L. — Wed, 03 Jun 2009 03:59:01 +0000

Hear, hear!

A customer of mine has had an SSL cert for their domain for several years in spite of the fact that the ONLY evidence he provided the cert vendor that he owned the domain was the fact that his email address is located at the domain he bought the cert for. Oh, and that he had twenty dollars more before he bought the cert than afterwards. Now, while it actually is his domain, I can’t see any way for the cert vendor to have known it – his credit card’s under a different name than the whois info for the domain, the whois info itself points at a mailbox he hasn’t had for years, the mailing address on the domain is similarly outdated and doesn’t match his credit card… I actually had more sanity-checking done on my identity when I bought a domain out of a Monaconese registrar that can’t even manage to stop their order forms from switching into French at random!

However, blindly accepting all certs is not the best solution – it will make monkey-in-the-middle attacks almost as easy (if a bit more CPU-intensive) as intercepting plaintext, and unencrypted traffic is widely intercepted by potentially-hostile parties (If you want an example, there is a spamvertised domain at http://www.tradeim.com/ , hosted in China. Their site currently loads a nice ugly webpage. Once you’ve verified that it works, go to http://www.tradeim.com/?Falun+Gong . Your connection will be broken, and you will be unable to load webpages from http://www.tradeim.com until China’s firewall forgets about your fascination with the Falun Gong. Keep it up and they’ll even block SSH connections to http://www.tradeim.com.)

IMO, the Right Way to handle SSL certificates is not to blindly Trust, but rather to treat them ALL as untrustworthy and show you the certificate chain and fingerprint info for each new cert you encounter, much like SSH or the Yeemp instant messenger do. (Which reminds me, I really should reactivate my Yeemp server sometime.) – then cache the accepted certs forever and warn you in great firy letters of DOOM if the cert changes. If I inspected the cert chain for bankofthewest.com and accepted it, the mere fact that pankofthewest.com has a new cert should make me blink and double-check before logging in.