
(Some Guy) There is nothing to add that can make this funny: 90% of SSL-encrypted secure web sites aren't (trustworthyinternet.org)
    More: Scary, SSL Labs, internet, historic value, data points

3733 clicks; posted to Geek on 01 May 2012 at 12:59 PM (2 years ago)



24 Comments

Archived thread
 
ZAZ [TotalFark]
2012-05-01 12:02:52 PM
SSL serves two purposes: protection from passive attacks and protection from active attacks. Active attacker = guy providing the free wifi. Passive attacker = Google van. Man in the middle attacks require an active attacker, not a snooper.

(Here I count authentication of party at other end of connection as protection against active attacks, but you can call it a third purpose if you like.)
 
2012-05-01 01:20:09 PM
Did you try adding clowns?
 
2012-05-01 01:28:55 PM

dittybopper: Did you try adding clowns?


Insecure clowns are just.... sad.
 
2012-05-01 01:29:08 PM

ZAZ: SSL serves two purposes: protection from passive attacks and protection from active attacks. Active attacker = guy providing the free wifi. Passive attacker = Google van. Man in the middle attacks require an active attacker, not a snooper.

(Here I count authentication of party at other end of connection as protection against active attacks, but you can call it a third purpose if you like.)


SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.
 
2012-05-01 01:33:56 PM
While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate.

Maybe if you're an idiot. My moderate experience in the web hosting business tells me that, in fact, most people are idiots.

But simple, effective SSL deployment is trivially easy.
 
2012-05-01 01:39:44 PM
Your blog sucks.
 
2012-05-01 01:43:39 PM
Having worked with several enterprise-level portal software packages for a while, many of them have poor support to allow proper implementation of SSL throughout the application and plugins. However, as the site says, implementation has been getting better.
 
ZAZ [TotalFark]
2012-05-01 01:46:35 PM
Shazam999

I meant to say insecure SSL does protect you against Google but not against rogue WiFi hotspot. So it's not perfect and it's not worthless.
 
2012-05-01 02:04:18 PM

Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.


Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.
 
2012-05-01 02:30:28 PM
Beast attack?
www.mtgmintcard.com
 
2012-05-01 03:19:02 PM

Honest Bender: Maybe if you're an idiot. My moderate experience in the web hosting business tells me that, in fact, most people are idiots.


There's really no excuse for back office IT professionals in a decently sized company not to know about things like this, but consider something like Server 2003 in a small business that can't afford a real IT staff and is running a website and shopping cart package they bought online for $40. By default, Server 2003 supports 40-bit keys and you have to edit registry settings to fix that problem.

You think Mary, the front desk girl, who really only knows how to turn the computer off and on again when it's running slow, is going to be able to do that?
 
2012-05-01 03:19:23 PM

Splinshints: dittybopper: Did you try adding clowns?

Insecure clowns are just.... sad.


True, but on the plus side, they are easily laid.
 
2012-05-01 03:36:04 PM

heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.


Yeah, because people totally don't ignore UAC.
 
2012-05-01 04:16:36 PM

Shazam999: heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.

Yeah, because people totally don't ignore UAC.


Wait - there are people that don't disable UAC immediately?
 
2012-05-01 04:32:08 PM

cmunic8r99: Shazam999: heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.

Yeah, because people totally don't ignore UAC.

Wait - there are people that don't disable UAC immediately?


There are now a number of viruses that can write directly to Windows' boot sector. UAC is the only thing that can stop them.
 
2012-05-01 05:03:54 PM

Shazam999: cmunic8r99: Shazam999: heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.

Yeah, because people totally don't ignore UAC.

Wait - there are people that don't disable UAC immediately?

There are now a number of viruses that can write directly to Windows' boot sector. UAC is the only thing that can stop them.


Even for GPT partitions?
 
2012-05-01 05:34:55 PM
If you're a windows user who disables UAC and then complains that windows isn't "immune" to viruses like macs are, you should be shot.
 
2012-05-01 05:37:23 PM

cmunic8r99: Shazam999: heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.

Yeah, because people totally don't ignore UAC.

Wait - there are people that don't disable UAC immediately?


I leave it enabled. Windows 7 is not terribly annoying with UAC now that programs play nice. I also come from a *nix background and having to elevate for root privileges is common and normal.

That said, is there any malware in the wild that tries to add root certs? I've never heard of that happening. Windows is pretty paranoid about that and it requires more than just a UAC prompt to add new roots.
 
2012-05-01 06:02:05 PM
The reason computer security is in this huge mess, is because people (and major software developers) choose convenience and "rapid development" over security.

M$ once thought it a good idea to allow ActiveX programs, loaded from a remote web server, access to the web browser's local drive. It was all in the name of Convenience, because God forbid anyone have to use a secure FTP program to transfer important company files, or have a tech actually be present in the office to download and install important software updates.

NO, it's better if we let them just make a web page to do it all for them! No one would EVER dream of exploiting ActiveX's local drive access to remotely install viruses on end-users machines!

/end rant
 
2012-05-01 06:04:22 PM

Honest Bender: While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate.

Maybe if you're an idiot. My moderate experience in the web hosting business tells me that, in fact, most people are idiots.

But simple, effective SSL deployment is trivially easy.


Maybe if you're an idiot (which most people are).
 
2012-05-02 03:42:58 AM
Honest Bender

While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate.

Maybe if you're an idiot. My moderate experience in the web hosting business tells me that, in fact, most people are idiots.

But simple, effective SSL deployment is trivially easy.


No, it isn't. Either you don't know what trivial means, or you're doing it wrong too.

If you give me the fqdn for a site you set up with SSL I'll tell you which one it is.
 
2012-05-02 11:33:00 AM

WayToBlue: If you give me the fqdn for a site you set up with SSL I'll tell you which one it is.


Link
 
2012-05-02 02:23:59 PM

cmunic8r99: Shazam999: cmunic8r99: Shazam999: heypete: Shazam999: SSL does not protect against free wifi guy at all - e.g. attacker poisons DNS, and attaches his own CA chain to your repository. You're then totally farked.

Therein lies the rub. How would the attacker get you to do that?

Adding new root certs without the system owner's consent is not something trivially done.

Yeah, because people totally don't ignore UAC.

Wait - there are people that don't disable UAC immediately?

There are now a number of viruses that can write directly to Windows' boot sector. UAC is the only thing that can stop them.

Even for GPT partitions?


Just look up the details for the Alureon virus.
 
2012-05-02 08:47:17 PM
Honest Bender

WayToBlue: If you give me the fqdn for a site you set up with SSL I'll tell you which one it is.

Link


Overall looks good with some minor room for improvement:

1. in general * certs are evil
2. No EC cipher suites which are preferable for mobile device users
3. No TLS v1.2 support - the future is now!
4. OCSP is preferable to CRLs
5. MD5 should be considered dead. I will say right up front there is no specific concern with using it in this context, but it really needs to just be gone. Even if you really need backwards compatibility, RC4-SHA should do you.
6. DHE should be preferred over RSA, imo. This one is pretty debatable so I'm putting it last. This is excluding RC4 listed first for BEAST reasons (an overblown threat, again imo).

My $0.02.
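The six points in the post above are the kind of checklist a scanner report gets read against. The following is an added example, not code from the thread or from SSL Labs: it takes a summary of a server's observed TLS settings (the dictionary layout, the field names and the two sample sites are constructed for this example, and "* certs" is read here as wildcard certificates) and reports each of the six findings, including the RC4-first exception the post makes for BEAST.

```python
"""Checklist audit of an observed TLS server configuration.

Input: a dict summarising what a scanner saw (constructed format for this
example).  Cipher suites use OpenSSL-style names in server preference order.
"""

# Constructed sample: a site that trips every item on the checklist.
WEAK_SITE = {
    "cert_subject_cn": "*.example.com",
    "cert_signature_algorithm": "sha1WithRSAEncryption",
    "revocation": {"crl": True, "ocsp": False},
    "protocols": ["TLSv1", "TLSv1.1"],
    "cipher_suites": [
        "RC4-SHA",             # RC4 first "for BEAST reasons" is tolerated
        "AES128-SHA",          # plain RSA key exchange preferred over DHE
        "DHE-RSA-AES128-SHA",
        "RC4-MD5",             # MD5-based suite
        "DES-CBC3-SHA",
    ],
}

# Constructed sample: the same site after applying the six recommendations.
HARDENED_SITE = {
    "cert_subject_cn": "www.example.com",
    "cert_signature_algorithm": "sha256WithRSAEncryption",
    "revocation": {"crl": True, "ocsp": True},
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES128-SHA",
        "AES128-SHA",          # RSA kept last for legacy clients only
    ],
}


def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange, recognised by the OpenSSL name prefix."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def uses_md5(suite):
    """MD5 as the suite's MAC/PRF hash, e.g. RC4-MD5."""
    return suite.endswith("-MD5")


def audit_tls(site):
    """Return the list of checklist findings for one site (empty = clean)."""
    findings = []
    suites = site["cipher_suites"]

    # 1. Wildcard certificates widen the blast radius of one key compromise.
    if site["cert_subject_cn"].startswith("*."):
        findings.append("wildcard certificate")

    # 2. EC (ECDHE) suites: cheaper handshakes for mobile clients.
    if not any(s.startswith("ECDHE-") for s in suites):
        findings.append("no EC cipher suites")

    # 3. TLS 1.2 support.
    if "TLSv1.2" not in site["protocols"]:
        findings.append("no TLS 1.2 support")

    # 4. OCSP preferred over CRLs for revocation checking.
    if not site["revocation"].get("ocsp", False):
        findings.append("no OCSP (CRL only)")

    # 5. MD5 anywhere: in a suite or in the certificate signature.
    md5_suites = [s for s in suites if uses_md5(s)]
    if md5_suites or site["cert_signature_algorithm"].lower().startswith("md5"):
        findings.append("MD5 in use: " + ", ".join(md5_suites or ["cert signature"]))

    # 6. DHE/ECDHE should be preferred over plain RSA key exchange, ignoring
    #    any RC4 suites the server lists first as a BEAST mitigation.
    non_rc4 = [s for s in suites if not s.startswith("RC4-")]
    if non_rc4 and not is_forward_secret(non_rc4[0]):
        findings.append("RSA key exchange preferred over DHE/ECDHE")

    return findings


if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(name, audit_tls(site) or ["ok"])
```

Feeding the output of a real scan into `audit_tls` only requires mapping its fields onto the constructed dict layout; the checks themselves are name-based, so any OpenSSL-style suite list works.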
 
Displayed 24 of 24 comments

This thread is archived, and closed to new comments.