[ALUG] Mozilla will obsolete HTTP

Andreas Tauscher ta at geuka.net
Sun May 3 14:36:19 EAT 2015


On 05/03/2015 at 11:54 AM, Tim Schofield via Linux wrote:

> This "feels" wrong to me. It seems like another way to move the web 
> into being owned by governments and corporations and away from its 
> free, open and transparent founding principles.

I understand your concerns. At the moment the CA infrastructure is
somehow broken. If I count 300+ CAs in the OS/browser trust store,
something is wrong.
And where do I get a certificate?
Many hosting providers are offering certificates for free for the domains
registered with them. Some CAs are offering certificates for free, like
StartSSL and WoSign. In the middle of the year letsencrypt.org will go
operational, also offering free certificates.
The next component is DANE [1], which has to arrive in the client software.
With DANE the client can verify certificates by DNS lookups. I only have
to publish fingerprints or certificates as TLSA records in my
DNSSEC-secured zone.
Not only can the clients verify even my self-signed certificate: I can
also run my own CA without having my root certificate in the client's
trust store.
But for the moment DANE is only supported by Postfix 2.11+ and with
plugins by Chrome and Firefox. For Thunderbird (Linux only) a crutchy
workaround is available.
With DANE nothing is given to governments or corporations.

> Yes there are sites that should obviously be https only, but there 
> are also sites where it would be unnecessary.

It is necessary for all pages!
It is not only that nobody can read what I enter. It is also for the
site owner to ensure that the content arrives unmodified.
Comcast is injecting advertisements into web traffic. [2]
AT&T/Verizon are injecting tracking cookies into web traffic. [3]

Who wants a third party modifying my content without my permission?
If I care that my content arrives unmodified, I have to encrypt.

> It is not up to the likes of Google/NSA/Mozilla to force this onto
> us.

If Google is trustworthy: Different problem. But somebody has to start.
And now Google and Mozilla are starting from this end.
Last year thousands of mailing lists exploded because Yahoo started to
verify DKIM signatures. Outdated or wrongly configured mailing list
software is breaking this signature: Reject or spam folder, depending
on which DMARC policy was published.
Big crying. But sorry: If you operate a mailing list and you have no
idea what your software is doing with mails: You are in the wrong business.

Giving recommendations is obviously not working. As long as there are so
many host/post/web/whatever masters having no clue what they are doing,
being ignorant or simply stupid, the only way I see is to bring more
pressure on them: You get your crap fixed and meet actual standards or
you are out. There was more than enough time.

> They would be better looking at the insecurities in their
> JS/ActiveX engines that allow malware to get installed if a user goes
> to an insecure site.

That is a different problem.
IMHO the most blame has to be brought to the webmasters/webdesigners.
As long as I find thousands of websites using a million-year-old version
of WordPress, phpBB, Drupal or whatever, most web"designers" having
no idea what XSS or SQL injection is, as long as bastards like eBay are
ignoring XSS issues for over one year [4] (when I search the full
disclosure mailing list for eBay: Amazing. They are real experts in
creating XSS holes. Nobody has this many CVE numbers related to XSS),
WordPress needing over one year to fix XSS vulnerabilities and then a
few days later exploding again with an even worse stored XSS,
advertisement networks like AOL's advertise.com are frequently abused to
distribute malware and Adobe never getting their crap Flash player
fixed and Microsoft is not getting an update mechanism for software
working:
The best and most secure JS engine cannot protect me. It can only limit
the damage already done by others.
It is like blaming the car manufacturer for failing brakes when driving
200 on a slippery road.

Andreas

[1] http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
[2] http://arstechnica.com/tech-policy/2014/09/08/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
[3] https://www.eff.org/de/deeplinks/2014/11/verizon-x-uidh
[4] https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
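
Added example, not part of the original message: a sketch of the TLSA comparison a DANE client makes for the two cases mentioned above, a pinned (possibly self-signed) server certificate (usage 3) and a private CA (usage 2), using the field numbering of RFC 6698. All function names are assumptions of this example, the certificates are constructed stand-ins with dummy contents, and DNSSEC validation and chain signature checks are left out.

```python
import hashlib
import hmac

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def selected(cert, selector):
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo."""
    if selector == 0:
        return cert
    if selector != 1:
        raise ValueError("unknown selector")
    _, pos, _ = _tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)  # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert, pos)
    pos = nxt if tag == 0xA0 else pos  # skip optional explicit [0] version
    for _ in range(5):           # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    return cert[pos:_tlv(cert, pos)[2]]

def association(cert, selector, mtype):
    """Matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    data = selected(cert, selector)
    if mtype == 0:
        return data
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def dane_match(chain, usage, selector, mtype, data_hex):
    """chain = [leaf, ..., root] in DER; usage 3 pins the leaf, 2 a CA above it."""
    if usage not in (2, 3):
        raise ValueError("usages 0 and 1 additionally need PKIX validation")
    candidates = chain[:1] if usage == 3 else chain[1:]
    want = bytes.fromhex(data_hex)
    return any(hmac.compare_digest(association(c, selector, mtype), want)
               for c in candidates)

def _der(tag, body):  # encoder for the sample only, short-form lengths
    return bytes([tag, len(body)]) + body

def sample_cert(key, serial=b"\x01"):
    """Constructed stand-in: real DER layout, dummy field contents."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") * 4 + _der(0x30, key))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A record with selector 1 keeps matching when the certificate is reissued with the same key, while a selector 0 record has to be republished on every renewal.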
