[ALUG] Mozilla will obsolete HTTP

Andreas Tauscher ta at geuka.net
Sun May 3 19:24:12 EAT 2015


And while I'm already in the mood for bashing, another one on PayPal:

In 2010 I ordered a few gadgets, payable with PayPal. My problem was: I
could not change the shipping address from Germany to Tanzania.
After several mails to PayPal support and getting useless answers, I had
a closer look at the web forms.
Plenty of hidden elements, and some crappy, obfuscated JavaScript.
Firebug, a few changes in the page code, and I had my shipping address in TZ.
Verification done on the client side? WTF?
PayPal was informed about this problem, and the proof was my changed
profile holding a shipping address which should not have been possible.
They ignored it. I never got any reply on this issue, and it took nearly
two years until these bastards fixed it.
And such (fill in very strong word) idiots I should trust in any way?

When they put the key under the doormat, encryption is snake oil.

But back to the topic:

With DANE and DNSSEC I have powerful tools to get more control, and I
become more independent from more or less reliable institutions.
In a DNSSEC-signed zone I can safely publish information like
fingerprints, public keys, certificates and plenty of configuration stuff.
If somebody is interested: run ngrep on port 53 on your gateway or name
server (oh, and if sometimes things are loading slowly, check whether
port 53 is open for UDP and TCP. Nowadays DNS replies can be bigger than
512 bytes, and then DNS switches to TCP). You will see queries for names
starting with _ (absolutely forbidden for hostnames!); all of these are
queries for configurations published in the DNS. Windows Server 2012, for
example, is using it a lot. Have a look at a DC in the DNS; you will find
zones there like _tcp, _udp, _msdcs.

In a net without DNSSEC I can do really funny things with a little bit
of DNS spoofing. Funny or not depends on the point of view; the victim
surely will not be amused.

The open source community has now provided all the nuts and bolts. It is
now up to the software developers to implement all these gadgets to make
communication more secure and to regain control.

But: it will get tough for some guys. Properly setting up encryption on a
server is not a piece of cake. It is more than only copying a key and a
certificate file. If something is not working, debugging needs an
understanding of what is going on and how all the systems play together.

Andreas
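As an added illustration of the underscore-prefixed service queries and the DNSSEC-aware lookups the post describes (example code written for this archive page, not from the original mail or any ALUG project), the following decodes raw DNS queries of the kind ngrep shows on port 53: the QNAME, the query type, the TC bit that forces the TCP retry, and whether the client set the EDNS DO bit to ask for DNSSEC data. The packets are constructed inline with the same helper.

```python
"""Decode wire-format DNS queries (RFC 1035 / RFC 6891). Added example; sample packets are constructed."""
import struct

QTYPES = {1: "A", 28: "AAAA", 33: "SRV", 41: "OPT", 52: "TLSA"}

def build_query(qname, qtype, dnssec_ok=False, txid=0x1234):
    """Encode a minimal query (RD set); append an EDNS0 OPT record with the DO bit when asked."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode() for l in qname.rstrip(".").split("."))
    arcount = 1 if dnssec_ok else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
        pkt += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return pkt

def read_name(pkt, off):
    """Decode a name starting at off; returns (dotted name, offset just past the name)."""
    labels, end = [], None
    while True:
        n = pkt[off]; off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                 # compression pointer: rest of the name lives elsewhere
            if end is None:
                end = off + 1                # the name in this position ends after the 2-byte pointer
            off = ((n & 0x3F) << 8) | pkt[off]
            continue
        labels.append(pkt[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_query(pkt):
    """Return the fields a defender watching port 53 cares about for one query packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    dnssec_ok = False
    for _ in range(an + ns + ar):            # walk the remaining RRs looking for the OPT pseudo-RR
        _, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        if rtype == 41 and ttl & 0x8000:     # in OPT the TTL field holds ext-rcode/version/flags; DO is bit 15
            dnssec_ok = True
        off += rdlen
    return {"id": txid, "qname": qname, "qtype": QTYPES.get(qtype, str(qtype)),
            "truncated": bool(flags & 0x0200),                 # TC: reply overflowed UDP, retry over TCP
            "service_discovery": any(l.startswith("_") for l in qname.split(".")),
            "dnssec_ok": dnssec_ok}

# Constructed samples: an AD locator SRV query, a DANE TLSA query with DO set, a plain A query.
SAMPLE_QUERIES = [build_query("_ldap._tcp.dc._msdcs.corp.example.", 33),
                  build_query("_443._tcp.www.example.", 52, dnssec_ok=True),
                  build_query("www.example.", 1)]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(parse_query(q))
```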

