ADMIN - Explore the new world of system administration! ADMIN is a smart, technical magazine for IT pros on heterogeneous networks. Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:
network security
system management
troubleshooting
performance tuning
virtualization
cloud computing
on Windows, Linux, Solaris, and popular varieties of Unix.
Find out why you can’t trust your web browser or certificate authorities.
If you’re reading this magazine, a large portion of your life is likely handled through a web browser. Online banking, shopping, bill payment, social networks, news – you name it and chances are you can do it with a web browser. To do these things safely (especially the things like banking), you need to trust your web browser. However, your web browser can’t magically verify that yourbank.com is actually your bank, which is why SSL was invented.
From Verisign (Bug 556468):
=======================
Hi, I did want to provide an update from our side and say that VeriSign will be
removing the following generic approver email options for GeoTrust and RapidSSL
as of tonight or tomorrow night:
- ssladmin, sysadmin, and info
We did have these planned for removal in our upcoming release, but have
acceralated that to tonight or tomorrow night. We will post an update once
these are removed.
Our hope is that Mozilla will work with the other CAs who use these options for
domain validated certs to have them remove these asap as well.
=======================
However this means that "domain verification" still consists of checking one email address and nothing else, but at least the easily obtained email addresses have been removed. If anyone knows of other CA's still using addresses such as ssladmin@ please contact me at kurt@seifried.org.
Turktrust and government
Kurt Seifried
Apr 19, 2010 8:43pm GMT
Turktrust lives and operates in Turkey. Thus the Turkish government can order/force/etc. certificates to be issued (for example to intercept communications between say a PKK website and its members). Or for anything really. If a company like Turktrust was restricted to issuing certificates for Turkish entities with domains names only ending in .tr (not .tk as I originally said, my bad) then I would have very little trust issues with them, but since those types of restrictions are not currently supported a root CA can do anything they please. Thus certificate authorities in countries with governments that are less open and subject to fewer checks and balances are potentially very dangerous to users of Firefox worldwide.
TurkTrust
Kayra Akman
Apr 19, 2010 8:05am GMT
TurkTrust is a private company which is entitled to issue sertificates according to their web site. I don't have a clue about how good they do their job. But I don't see the connections you are making between TurkTrust, Turkish government or .tr/.tk whatever domain. AFAIK being CA and giving out domain names ending with .tr or any other country code are different matters.
tk/tr - my bad
Kurt Seifried
Apr 18, 2010 8:38pm GMT
Apologies, that was a typo, I was specifically talking about the Turktrust certificate (first one listed in the certificate store if you look), I should have double checked the TLD I typed but my brain told me .tk so I typed .tk, mea culpa.
An industry problem with DV certs
SilkySmooth
Apr 18, 2010 3:38pm GMT
This is the problem with DV (Domain Validated) certs. You don't know who you are dealing with. (How can you trust what you can't really see? ) DV certs need to die a horrible death. There is only a few places where a DV cert is worthwhile. That is on your website's control panel (or anywhere that isn't intended for other users than yourself or a few "employees".) or your company's webmail (for employees, not customers). Because if you can't trust your own company to exist or be who they say you are, who can you trust?
The place to get these DV certs out of the industry is the CA/Browser forum(cabforum.org). It's because of Companies like Verisign (Owners of RapidSSL) and GoDaddy that DV certs are popular because they are so "inexpensive". Other CAs are FORCED into offering them and unfortunately it is a dog eat dog world out there.
There is one minor browser vendor (Comodo, which is also a CA) trying to do some good to get these certs out of the way by displaying a little warning about any DV cert it comes across. There may be a few false positives with it, but over all it works pretty well in my uses. Sites that I didn't think would use DV certs DO! (Twitter and Facebook come to mind and that's pretty sad). Here's a link to the writeup that Netcraft recently wrote up on said browser (Comodo Dragon).
Get 3 Issues + 3 DVDs for the price of a single issue!
Let Linux Magazine's hands-on, technical articles guide you in your daily Linux use. Check out bonus DVDs like Ubuntu, SUSE, or Fedora and save the download.
Only available for a limited time. Don't miss out!
Comments
Good news - Verisign removes dangerous addresses
Kurt Seifried Apr 19, 2010 9:03pm GMT
From Verisign (Bug 556468):=======================
Hi, I did want to provide an update from our side and say that VeriSign will be
removing the following generic approver email options for GeoTrust and RapidSSL
as of tonight or tomorrow night:
- ssladmin, sysadmin, and info
We did have these planned for removal in our upcoming release, but have
acceralated that to tonight or tomorrow night. We will post an update once
these are removed.
Our hope is that Mozilla will work with the other CAs who use these options for
domain validated certs to have them remove these asap as well.
=======================
However this means that "domain verification" still consists of checking one email address and nothing else, but at least the easily obtained email addresses have been removed. If anyone knows of other CA's still using addresses such as ssladmin@ please contact me at kurt@seifried.org.
Turktrust and government
Kurt Seifried Apr 19, 2010 8:43pm GMT
Turktrust lives and operates in Turkey. Thus the Turkish government can order/force/etc. certificates to be issued (for example to intercept communications between say a PKK website and its members). Or for anything really. If a company like Turktrust was restricted to issuing certificates for Turkish entities with domains names only ending in .tr (not .tk as I originally said, my bad) then I would have very little trust issues with them, but since those types of restrictions are not currently supported a root CA can do anything they please. Thus certificate authorities in countries with governments that are less open and subject to fewer checks and balances are potentially very dangerous to users of Firefox worldwide.TurkTrust
Kayra Akman Apr 19, 2010 8:05am GMT
TurkTrust is a private company which is entitled to issue sertificates according to their web site. I don't have a clue about how good they do their job. But I don't see the connections you are making between TurkTrust, Turkish government or .tr/.tk whatever domain. AFAIK being CA and giving out domain names ending with .tr or any other country code are different matters.tk/tr - my bad
Kurt Seifried Apr 18, 2010 8:38pm GMT
Apologies, that was a typo, I was specifically talking about the Turktrust certificate (first one listed in the certificate store if you look), I should have double checked the TLD I typed but my brain told me .tk so I typed .tk, mea culpa.An industry problem with DV certs
SilkySmooth Apr 18, 2010 3:38pm GMT
This is the problem with DV (Domain Validated) certs. You don't know who you are dealing with. (How can you trust what you can't really see? ) DV certs need to die a horrible death. There is only a few places where a DV cert is worthwhile. That is on your website's control panel (or anywhere that isn't intended for other users than yourself or a few "employees".) or your company's webmail (for employees, not customers). Because if you can't trust your own company to exist or be who they say you are, who can you trust?The place to get these DV certs out of the industry is the CA/Browser forum(cabforum.org). It's because of Companies like Verisign (Owners of RapidSSL) and GoDaddy that DV certs are popular because they are so "inexpensive". Other CAs are FORCED into offering them and unfortunately it is a dog eat dog world out there.
There is one minor browser vendor (Comodo, which is also a CA) trying to do some good to get these certs out of the way by displaying a little warning about any DV cert it comes across. There may be a few false positives with it, but over all it works pretty well in my uses. Sites that I didn't think would use DV certs DO! (Twitter and Facebook come to mind and that's pretty sad). Here's a link to the writeup that Netcraft recently wrote up on said browser (Comodo Dragon).
http://news.netcraft.com/ar...f_ssl_sites_may_be_unsafe.html
If we all voice our thoughts, we can get these pathetic excuses for a cert OUT of the marketplace!
.tk
Kayra Akman Apr 18, 2010 12:41pm GMT
tk -> TokelauHow much time does it take to check what .tk stands for?
Domain .tk
Kayra Akman Apr 18, 2010 12:35pm GMT
.tk is not Turkey. .tr is.