Impersonating secure web servers
BREACH OF TRUST
Find out why you can’t trust your web browser or certificate authorities.
If you’re reading this magazine, a large portion of your life is likely handled through a web browser. Online banking, shopping, bill payment, social networks, news – you name it and chances are you can do it with a web browser. To do these things safely (especially the things like banking), you need to trust your web browser. However, your web browser can’t magically verify that yourbank.com is actually your bank, which is why SSL was invented.
Good news - Verisign removes dangerous addressesFrom Verisign (Bug 556468):
Hi, I did want to provide an update from our side and say that VeriSign will be
removing the following generic approver email options for GeoTrust and RapidSSL
as of tonight or tomorrow night:
- ssladmin, sysadmin, and info
We did have these planned for removal in our upcoming release, but have
acceralated that to tonight or tomorrow night. We will post an update once
these are removed.
Our hope is that Mozilla will work with the other CAs who use these options for
domain validated certs to have them remove these asap as well.
However this means that "domain verification" still consists of checking one email address and nothing else, but at least the easily obtained email addresses have been removed. If anyone knows of other CA's still using addresses such as ssladmin@ please contact me at firstname.lastname@example.org.
Turktrust and governmentTurktrust lives and operates in Turkey. Thus the Turkish government can order/force/etc. certificates to be issued (for example to intercept communications between say a PKK website and its members). Or for anything really. If a company like Turktrust was restricted to issuing certificates for Turkish entities with domains names only ending in .tr (not .tk as I originally said, my bad) then I would have very little trust issues with them, but since those types of restrictions are not currently supported a root CA can do anything they please. Thus certificate authorities in countries with governments that are less open and subject to fewer checks and balances are potentially very dangerous to users of Firefox worldwide.
TurkTrustTurkTrust is a private company which is entitled to issue sertificates according to their web site. I don't have a clue about how good they do their job. But I don't see the connections you are making between TurkTrust, Turkish government or .tr/.tk whatever domain. AFAIK being CA and giving out domain names ending with .tr or any other country code are different matters.
tk/tr - my badApologies, that was a typo, I was specifically talking about the Turktrust certificate (first one listed in the certificate store if you look), I should have double checked the TLD I typed but my brain told me .tk so I typed .tk, mea culpa.
An industry problem with DV certsThis is the problem with DV (Domain Validated) certs. You don't know who you are dealing with. (How can you trust what you can't really see? ) DV certs need to die a horrible death. There is only a few places where a DV cert is worthwhile. That is on your website's control panel (or anywhere that isn't intended for other users than yourself or a few "employees".) or your company's webmail (for employees, not customers). Because if you can't trust your own company to exist or be who they say you are, who can you trust?
The place to get these DV certs out of the industry is the CA/Browser forum(cabforum.org). It's because of Companies like Verisign (Owners of RapidSSL) and GoDaddy that DV certs are popular because they are so "inexpensive". Other CAs are FORCED into offering them and unfortunately it is a dog eat dog world out there.
There is one minor browser vendor (Comodo, which is also a CA) trying to do some good to get these certs out of the way by displaying a little warning about any DV cert it comes across. There may be a few false positives with it, but over all it works pretty well in my uses. Sites that I didn't think would use DV certs DO! (Twitter and Facebook come to mind and that's pretty sad). Here's a link to the writeup that Netcraft recently wrote up on said browser (Comodo Dragon).
If we all voice our thoughts, we can get these pathetic excuses for a cert OUT of the marketplace!
.tktk -> Tokelau
How much time does it take to check what .tk stands for?
Domain .tk.tk is not Turkey. .tr is.
Richard Stallman calls for the W3C to remain independent of vendor interests.
The new release supports nine architectures, 73 human languages, and zero non-Free components.
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.
The new Gnome release includes privacy and sharing settings, allowing more user control over access to personal information.
Mozilla is collaborating with Samsung on a new web browser engine called Servo.