Your web development opinions

classic Classic list List threaded Threaded
27 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Your web development opinions

Tomas Vavrys
Hi,

what does OpenBSD community think about new trends in web development
HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do
you mind to turn it on sometimes? What browser do you use (lynx,
firefox, chromium, ...)?

I am learning Django at the moment and I would like to know more about
the nature of common OpenBSD user and how could I contribute to
project with my webdev skills.

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Kevin Chadwick-2
On Wed, 23 Feb 2011 11:04:58 +0100
Tomas Vavrys wrote:

> Hi,
>
> what does OpenBSD community think about new trends in web development
> HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do
> you mind to turn it on sometimes? What browser do you use (lynx,
> firefox, chromium, ...)?
>
I like html5 just because it allows videos that can be viewed
universally and hopefully one day to demote flash to easy to do basic
animation as was originally intended before the apple vs microsoft
format and patent wars and regain the oodles of power wasted by flash,
especially on Linux. Hopefully a video format that is as free as we can
get will stop this kind of video war with dire consequences in terms of
owned boxes via flash ads etc., happening again. I am concerned about
the data storage and other functions of html5 and privacy, though.

Javascript does annoy me a great deal especially when they say it's
required to click a link or download a pdf. I was shown a link the
other day saying install flash 8?!?! or greater to download this pdf
about a product. Have they not heard of w3c and audience maximisation.

Generally I leave javascript off, it even annoys me on google searches
 but I occasionally turn it on when it's not required to get
 functionality on sites I trust. I use noscript in firefox but also
 have a disable button. Chromium availability has just come back, I
 think on OpenBSD. I may use chromium and/or xxxterm at times or in
 the future.

Almost forgot all the exploits in browsers, related to javascript.

> I am learning Django at the moment and I would like to know more about
> the nature of common OpenBSD user and how could I contribute to
> project with my webdev skills.

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Marc Espie-2
In reply to this post by Tomas Vavrys
On Wed, Feb 23, 2011 at 11:04:58AM +0100, Tomas Vavrys wrote:
> Hi,
>
> what does OpenBSD community think about new trends in web development
> HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do
> you mind to turn it on sometimes? What browser do you use (lynx,
> firefox, chromium, ...)?

They're a fucking disaster security-wise.

In general, blocking javascript won't get you too far, because most of the
issues are not in the client, but rather in the use that's made of javascript.

In particular, login stuff, https, ajax, and cookies are a total mess, which
in general leads to xss and whatnot.

You have your choice of:
- leaking your user info from one site to the next.
- having several stupid apps hosted on the same server so that any hole in one
app spills to the next, thanks to httpd brainless security model.
- trying to do https and having to deal with corrupt certificate authorities
that don't guarantee too much in the end.

Just for starters...

Any recent attempt to mitigate that amounts to not having any control over
the risks, deploying loads of vm to try to partition stuff, and falling into
deep shit since it doesn't address the main problem, which is functional bugs
in gigantic framework.

Don't get me started on web services and xml, especially the part where all
xml parsers out there are DoS-able, at least, if not downright prone for
buffer overflows...

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Ana Zgombic
In reply to this post by Tomas Vavrys
On Wed, Feb 23, 2011 at 6:04 PM, Tomas Vavrys <[hidden email]> wrote:
> Hi,
>
> what does OpenBSD community think about new trends in web development
> HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do

lots of code. lots of untested code.

yes, i block javascript. my blood temp rises a bit when a site makes
it a requirement.

> you mind to turn it on sometimes? What browser do you use (lynx,
> firefox, chromium, ...)?

not much choice. firefox.

>
> I am learning Django at the moment and I would like to know more about
> the nature of common OpenBSD user and how could I contribute to
> project with my webdev skills.
>
>

the common openbsd user is male, closet romantic, mildly aggressive,
mildly masochistic, highly opinionated, loves to use the word 'fuck'
and definitely does the act more than linux users.

Ana

--
http://nybl.info

CPB
Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

CPB
In reply to this post by Marc Espie-2
> They're a fucking disaster security-wise.

+1

> In general, blocking javascript won't get you too far, because most of the
> issues are not in the client, but rather in the use that's made of javascript.

I basically block javascript to stop some adveritising and keep some sites from crashing firefox.
But many, many sites require javascript to even login (i.e. many bank websites!)

> - trying to do https and having to deal with corrupt certificate authorities
> that don't guarantee too much in the end.

CA's cannot be trusted to even pay attention to carefully securing your certificate.
Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)

I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content.
No one has complained.

Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end!

Chris Bennett

Reply | Threaded
Open this post in threaded view
|

OT: Risks of CAs (Re: Your web development opinions)

Olivier Mehani
Just some OT thoughts.

On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
> CA's cannot be trusted to even pay attention to carefully securing
> your certificate.  Here in the US, the government can simply ask for
> your certificate and get it ( and possibly even use it to impersonate
> you)

The government would have the certificate, but not the private key, so
I'm not sure how they can impersonate you with it.

However, they can just get their own key to *any* shoddy CA included in
browsers, and get a certificate linking that key to your services
without much problem.

The problem is not really whether there is a trust relationship between
your CA provider and you, it's whether at least *one* CA is laxist
enough that they give out certificates without thorough checking.

Even with your self-signed approach, somebody could get a CA to issue a
certificate that their key is good for your website, and impersonate it
to any of your new-coming customers who haven't been exposed to your
official key yet.

I may also be wrong in my analysis, but as far as my understanding goes,
it's correct.

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

[demime 1.01d removed an attachment of type application/pgp-signature]

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Hugo Osvaldo Barrera
In reply to this post by CPB
On 02/23/2011 10:35 AM, Chris Bennett wrote:

>> They're a fucking disaster security-wise.
>
> +1
>
>> In general, blocking javascript won't get you too far, because most of the
>> issues are not in the client, but rather in the use that's made of javascript.
>
> I basically block javascript to stop some adveritising and keep some sites from crashing firefox.
> But many, many sites require javascript to even login (i.e. many bank websites!)
>
>> - trying to do https and having to deal with corrupt certificate authorities
>> that don't guarantee too much in the end.
>
> CA's cannot be trusted to even pay attention to carefully securing your certificate.
> Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)
>
> I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content.
> No one has complained.
>
> Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end!
>
> Chris Bennett
>

Supposing that's the case, the government can just request a CA a
certificate for your domain, and do a man-in-the middle.  User's won't
get any prompt for invalid cert, and the same "vulnerability" you
described using still exists.

Additionally, you have to make users accept the cert manually the first
time (checking it, of course).  It may not be much of a fuss, but I
don't see you actually fixing any security holes.

--
Hugo Osvaldo Barrera

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Hugo Osvaldo Barrera
In reply to this post by Ana Zgombic
On 02/23/2011 08:59 AM, Ana Zgombic wrote:
>> > you mind to turn it on sometimes? What browser do you use (lynx,
>> > firefox, chromium, ...)?
> not much choice. firefox.
>

Regrettably, it is.

Firefox is now more about:

 * "users are too stupid to read"
 * "let's not have any buttons so user's don't click one they shouldn't"
 * "features confuse user, it's better to remove them/hide them".

The only plus side, is that standard-complaint browsers with market
share this way (a plus for web developers and standard-compliance).

I remember firefox sync used to have an encryption passphrase for
syncing data.  Now that's gone, and users are motivated to PRINT an
auto-generated one, because "they can't remember the one that they set",
and "printing it is the safest way to make sure they don't loose it".
Of course, if you CAN remember passphrases, you can't set your own any more.

This stuff is happening all the time with firefox, and I hope some
OpenBSD-like developers branch firefox some day.  "A browser for people
who can read" would be a great slogan.

--
Hugo Osvaldo Barrera

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Daniel Ouellet
On 2/23/11 5:34 PM, Hugo Osvaldo Barrera wrote:

> On 02/23/2011 08:59 AM, Ana Zgombic wrote:
>>>> you mind to turn it on sometimes? What browser do you use (lynx,
>>>> firefox, chromium, ...)?
>> not much choice. firefox.
>>
>
> Regrettably, it is.
>
> Firefox is now more about:
>
>   * "users are too stupid to read"
>   * "let's not have any buttons so user's don't click one they shouldn't"
>   * "features confuse user, it's better to remove them/hide them".
>
> The only plus side, is that standard-complaint browsers with market
> share this way (a plus for web developers and standard-compliance).
>
> I remember firefox sync used to have an encryption passphrase for
> syncing data.  Now that's gone, and users are motivated to PRINT an
> auto-generated one, because "they can't remember the one that they set",
> and "printing it is the safest way to make sure they don't loose it".
> Of course, if you CAN remember passphrases, you can't set your own any more.
>
> This stuff is happening all the time with firefox, and I hope some
> OpenBSD-like developers branch firefox some day.  "A browser for people
> who can read" would be a great slogan.

You can always try xxxterm from Marco for a more secure browser.

It really isn't bad at all! Very Fast, small and I would say more
trusted then firefox or other, but sure no question, definitely more
trusted then IE. (;>

Doesn't support flash, but that's not a lost, I HATE flash! YMMV.

I am not going to say it's full feature and fully compliant, I never
tested it, but as long as it does what you need, who cares! May be some
journalist trying to write an article, but then what....

Just a thought. My son use it and preach it! Yeap!!!

Haven't been able to compile it on mac yet, but when time allow may be
in 20 years or so! (:>

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Andres Perera-4
In reply to this post by Olivier Mehani
On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani <[hidden email]> wrote:

> Just some OT thoughts.
>
> On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
>> CA's cannot be trusted to even pay attention to carefully securing
>> your certificate. B Here in the US, the government can simply ask for
>> your certificate and get it ( and possibly even use it to impersonate
>> you)
>
> The government would have the certificate, but not the private key, so
> I'm not sure how they can impersonate you with it.

it's a little more detailed than that

they gov could say revoke his cert on the crl, and assign the next iteration
to
me with my arbitrary req generated with my arbitrary key

at that point it would not matter if they don't have *his* private key

if he controls the ca, then the gov/whoever is forced to do true mitm

the big problem with the first is that chances are that your ca company is
american/european (no bullet proof host), and they will give in like paypal
wrt
wikileaks

>
> However, they can just get their own key to *any* shoddy CA included in
> browsers, and get a certificate linking that key to your services
> without much problem.
>
> The problem is not really whether there is a trust relationship between
> your CA provider and you, it's whether at least *one* CA is laxist
> enough that they give out certificates without thorough checking.
>
> Even with your self-signed approach, somebody could get a CA to issue a
> certificate that their key is good for your website, and impersonate it
> to any of your new-coming customers who haven't been exposed to your
> official key yet.
>
> I may also be wrong in my analysis, but as far as my understanding goes,
> it's correct.
>
> --
> Olivier Mehani <[hidden email]>
> PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE B F5F9 F012 A6E2 98C6 6655
>
> [demime 1.01d removed an attachment of type application/pgp-signature]

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Andres Perera-4
In reply to this post by Hugo Osvaldo Barrera
On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera
<[hidden email]> wrote:
> On 02/23/2011 10:35 AM, Chris Bennett wrote:
>>> They're a fucking disaster security-wise.
>>
>> +1
>>
>>> In general, blocking javascript won't get you too far, because most of
the
>>> issues are not in the client, but rather in the use that's made of
javascript.
>>
>> I basically block javascript to stop some adveritising and keep some sites
from crashing firefox.
>> But many, many sites require javascript to even login (i.e. many bank
websites!)
>>
>>> - trying to do https and having to deal with corrupt certificate
authorities
>>> that don't guarantee too much in the end.
>>
>> CA's cannot be trusted to even pay attention to carefully securing your
certificate.
>> Here in the US, the government can simply ask for your certificate and get
it ( and possibly even use it to impersonate you)
>>
>> I sign my own certificates, post a copy of serial number and correct name
and IP address on my websites using them. I explain to every customer that I
do not trust external CA's and that I am only using https for encryption of
passwords and paid content.
>> No one has complained.
>>
>> Some have told me that I am risking a man-in-the-middle attack. Perhaps.
But I see little reason to trust the CA man-at-the-end!
>>
>> Chris Bennett
>>
>
> Supposing that's the case, the government can just request a CA a
> certificate for your domain, and do a man-in-the middle. B User's won't
> get any prompt for invalid cert, and the same "vulnerability" you
> described using still exists.
>

that's flawed because you're assuming his users are trusting equifax,
cacert.org, and the countless of others that get bundled in certs packages
for
unix, or worse, his users are ussing a browser that comes bundled with its
own
set of certs and ssl library (firefox).

when you download openssh, does it come with bundled with a known hosts file?

no, you go to the site and look at their public key. if they delegated their
public keys to a central authority they excert no control over, they don't
have
the power to shutdown their site when it becomes compromised to display bogus
public keys, or worse

simlarly, i dont feed the cert bundle to sendmail, but instead feed it a
*single* cert that i'm vary wary of if it changes

"ssl everywhere" is a stupid concept because of this. you should only ssl
select communications so that managing the certs is plausible

> Additionally, you have to make users accept the cert manually the first
> time (checking it, of course). B It may not be much of a fuss, but I
> don't see you actually fixing any security holes.
>
> --
> Hugo Osvaldo Barrera

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Hugo Osvaldo Barrera
On 23/02/11 20:56, Andres Perera wrote:

> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera
> <[hidden email]> wrote:
>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
>>>> They're a fucking disaster security-wise.
>>>
>>> +1
>>>
>>>> In general, blocking javascript won't get you too far, because most of the
>>>> issues are not in the client, but rather in the use that's made of javascript.
>>>
>>> I basically block javascript to stop some adveritising and keep some sites from crashing firefox.
>>> But many, many sites require javascript to even login (i.e. many bank websites!)
>>>
>>>> - trying to do https and having to deal with corrupt certificate authorities
>>>> that don't guarantee too much in the end.
>>>
>>> CA's cannot be trusted to even pay attention to carefully securing your certificate.
>>> Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)
>>>
>>> I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content.
>>> No one has complained.

A simple man-in-the middle of that site, and replacing it's content
would open the door for every site you refer to.
If it's an SSL website, you're in and endless loop without a CA or
trusted third party.

>>>
>>> Some have told me that I am risking a man-in-the-middle attack. Perhaps. But I see little reason to trust the CA man-at-the-end!
>>>
>>> Chris Bennett
>>>
>>
>> Supposing that's the case, the government can just request a CA a
>> certificate for your domain, and do a man-in-the middle.  User's won't
>> get any prompt for invalid cert, and the same "vulnerability" you
>> described using still exists.
>>
>
> that's flawed because you're assuming his users are trusting equifax,
> cacert.org, and the countless of others that get bundled in certs packages for
> unix, or worse, his users are ussing a browser that comes bundled with its own
> set of certs and ssl library (firefox).

That means you'd have to physically give the certificate to every user,
with no trusted authority, or trusted third party, you have no way of
establishing a secure (authenticated) communication, except physically
being with that person.

How do you then pay your taxes?  Check your bank account, etc?  I don't
like having to trust dozens of CA and it's definitely not the best
solution, but I don't see any alternative for this sort of thing.

>
> when you download openssh, does it come with bundled with a known hosts file?
>
> no, you go to the site and look at their public key. if they delegated their
> public keys to a central authority they excert no control over, they don't have
> the power to shutdown their site when it becomes compromised to display bogus
> public keys, or worse
>
> simlarly, i dont feed the cert bundle to sendmail, but instead feed it a
> *single* cert that i'm vary wary of if it changes
>
> "ssl everywhere" is a stupid concept because of this. you should only ssl
> select communications so that managing the certs is plausible
>
>> Additionally, you have to make users accept the cert manually the first
>> time (checking it, of course).  It may not be much of a fuss, but I
>> don't see you actually fixing any security holes.
>>
>> --
>> Hugo Osvaldo Barrera
>>
>>


--
Hugo Osvaldo Barrera

Reply | Threaded
Open this post in threaded view
|

Re: Your web development opinions

Andres Perera-4
On Wed, Feb 23, 2011 at 9:20 PM, Hugo Osvaldo Barrera
<[hidden email]> wrote:
> On 23/02/11 20:56, Andres Perera wrote:
>> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera
>> <[hidden email]> wrote:
>>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
>>>>> They're a fucking disaster security-wise.
>>>>
>>>> +1
>>>>
>>>>> In general, blocking javascript won't get you too far, because most of
the
>>>>> issues are not in the client, but rather in the use that's made of
javascript.
>>>>
>>>> I basically block javascript to stop some adveritising and keep some
sites from crashing firefox.
>>>> But many, many sites require javascript to even login (i.e. many bank
websites!)
>>>>
>>>>> - trying to do https and having to deal with corrupt certificate
authorities
>>>>> that don't guarantee too much in the end.
>>>>
>>>> CA's cannot be trusted to even pay attention to carefully securing your
certificate.
>>>> Here in the US, the government can simply ask for your certificate and
get it ( and possibly even use it to impersonate you)
>>>>
>>>> I sign my own certificates, post a copy of serial number and correct name
and IP address on my websites using them. I explain to every customer that I
do not trust external CA's and that I am only using https for encryption of
passwords and paid content.
>>>> No one has complained.
>
> A simple man-in-the middle of that site, and replacing it's content
> would open the door for every site you refer to.
> If it's an SSL website, you're in and endless loop without a CA or
> trusted third party.

i hope that you realize that the loop applies to the initial
distribution of the bundle aswell and that the difference after that is
one is centralized (bigger target) and the other one isn't

you're going to get their crl from them, right? like the millions of
other people that trust them should?

>
>>>>
>>>> Some have told me that I am risking a man-in-the-middle attack. Perhaps.
But I see little reason to trust the CA man-at-the-end!

>>>>
>>>> Chris Bennett
>>>>
>>>
>>> Supposing that's the case, the government can just request a CA a
>>> certificate for your domain, and do a man-in-the middle. B User's won't
>>> get any prompt for invalid cert, and the same "vulnerability" you
>>> described using still exists.
>>>
>>
>> that's flawed because you're assuming his users are trusting equifax,
>> cacert.org, and the countless of others that get bundled in certs packages
for
>> unix, or worse, his users are ussing a browser that comes bundled with its
own

>> set of certs and ssl library (firefox).
>
> That means you'd have to physically give the certificate to every user,
> with no trusted authority, or trusted third party, you have no way of
> establishing a secure (authenticated) communication, except physically
> being with that person.
>
> How do you then pay your taxes? B Check your bank account, etc? B I don't
> like having to trust dozens of CA and it's definitely not the best
> solution, but I don't see any alternative for this sort of thing.

my bank account and other items would never account for the plethora of
bundled certs, nor with the inability of a client to associate cacerts
with specific hosts. the latter is why your argument is flawed, and it
has nothing to do with self-singing

a cert pool should have varying degrees of trust and reach. if firefox
doesn't do this, the problem is firefox and not the server's cert
distribution model

>
>>
>> when you download openssh, does it come with bundled with a known hosts
file?
>>
>> no, you go to the site and look at their public key. if they delegated
their
>> public keys to a central authority they excert no control over, they don't
have
>> the power to shutdown their site when it becomes compromised to display
bogus

>> public keys, or worse
>>
>> simlarly, i dont feed the cert bundle to sendmail, but instead feed it a
>> *single* cert that i'm vary wary of if it changes
>>
>> "ssl everywhere" is a stupid concept because of this. you should only ssl
>> select communications so that managing the certs is plausible
>>
>>> Additionally, you have to make users accept the cert manually the first
>>> time (checking it, of course). B It may not be much of a fuss, but I
>>> don't see you actually fixing any security holes.
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>>>
>
>
> --
> Hugo Osvaldo Barrera

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Marc Espie-2
In reply to this post by Andres Perera-4
I think your guys are into elaborate schemes and totally forgetting low-level
tech/social engineering attack.

Remember that most people out there don't understand https, they will just see
that little lock and think "I'm secure"... yeah, sure, from 3rd party. But
it's so easy to set up a fake site, get some valid credentials from any CA
that accepts it for money, and lure people in. Between OpenID, facebook, and
heck, the fact that most people reuse the same password, you can harvest a lot
of valid accounts on a lot of sites. And then the real fun begins.

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Kevin Chadwick-2
On Thu, 24 Feb 2011 10:16:36 +0100
Marc Espie wrote:

> the fact that most people reuse the same password,

You hear about that now said to be non existent security firm that was
helping the fbi track down a support group of wkileaks called anonymous
and ended up with all their email on wikileaks because the security
firms bosses use the same pass on their email as found on their web
CMS.

"http://www.h-online.com/security/news/item/More-background-on-the-US-security-firm-break-in-1191797.html"

That made me chuckle.

Atleast thanks to wikileaks, the fbi have had it drummed into them that
data was insecure for crying out loud, they should stop pointing the
finger outbound and get their house in order. Also sometimes seeing
reactions to information without knowing why leads to horrible
assumptions and reactions instead of the response "well I don't agree
but I see why you did that." and "well that was obviously a corrupt
individual or group"


Sorry for changing the subject.

>>I don't like having to trust dozens of CA and it's definitely not the best
>>solution, but I don't see any alternative for this sort of thing.

DNScurve/DNSSEC have been suggested, but how secure is the DNS
infrastructure? I hate paying for ssl certs, just to get rid of the
warnings.

CPB
Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

CPB
In reply to this post by Marc Espie-2
I am going to point out another factor in my reasoning:
Basically, there is no reason to assume that my self-signed certificate is any less secure than paying someone who is in a browsers root certificates.

As a contractor in construction, one article I wrote for my potential customers is how to decide if you should do the work yourself `or hire someone else to do it.

In this case, if I hire someone as a CA, I have just spent money. That comes straight out of my wages. I have to now earn this money back or not eat, pay rent, etc.
If I self-sign, I now get to keep that money. In fact, I may now be able to spend additional time improving security on my websites and my programming. I could potentially end up improving users security by NOT having to earn back spent money.

It is not my fault if some users are stupid. I actually spent some time making security details available to my users. If they care, they are now educated, if not, what can you do?

Chris Bennett

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Hugo Osvaldo Barrera
On 02/24/2011 11:59 AM, Chris Bennett wrote:
> I am going to point out another factor in my reasoning:
> Basically, there is no reason to assume that my self-signed certificate is any less secure than paying someone who is in a browsers root certificates.
>
> As a contractor in construction, one article I wrote for my potential customers is how to decide if you should do the work yourself `or hire someone else to do it.
>
> In this case, if I hire someone as a CA, I have just spent money. That comes straight out of my wages. I have to now earn this money back or not eat, pay rent, etc.
> If I self-sign, I now get to keep that money. In fact, I may now be able to spend additional time improving security on my websites and my programming. I could potentially end up improving users security by NOT having to earn back spent money.

http://www.startssl.com/
Why pay if you can have one for free trusted by every major browser?
Sure, the "class 2" ones are pay-for, but the free one works as well as
a self-signed one (except for the "CA sells out like paypal" idea, which
I admit is possible, though, in the US, the government can just push any
CA to give them a valid cert anyway.


>
> It is not my fault if some users are stupid. I actually spent some time making security details available to my users. If they care, they are now educated, if not, what can you do?

Nothing, educating is the only solution, if they don't care, it's their
problem.

>
> Chris Bennett
>


--
Hugo Osvaldo Barrera

CPB
Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

CPB
> http://www.startssl.com/
> Why pay if you can have one for free trusted by every major browser?
> Sure, the "class 2" ones are pay-for, but the free one works as well as
> a self-signed one (except for the "CA sells out like paypal" idea, which
> I admit is possible, though, in the US, the government can just push any
> CA to give them a valid cert anyway.
> --
> Hugo Osvaldo Barrera
>

That's a seemingly good idea except that they don't return any attempt to get a certificate.
So I gave up on them a long time ago.

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Alexander Hall-3
On 02/24/11 17:50, Chris Bennett wrote:

>> http://www.startssl.com/
>> Why pay if you can have one for free trusted by every major browser?
>> Sure, the "class 2" ones are pay-for, but the free one works as well as
>> a self-signed one (except for the "CA sells out like paypal" idea, which
>> I admit is possible, though, in the US, the government can just push any
>> CA to give them a valid cert anyway.
>> --
>> Hugo Osvaldo Barrera
>>
>
> That's a seemingly good idea except that they don't return any attempt to get a certificate.
> So I gave up on them a long time ago.

The free certs or the government? :-)

Reply | Threaded
Open this post in threaded view
|

Re: OT: Risks of CAs (Re: Your web development opinions)

Hugo Osvaldo Barrera
In reply to this post by CPB
On 02/24/2011 01:50 PM, Chris Bennett wrote:

>> http://www.startssl.com/
>> Why pay if you can have one for free trusted by every major browser?
>> Sure, the "class 2" ones are pay-for, but the free one works as well as
>> a self-signed one (except for the "CA sells out like paypal" idea, which
>> I admit is possible, though, in the US, the government can just push any
>> CA to give them a valid cert anyway.
>> --
>> Hugo Osvaldo Barrera
>>
>
> That's a seemingly good idea except that they don't return any attempt to get a certificate.
> So I gave up on them a long time ago.
>

I use their web interface to generate them.  It gets stuck sometime, buy
usually works. (Yeah, it's definitely not the best).

--
Hugo Osvaldo Barrera

12