On 01/08/12 05:01, Rumoseh, Loros wrote:
> Good morning Everybody.
> 
> Q1: Correct me if I'm wrong, but AFAIK the OpenBSD team is not trusting the
> CA/HTTPS model on the security side. That's why www.openbsd.org isn't
> available over HTTPS [?].

Dude, it's an OPEN SOURCE project.  We got no secrets.  IF someone were
to manage to hijack www.openbsd.org, and advise you add users by doing
"rm -rf" and you follow it without thinking...well, call it a learning
experience, which has little to do with domain hijacking.

(though based on the number of people who choose to follow crappy stuff
they find on the 'net, it appears to be a lesson in need of more learning.)

> ---off---
> Q2: Then why is:
> https://lists.openbsd.org/cgi-bin/mj_wwwusr?user=&passw=&func=lists-long-full&extra=misc
> using an invalid certificate? :O
> ---on---

why not?

> -------------------------------------------------
> 
> The main questions/RFC's:
> I recently heard about Convergence; the website that features a Firefox
> plugin (client code) and a notary (server code) is here:
> http://convergence.io/
...

> Q3: So what does the OpenBSD team think about this great [?] idea? Is it a
> viable solution? Is this the future or just a dead end?

Speaking purely for myself, allow me to sum up my (and maybe ONLY my)
feelings as: "yawn".  You can quote me on that.

Encryption of security-related data in transit is important.
(Encryption of non-security-related data in transit is irrelevant.)

HOWEVER, when you consider the vast majority of end users can't
understand the difference between an authenticated website and a .gif
file of a lock and the text "This is a secure website", we got bigger
problems.

When many web developers' answer to "how is your website secure?" starts
(and usually ends) with "it's encrypted", we got bigger problems (to
that response, I usually reply, "Stop there, save your breath. I've
just lost all confidence in your operations").

When many people don't understand why they shouldn't enter their webmail
and bank ID and password into a form located at
"https://FreeWebFormsAre.us", and that no, Microsoft does not run
"Internet lotteries", we got bigger problems.

When many people working in medical, banking, insurance and other fields
don't understand why they shouldn't hand their work laptop over to their
kid to keep them quiet and "out of trouble", we got bigger problems.

Practically speaking, the amount of data stolen by MITM, data sniffing
and domain hijacking is relatively small compared to that stolen by
utterly stupid design errors, administration errors and user errors.

From what I've seen, the number of companies who really take their
customers' data security seriously is very small.  Small companies, who
usually understand the importance of customer trust, usually have to
contract out to people who may or may not give a shit.  Big companies
are made up of lots of low-ranking people who may understand, but are
being directed by managers who don't ("oh, security is important, of
course, but it must be kept in perspective with other things...like
profits, competitors who also don't care, and the CEO insists on a
wireless connection for his laptop, iPad and phone, and do YOU want to
tell him he's wrong?")...and all hope to be somewhere else before the
shit hits the fan.  Pity the poor person who asks me if it is safe to
"buy on-line"...they usually get an earful (basic gist: it may be safer to
buy on-line than locally, as it is possible that some on-line
businesses understand the importance of security better than many big
brick-and-mortar businesses).

If I had the choice between a bank that followed OpenBSD style security
EXCEPT all Internet banking was done over plain text vs. what I can
guess is probably going on inside virtually all banks with a nice secure
SSL certificate (or its replacement!), I'll take my chance with the
plain text.

So yes, an attempt to fix up the broken SSL system...poking at the very
minor edges of a very massive problem. "yawn".

Of course, user education, developer training, management
responsibility, etc. isn't cool and doesn't get media attention,
advanced degrees, etc.  I would SO love to get to a point where the
flaws in the certificate system were really important to security.  What
a beautiful day that would be.

Nick.
