> Mr Dog posted: the problem with ssl is it tries to be all things to all people and generally has way too many knobs on it (much like your mother etc etc)

That's the whole point though: SSL should be so piss-easy that you don't have to think about it at all. If everyone important got on the same page about this we could have the following worked out in like 2 weeks:

1) Apache/nginx/IIS all create self-signed certificates on the fly whenever a cleartext communication would take place.
2) Web browsers accept self-signed certificates without making GBS threads themselves about how insecure everything is.

It kills me that you get no warning from a modern browser for submitting data in cleartext, but you get sirens and poo poo if you try to use a self-signed certificate.

# May 19, 2025 12:34

> Cocoa Crispies posted: you still need some semblance of this, like if you are at starbucks and convince somebody that you have a self-signed cert for citibank

We currently don't have warnings about cleartext connections, so why do we need them for self-signed connections?
> pseudorandom name posted: That's because transmitting data with no security is a valid use case but there's never a reason to use a self-signed certificate because they're vulnerable to MITM.

Cleartext is objectively worse than self-signed. You can man-in-the-middle even more easily with cleartext. There is no reason to ever use cleartext.
> pram posted: because one of them is shown as implicitly 'secure' to the user

No, the presentation to the user is: self-signed <<<<<<<<< cleartext < signed, which is obviously wrong because it's really: cleartext < self-signed < signed.
> pseudorandom name posted: Cleartext is known a priori to be insecure, self-signed is just as insecure but gives a completely false sense of security.

No it isn't; you're making a strawman argument about some fictional "public at large" character that doesn't exist. You're assuming that there is no way imaginable that a browser could delineate between different levels of security for the end user. Your argument is clearly wrong because you're simultaneously assuming that the public at large knows that cleartext is insecure, which I strongly believe is false.
> pram posted: they know. because secure sites have a green lockpad

Right. The browser is designed to seamlessly communicate to the end user how secure the connection is. That is how it should be. Now go use Chrome or FF or whatever and visit these 3 types of sites:

1) cleartext
2) self-signed
3) signed

And you will be able to observe that the browser communicates to you that self-signed is less secure than cleartext, which it isn't. If we could get rid of this problem of communicating to users we could configure web servers very easily to encrypt all internet traffic automatically. It would be a trivial detail compared to getting browsers to play along. Imagine this: red bar crossed out for cleartext, yellow bar with an open padlock for self-signed, green bar with a locked padlock for signed. Now we upgrade our servers and all our pages go from red to yellow.
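
The three-tier ordering the post keeps coming back to (cleartext < self-signed < signed) can be made concrete as a classifier. This Go example is added here and is not code from the thread or from any browser: it builds a throwaway CA, a CA-signed leaf and a self-signed leaf in memory (constructed test data, nothing from a real site) and assigns a connection a tier using only the standard library's crypto/x509; the names Tier, NewCert, IsSelfSigned and Classify are mine.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Tier orders connections the way the post argues a browser should:
// cleartext < self-signed (encrypted, unauthenticated) < CA-signed.
type Tier int
const (Cleartext Tier = iota; SelfSigned; Signed)
// NewCert builds a certificate in memory for the demo (constructed data, not a
// real site's cert). With parent == nil the certificate signs itself.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // a CA must be allowed to sign other certs
	signer, signerKey := tmpl, key                    // self-signed unless a parent CA is supplied
	if parent != nil { signer, signerKey = parent, parentKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// IsSelfSigned: issuer == subject and the signature verifies under the cert's
// own public key, i.e. nobody but the server itself vouched for it.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}
// Classify maps a connection to a tier; roots is the client's trust store.
func Classify(encrypted bool, leaf *x509.Certificate, host string, roots *x509.CertPool) Tier {
	if !encrypted { return Cleartext }
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err == nil {
		return Signed // chains to a trusted root for this host: authenticated and encrypted
	}
	return SelfSigned // encrypted only: defeats passive sniffing, not an active MITM
}
```

A CA-signed certificate presented for a different host (the Starbucks-and-Citibank case quoted earlier) also lands in the middle tier, because it authenticates nobody even though the connection is encrypted.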
> pram posted: self signed certs are not secure

They're more secure than cleartext. The only metric you could possibly use for declaring them 'not secure' is if your goal is perfect security, which flatly does not exist.

> Sniep posted: dude what the gently caress.

It does need to be more secure, as it would raise the cost of bulk data collection to the point of making it impossible. It's 2014; there is no reason to use cleartext for any service.

Salt Fish fucked around with this message at 02:18 on Nov 19, 2014
> Captain Foo posted: salt fish u dumb

Bruce Schneier and Poul-Henning Kamp are on my side and the NSA is on yours, so I think perhaps I am right.
> pram posted: nice appeal to authority fuCker

An appeal to authority is only a fallacy when the person isn't actually an authority. https://www.youtube.com/watch?v=fwcl17Q0bpk&t=897s
> bobbilljim posted: those self signed certs make it impossible for the NSA to get your data

The point is that *nothing* makes it impossible for the NSA to get your data. You can only increase the cost of getting your data.
> pram posted: christ no one is talking about ssl to secure themselves from the nsa

The NSA's stated goal (publicly stated) is to collect all internet communications. One of their publicly stated methods of doing this is by undermining encryption and encouraging the use of cleartext. SSL directly undermines their ability to do this.
> Sniep posted: PROS: Might make the NSA's job harder by 20% to get your data if they are interested in it

That isn't how the NSA collection programs work. They don't have to target you or "want it"; they automatically collect it by virtue of it being cleartext. They keep a list of every site you visit in cleartext, for example. These lists are kept for multiple months, and if you are on a list, for example by googling for Tor or Tails, then they keep it forever. Also, your grandma is going to fall victim to cleartext phishing if anything. Every phishing site I've basically ever seen (and I used to admin reseller servers, so that is in the hundreds) has used cleartext. Probably 99% of phishing sites use cleartext.
> pram posted: none of this makes self signed certs good

If I connect to web servers via self-signed certs, the NSA cannot automatically record which domains I visited without doing a MITM attack, which to my knowledge they are unable to automate. How is that moving the goalposts? I'm still harping on cleartext < self-signed < signed.
> Sniep posted: right and that's because currently there's no way they can cheat out a "secure site"

There isn't a badge. You're inventing a badge. It's a strawman UI design that I'm not going to defend. Interestingly enough, your strawman indicates that you understand that browser UI can communicate security to people. Right now they're communicating that cleartext is fine, and that isn't okay.
So the entire argument against is literally "we would never be able to train the users!". It's handwaving away a technical solution because the UX is too hard. "Gosh, I just don't know how we'd make the UI, so let's just use cleartext" is actually what I'd expect from a group of OSX users and lazy programmers (i.e. yospos).
> pram posted: self signed certs are not secure

Okay, so if I post a message encrypted with my self-signed cert, you can decrypt it? Nothing is secure; there are just varying costs of breaking in. This is true for all security systems everywhere, forever.
> pram posted: the person who made the cert can

Can you?
> pram posted: no theyre good because some youtube guy said they stymie the NSA

"Some youtube guy", okay, you're really showing off your credentials with that one.
Keep loving cleartext, guys. I just donated 250 dollars to the EFF so I could get one of their sweet hoodies (choose between 2XL and 3XL lol), so gently caress y'all and gently caress the NSA. Bring back LF. I'm out.
> Notorious b.s.d. posted: unix desktops, then and now, are plagued by the fact that most of the users mostly want to arrange a bunch of terminal windows. if the graphical ui is half-baked no one really cares, as long as the core task of organizing xterms works out

This is true, but only if you add in a browser window with the terminals.
> ahmeni posted: I swapped my Linux drive into an old laptop to make a headless steambox and loving lol at the new xorg failure startup screen

Why is the YouTube logo frowning at me?
> ahmeni posted: it only does it when i has focus in osx so nope

Wow, thanks Steve, xeyes works great on Fedora 22.
I didn't read any of this thread, but I want to say that SUSE sucks poo poo and anyone who uses this trash is a loving idiot. Good lord. I can tell their business model is 1) charge for support, 2) make it unusable and ensure every feature of the OS is worse than their upstream so that you have to cut as many tickets as possible.
Time to name our network management daemon. How about WICKEDD with two Ds? HELL YEAH. Time to RIP THE CURL and watch my networking fail to come up 30% of the time for literally no reason. Wicked!!!