SSL Still Mostly Misunderstood, Even By the Pros
An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"
Moderators, are you all friggin' retards? (Score:4, Insightful)
Who proofreads these article submissions, anyway? Does anyone?
Re: (Score:2)
Used to be able to tag a story with typo to let the editors know what's going on. Glad to see I'm not the only one jarred by the second their in the summary.
Re:Moderators, are you all friggin' retards? (Score:5, Funny)
I just consider this sort of typo a cheap and lazy form of story encryption...
Re: (Score:3, Funny)
Re:Moderators, are you all friggin' retards? (Score:5, Funny)
I just consider this sort of typo a cheap and lazy form of story encryption...
I just except the typos for what they are
You're doing it wrong (Score:5, Informative)
If you want to write a pretentious article about how people don't understand security of the interwebs, at least get the name right [wikipedia.org]. That's right, SSL hasn't been considered "secure" for at least a decade.
Re:You're doing it wrong (Score:5, Insightful)
The article isn't even just pretentious, it's just pointless fluff. The entire thing could have been summarized as "many customers ignore security warnings in browsers and many web developers deploy SSL/TLS in vaguely unacceptable ways which we won't even begin to explain here".
Really, that article couldn't have been more pointless. WHAT are people doing that they shouldn't be? WHAT are people expecting SSL to do that it doesn't? If you're going to write an article about people's misconceptions of a technology, you could at least spend a single sentence explaining what some of those misconceptions are.
Pointless and uninformative article is pointless and uninformative.
Re: (Score:3, Insightful)
> "Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords."
I found this one of the silliest parts of the story. First, to what type of sites does that 41% figure apply? Are they the same sites where people are entering credit card information? There are a number of sites where I enter passwords without SSL encryption, this site for one. Those are si
Re: (Score:2)
That it's pointless and doesn't work?
If your employees every day click on "Ignore self-signed cert" button, then they'll click on it the time when
Re: (Score:3, Insightful)
Then another time for the website, and another one for the IM server, another time for the VPN, and a couple times more when servers get replaced...
Setting up a CA is a long term solution that only needs to be done once. You can then generate a new cert that will be recognized as valid by somebody in another country.
Yes it does.
If you're lucky:
You go to h [example.com.]
Re:You're doing it wrong (Score:5, Informative)
If you want to write a pretentious response to a pretentious article, try reading the source you're linking to. SSL v2 hasn't been secure for a while, but SSL v3 is fine.
Re:You're doing it wrong (Score:5, Insightful)
No, I'm afraid it's not. It's still vulnerable to "Do you accept this made-up key" attacks where people have become far too accustomed to accepting unsigned keys, and to the purchase of centrally signed keys. Because the key signatures belong to central signing authorities that rely on valid credit cards, not personal authentication, there is still only a pretense at genuine security.
There have been other tools proposed to address these issues, such as the PGP web-of-trust, and the Palladium project's hardware encryption, but they've broken down in practice on the problem of US encryption export regulations, poor closed source implementation that turns out to be easily virtualized, and many essentially social rather than technological issues. Even SSL was handicapped for years by the USA's insane 80-bit limit for SSL in exported software.
Re:You're doing it wrong (Score:4, Informative)
> Even SSL was handicapped for years by the USA's insane 80-bit limit for SSL
> in exported software.
It was 40-bits. Agree with your point...just sayin'.
Re:You're doing it wrong (Score:5, Insightful)
>No, I'm afraid it's not. It's still vulnerable to "Do you accept this made-up key" attacks where people have become far too accustomed to accepting unsigned keys, and to the purchase of centrally signed keys
Um, that's a social engineering attack, not a fault of the protocol itself. The protocol is secure, users aren't. To be fair, the browser manufacturers could do a better job of writing the warnings so that anyone could understand them. Again, this is not a fault of the protocol, rather how people use it.
And adding a layer of PGP to it, would have the _exact_ same issue. Instead of "Do you accept this SSL key" It would be "Do you accept this PGP key". In addition, adding PGP would introduce a whole new slew of security bugs related to added complexity of PGP support in browsers, along with all the bugs guaranteed to be introduced with the additional new code.
No thanks =D.
Re: (Score:2)
It's a social engineering attack, yes. It's one that is built into the current implementation of SSL: the central key authority has been over-trusted, and signed keys are far too easy to obtain.
And I'm sorry that I was confusing. It's not PGP that I was referring to as useful, but rather PGP's 'web-of-trust', where people whom you know personally sign keys for others whom they know personally, and you can trace that web to see who knows the final target's key owner. From my observation of the behavior of Ve
You didn't get it right either... try "HTTPS" (Score:5, Informative)
The correct term is "HTTPS". HTTPS, which can use various versions of SSL or TLS, is still mostly understood. Even by the pros.
Re: (Score:2)
I fall in the line of not having a clue what TLS is, or what it means.
Although I rarely wander out of the same usual sites these days.
Don't worry about it Grandpa (following story's ageist agenda)
TLS vs SSL (Score:2)
TLS 1.0 is based on SSL v3. TLS 1.0 is also called SSL 3.1 sometimes.
There isn't really a huge difference between TLS & SSL 3.0.
Re: (Score:2, Insightful)
I think the idea of a public revocation database has merit. How would I make sure that my connection to the database has not been tainted? How could this database as a business entity be designed in a way that's less vulnerable to social engineering attacks than the current system?
Re: (Score:2)
However, I don't think it can stop at a "revocation database". The database should list ALL the valid
SSL is dead for 10 years (Score:2, Insightful)
SSL is no more for 10 years.
You have to copy TLS 1000 times on the blackboard:
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://tools.ietf.org/html/rfc2246
SSL has 7 times as many hits as TLS (Score:5, Funny)
SSL is trying to do too much. (Score:5, Insightful)
Forcing people to implement both privacy and authentication in one package is half the problem with SSL. For most sites, it's more important to know that the site you're visiting is the same site you visited last time, than knowing that foo.example.com has a signed certificate approved by someone you never heard of. If these two functionalities were separated, so the browser just checked that a "non-certified" site's encryption key hadn't changed and let you through without comment if that was the case, then most sites using old or self-signed certificates would just use the encryption layer, and browsers COULD block access to sites with invalid certificates without causing people so much inconvenience they'd want to switch to a different browser that was less picky.
(yes, I know that this would probably be implemented using self-signed certificates, but it could be presented to the user as a "low security" site with an appropriate icon and at most a comment that "you haven't visited XXXX.example.com before, it is a low security site..." the first time you see it)
Re: (Score:2)
Self-signed certificates can be regenerated automatically, or simply set to have a renewal date after the world ends in 2038.
Re: (Score:3, Insightful)
So you are saying you shouldn't change the public/private key for 20-something years?
If all you're securing is a session to a web forum where there are no assets at risk, sure.
It's more security than not using TLS at all.
Re:SSL is trying to do too much. (Score:4, Funny)
Everyone knows the world will end in 2012.
Oh come on, nobody's using that old stone circle computer technology any more. Half of the Machu Picchu site is missing, they've lost the Nazca Plain key server, Avebury is completely trashed (half the stones there are uncalibrated replacements), and Stonehenge was originally just a backup ring in case the Avon flooded: I bet you couldn't get a millithaum per second out of it even on the equinox AND with a FULL team of chanters on hand.
Bug 215243 (Score:5, Informative)
By the way I use cacert to generate my certificates; it should be included in the default Firefox certification authorities list. I suspect there is money involved in getting into that list though.
CAcert failed a DRC audit. Bug 215243 comment 158 [mozilla.org] has the details.
Re: (Score:2)
Totally agree with this. If I don't want to spend money paying a certification authority I should be able to encrypt anyway without the browser warning the user in big red letters that I am a pirate.
Except, if you don't verify the identity of the recipient, encrypting data is as much use as putting a steel door on a tent. Maybe that's why encryption and authentication are joined at the hip?
The behaviour of Firefox is absolutely correct: it strongly discourages people who don't know any better from connecting to unverified sites, but does not prevent it.
If you want to run an encrypted site without shelling out for a certificate, then fine - but it's up to you to reassure visitors that you're not evil.
Re: (Score:2)
If you want to run an encrypted site without shelling out for a certificate, then fine - but it's up to you to reassure visitors that you're not evil.
There's nothing stopping an evil company from getting a certificate. Consider Microsoft as an example. Or Verisign. Or Aristotle.
What you mean to say is "it's up to you to convince your visitors that you're who you say you are".
If all I'm saying is "I'm a video game web forum" then my visitors don't need anything more than "I'm using the same self-signed certif
Re: (Score:2)
If all I'm saying is "I'm a video game web forum" then my visitors don't need anything more than "I'm using the same self-signed certificate I used the last time".
Frankly, a video game web forum doesn't need encryption except for the matter of identifying users, and something like OpenID could be used for that.
Re: (Score:2)
If all I'm saying is "I'm a video game web forum" then my visitors don't need anything more than "I'm using the same self-signed certificate I used the last time".
Frankly, a video game web forum doesn't need encryption except for the matter of identifying users, and something like OpenID could be used for that.
I thought the goal was to have everything encrypted, regardless of whether it's illegal and needs to be hidden, if for no other reason than to mildly annoy the NSA.
Re: (Score:2)
Any company can get a cert.
What's important is that they're not supposed to be able to get one for a domain not of their own. So for instance, a Microsoft employee can't get a cert for paypal.com then sit somewhere between your network and the internet and perform a man in the middle attack.
Re: (Score:3, Insightful)
Where have I suggested that Paypal should use self-signed certs?
The point is that there's thousands of sites... no, hundreds of thousands... that are wide open for sniffing that would be using TLS if it was possible to set it up as easily as you can set up SSH. This possibly didn't used to be an issue but is getting more so as more and more businesses provide things like free wifi.
For these sites the same level of authentication as SSH, "this is the same server as you visited last time", is adequate to dete
Re: (Score:2)
Here's a question:
When you're ssh-ing into your computer, how many precautions do you take?
Do you never, ever ssh from a device you don't personally trust completely?
Do you remember or have written down your SSH server's fingerprint so that you can tell it's the right one?
If you for instance go on vacation, ssh from your laptop to your server and get the wrong fingerprint, do you abort and wait until you get home to sort it out?
If you said no to any of these, you're not really very secure.
I do all these thi
Re: (Score:2)
It is not a hassle to "drill down" to find the name of the cert holder. Firefox puts it right there on the front of the security popup. And most verified certs are verified to some unknown corporate division anyway - I don't see your point.
As
Re: (Score:3, Interesting)
Except, if you don't verify the identity of the recipient, encrypting data is as much use as putting a steel door on a tent.
You know, you hit that analogy perfectly, but apparently did not bother to think about it.
A steel door on a tent is much better than no door on a tent.
Let me guess: You think locking a car or house is a waste of time, because any fool can break in via windows? You think it would be better if we couldn't lock our car or house, because locking it gives us a false sense of security?
Per
Re: (Score:2)
What use is encryption if you can't guarantee that there's not a man in the middle? This is why self-signed certs are a bad idea. That is, unless you want your users calling you up to manually verify your key.
Re: (Score:2)
What use is encryption if you can't guarantee that there's not a man in the middle?
Unless your very first connection to the website and EVERY subsequent connection was intercepted by the SAME attacker, for every person in a position to detect the fraud, for the entire duration of the scam, simply verifying that the certificate is the same as the last time provides sufficient authentication to deter all but the most dedicated attacker.
So... sites where significant assets are involved would not use self-signe
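The "same certificate as last time" check the posts above describe, as an added Python example that is not from the thread: an SSH-known_hosts-style pin store that records a server certificate's SHA-256 fingerprint on first sight (trust on first use) and flags any later change, which is exactly what an interposed proxy would trigger. Hostnames and the certificate bytes in the demo are constructed; `check_live` is the only part that needs a network.

```python
import hashlib
import ssl
from pathlib import Path

# Outcomes of a pin check, in the spirit of an SSH known_hosts file.
FIRST_SEEN = "first-seen"   # no pin yet: trust on first use and record it
MATCH = "match"             # same certificate as last time
CHANGED = "changed"         # certificate differs: possible interception


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_pins(path: Path) -> dict:
    """Parse a pin file: one 'host:port SHA256-fingerprint' per line."""
    pins = {}
    if path.exists():
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, fp = line.split()
            pins[key] = fp
    return pins


def save_pins(path: Path, pins: dict) -> None:
    lines = ["# host:port sha256-fingerprint (trust on first use)"]
    lines += [f"{key} {fp}" for key, fp in sorted(pins.items())]
    path.write_text("\n".join(lines) + "\n")


def check_pin(pins: dict, host: str, port: int, cert_der: bytes) -> str:
    """Compare the presented certificate with the pin for host:port.

    A changed certificate is reported, never silently re-pinned: the user
    (or operator) has to decide whether the server legitimately rotated.
    """
    key = f"{host}:{port}"
    fp = fingerprint(cert_der)
    stored = pins.get(key)
    if stored is None:
        pins[key] = fp
        return FIRST_SEEN
    return MATCH if stored == fp else CHANGED


def check_live(pins: dict, host: str, port: int = 443) -> str:
    """Fetch the live certificate and check it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    return check_pin(pins, host, port, der)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real ones come from check_live.
    original = b"constructed-cert-for-forum.example"
    attacker = b"constructed-cert-from-an-interposed-proxy"
    path = Path("known_certs.txt")
    pins = load_pins(path)
    print(check_pin(pins, "forum.example", 443, original))   # first-seen
    print(check_pin(pins, "forum.example", 443, original))   # match
    print(check_pin(pins, "forum.example", 443, attacker))   # changed
    save_pins(path, pins)
```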
Re: (Score:2)
What use is encryption if you can't guarantee that there's not a man in the middle? This is why self-signed certs are a bad idea. That is, unless you want your users calling you up to manually verify your key.
Or using something like Perspectives [cmu.edu] to get much the same effect.
Re: (Score:2, Flamebait)
The only sane reason I can come up with for the continuing insanity of the Firefox self signed cert warnings is direct kickbacks to the Mozilla foundation from Verisign and the like. I have little doubt that at the very least, "consultation" with Verisign and
Re: (Score:2)
My open university course makes this mistake right at the beginning. It specifically says that
Re: (Score:2)
Technically, you're correct. Technically, "this is the same site you visited the last time" is a very weak form of "authentication". Thing is, this is all the "authentication" most services need.
Re: (Score:2)
It's not that simple.
Yes, without authentication, you can be subjected to a man in the middle attack.
However, that attack is an active one.
Without encryption, you can be subjected to a simple passive sniffing attack. Put a hub somewhere in the connection and sniff every packet that goes by. No need for an active attack. No need to establish two encrypted sessions (one to the victim, one to the victim's intended destination). No need to interpret and alter packets going between the victim and destination.
Does encrypt
Re: (Score:3, Informative)
All browsers would have each registrar's root CA certificates in their CA store. When a person registers a domain name, the registrar also gives them either an issuer certificate for that domain or a wild card certificate for that domain. The person could then either use the issuer certificate to make more (www.example.com, store.example.com, etc.) or just use that wild card certificate (*.example.com).
Congratulations, you have just invented DNSSEC [dnssec.net].
Next task: Get root registrars to actually publish and i
Of course IT professionals don't get it (Score:5, Insightful)
Have you ever tried teaching yourself the basics behind SSL, such as PKI and X.509 certificates? In an industry full of jargon and technalese, the security people are some of the worst for explaining things. The documentation out there is poor and cryptic. Ever wonder why encrypted or signed email never took off? Look no further than GnuPG or the Enigmail plug-in for Mozilla. Try finding out what DER encoding is, or ASC.1, or what PKCS#7 means. None of it's straight-forward, even for technical people.
Of course astronauts don't get it (Score:2)
Yeah. Prostitutes don't understand SSL either.
Slashdot has a weird definition of "pro". I figured it meant cryptography professionals. But if the title came out and said "IT professionals" or "lumber professionals" then it would be obvious that the story has no value.
Re: (Score:2)
ASN.1
You almost had it :)
Re: (Score:3, Insightful)
I'd like to second that motion. The same thing goes for encryption used for wireless routers. When a non-tech friend is setting up a new wireless router and is setting up the encryption part, they just see a list of 3 and 4 letter words they don't understand. And the only reason I know which is the best to pick is reading around the web to know which are easy to crack.
Re: (Score:3, Funny)
No kidding. How hard would it be for the router to actually vaguely explain what OSes can be expected to understand each type of encryption, and which you should use unless you have Specific Older Device or have discovered that some device you have doesn't work. What, do they have 32k of firmware room and no space for explanations?
Of course, most router control panels appear designed by idiots anyway.
it's the browser implementation (Score:4, Insightful)
as the guy said in the article, it should kick you from a session at expired certs, not allow click through options
if the cert is expired/ unverifiable, the browser should simply kick the session, end of story
that should really be the only option available to anyone. its psychological: take this seriously, sorry for the inconvenience. otherwise, lazy admins will let their expired/ malformed certs hang out there for a lot longer (which i've seen even on a credit card site: capital one), because users just easily circumvent the roadblock. they'll definitely notice if no users can get through, and the angry emails pile in their inbox
i only allow https admin connections to my router, which of course means my browser screams about being unable to verify any certs... since i'm on a subnet. and i bet there are many other valid situations where expired/ unverified certs still represent a valid connection
however, add up all the valid situations where you want to continue an uncertified https connection, and you are left with nothing but a hill of beans in comparison to the much more massive problem of psychologically just not taking https seriously enough
now you just have to convince the 3/4/5 major browser flavors to implement this new status quo
maybe the certificate authority should simply kick insecure browsers regardless (is that passed to the certificate authority during verification of cert?). that would get browser coders and vendors to notice. of course, what the browsers report themselves can be hacked/ finessed, but if that's done maliciously, your box is already owned, and it's already game over regardless through a lot more powerful avenues
Re: (Score:2)
Q: And what about self-signed where you can verify the cert's sig? Some applications only require half-arsed.
A: There obviously needs to be a workaround; either manual typing or pre-load it or your corporate CA's cert into company intranet browsers. Do something that _forces_ comparison of the sigs, not click click click (click click click click click click for FF3).
Re: (Score:2)
it should kick you from a session at expired certs, not allow click through options
Given the following choices for a site that doesn't take credit cards:
Which would you choose?
Re: (Score:2)
Java 1.6 Upgrade 15 through 18 does this. If you try to access a site with an invalid or expired cert, it just exits. Unfortunately it doesn't say why, it just exits so there are lots of lookups for WTF Java is doing, is my machine broken, or what? And you can't disable 15 and go back to 14 or earlier as it still bails. You have to uninstall 15 to gain access.
Of course the real problem is that we never updated the certs on our Dell Remote Access Consoles since it worked anyway. Since all the systems are ins
Re: (Score:2)
I think there are two separate things:
-having my password be encrypted on the LAN cables
-having a site being signed by a third party
For some reason, the first thing can't be done independently from the second. If I understood correctly, at least. Anyway, is there a possibility for websites to give you a secure line to them, without depending on a third party? I don't care about signing, but I care about sniffing on LAN cables.
Re: (Score:2)
>as the guy said in the article, it should kick you from a session at expired certs, not allow click through options
>if the cert is expired/ unverifiable, the browser should simply kick the session, end of story
As long as that's a default setting you can override... Otherwise I have to have a valid paid cert on every one of my dev servers? F*** THAT.
Re: (Score:2)
Uh, no. Why should small businesses be forced to pay a certificate authority for certificates for appliances (spam filters, etc.), terminal services web pages, external access to webmail and intranet pages over SSL when a self-signed cert (even an expired one) will do? This is a user education issue, not a "let's get rid of it for everyone." It is for corporate use that you can optionally install self-signed certs into any of the mainstream browsers. There is a legitimate need for such things, and forcing e
wat (Score:2)
You're doing it wrong.
Whoever wrote this article does not know what he's talking about.
Re: (Score:2)
What the packets contain, on the other hand, won't be available to the person who now has them without a lengthy and large amount of computing power applied to it, plus a great deal of luck.
MITM attack on browser downloads (Score:5, Interesting)
Admittedly this would be very hard to do, but theoretically possible and with the resources of a nation state this may have already been done. As most machines are now built in the far east, what would stop the IE that ships with your computer from also having altered CA keys?
Would it even be possible to detect this? You could use MD5 checksums on your downloads, but most of the websites that show an MD5 are unsecure, so they could easily be showing a manipulated version of the checksum.
This strikes me as one of the biggest flaws of our reliance on SSL v2, v3, whatever.
Please tell me that this isn't possible.
Re: (Score:2)
Yes, and how do you know that the browser that you originally installed with your operating system was not forged? How do you know your OS or your bios can be trusted? Hell, for that matter how do you know you can be trusted?
Ooooooohhh the horror!!!!
Not to be a troll, but you are really pushing that off into fantasy land. My point is that security vulnerabilities based on 'just so' hypotheticals are less likely to be a real world threat. Possible yes. Likely no.
Re: (Score:2)
If you wanted to watch online banking transactions to a major bank like HSBC would this not be a way to do it? Sure, it would be difficult and would take a while, but you would gather huge amounts of information that is potentially worth millions.
The only difference between this and a completely unsecure connection is that it would take more effort and organisation and it would be limited to those browsers that you've set up a MITM attack for and have been downloaded. You could set up a MITM attack befor
Re: (Score:2)
It's definitely possible. You can add CA's willy nilly to any install. This feature is present to allow companies to have self signed certificates used by their employees. You just need to have a server online that it contacts for the CA verification. You can check the list yourself and compare it to what it should be at:
http://www.microsoft.com/security/ [microsoft.com]
It will take some digging but it's in there. What's scary is that a hostile pc maker could replace the stock IE with their own that has hardcoded CA's whic
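One concrete way to answer "would it even be possible to detect this?" for the root-store part of the scenario, as an added Python example that is not from the thread: fingerprint the roots the local TLS stack trusts and diff them against a baseline captured on a machine you trust. It reports extra or missing roots in the store the running process sees; it does not prove the browser binary itself is intact. The DER blobs in the demo are constructed stand-ins.

```python
import hashlib
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_set(der_certs) -> set:
    """Fingerprints of an iterable of DER-encoded certificates."""
    return {sha256_fingerprint(der) for der in der_certs}


def parse_baseline(text: str) -> set:
    """Baseline file format: one SHA-256 hex fingerprint per line, '#' comments.

    Case is normalised so a baseline pasted from a vendor page still matches.
    """
    fps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            fps.add(line)
    return fps


def diff_trust_store(current: set, baseline: set) -> dict:
    """Roots present now but absent from the baseline are the ones to investigate;
    roots missing from the current store are worth knowing about too."""
    return {
        "unexpected": sorted(current - baseline),
        "missing": sorted(baseline - current),
    }


def system_roots_der() -> list:
    """DER roots loaded into Python's default TLS context.

    Caveat: get_ca_certs() only lists certificates actually loaded; on systems
    that use a capath directory, roots are loaded lazily on first use.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-ins; in real use compare system_roots_der() against a
    # baseline file captured on a machine whose trust store you have verified.
    known = [b"constructed root A", b"constructed root B"]
    baseline_text = "# golden image baseline\n" + "\n".join(
        sha256_fingerprint(c) for c in known
    )
    now = known + [b"constructed root planted in a vendor image"]
    report = diff_trust_store(fingerprint_set(now), parse_baseline(baseline_text))
    print(report)
```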
Re: (Score:2)
You have touched upon what for me is the biggest argument against disallowing or downgrading self signed certs.
If someone has the resources to implement a man in the middle attack, what's to stop them doing so with your connection to the certification authority?
Personally, I believe that man in the middle attacks are little more than th
Re: (Score:2)
Maybe for large scale theft, or maybe to have access to bank account that can be used for money laundering.
Blogs, forums, and wikis (Score:2)
A lot of non-SSL password forms are on small blogs, forums, or wikis that don't handle financial data. Might the widespread lack of SSL on password pages have something to do with the price of a certificate for each such site?
Re: (Score:2)
That, and the fact that the free ones you can get (e.g. startssl.com, who I use) aren't automatically accepted. Not a problem for my webmail and admin sections, which are only used by me and my family, but far more annoying if I had a wider range of users hitting "WE CAN'T VERIFY THE CERTIFICATE CHAIN!!!!!" messages when all I want to do is put HTTPS on my site.
SSL is about trust. (Score:2)
SSL is all about trust in the end.
The monster problem is arrogant security people don't trust the other arrogant security people. Trust is implemented via certificates. E.g. I certify that this thing is what I say it is.
Problem. Who trusts the guy who gives out the certificate? Well, as it turns out, not many trust the other guy's certificate. This leads to a problem. You can't build a pyramid of trust when you can't really trust the other guy.
So basically it makes it fairly impossible to create something
Quote (Score:2)
"Using SSL to transfer information from server to server is analogous to using armored cars to transfer bags of money from one park bench to another."
We do expect average people to understand SSL (Score:3, Interesting)
"'People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know how to what SSL is and what it does"
Actually, everyone expects that grandpa and grandma will understand SSL... if they want to do any secure transactions online.
No matter how the browsers display certificates, unless people know what they are and why they are there then they won't be secure.
What percentage of people would call their bank to complain if their internet banking website didn't give an SSL certificate?
Browsers make a big deal about fake certificates, or self-signed certificates, but don't say anything when you go to an unencrypted site.
It's a terrible state of affairs, and until either secure transactions get easier or certificates are used widely enough that browsers can warn when a site isn't using one, transactions of the average joe won't be secure at all.
- Jesse McNelis
Re: (Score:3, Informative)
caching.
Re:and WHY doesn't Slashdot use HTTPS? (Score:5, Informative)
How would HTTPS help? You'll still probably do an unencrypted DNS lookup for idle.slashdot.org.
Re: (Score:2, Informative)
Not to mention the fact that the GETs will have to have their endpoint identifiers unencrypted, and so the IP addresses will be available, which means they'll know how MANY requests you've made to /.
Re: (Score:3, Informative)
You haven't yet been modded overrated for not understanding DNS, but maybe someone with mod points will stop by...
Before you exchange certificates you need the IP address of the other end. If Anonymous Coward doesn't want anyone to know that he reads the "idle" section then he needs to get the IP address of idle.slashdot.org without doing an unencrypted DNS lookup for it. How common is encrypted DNS?
PS You forgot to mention
c) get a MITM-attacked connection which your browser thinks is fine because it appear
Re: (Score:3, Informative)
I know MD5 collisions wasn't my point - that's why I made that a PS - but you still haven't got what my point is. Ignoring insecurities in the PKI and TLS implementations, TLS can prevent eavesdroppers from knowing what data you're sending and receiving, but it can't prevent them from knowing with what server you're communicating. The eavesdropper can still sniff the IP address in the IP packets, and the DNS request which is necessary before you even send your SYN packet, which itself precedes certificate e
Re: (Score:2)
why doesn't Slashdot offer THEIR content over a secure HTTPS connection?
Probably because it'd be freakishly expensive to pay for that much computing horsepower for something that just doesn't matter. Don't want people to know you read idle? Then don't read idle from places where you don't want to be monitored. Honestly, it's not like someone's snooping your online banking.
Re: (Score:2)
It's ok for slashdot to inflict painful javascript [...] on us but if THEY have to implement a fairly light security system it's too much !
In other news, it's easier to distribute work across a million clients than to build one server to do the same amount of work.
[...] and useless CSS [...]
Oh, you're one of those table-layouters. I apologize for wasting your time with references to modern technology.
Re: (Score:2)
> it'd be freakishly expensive to pay for that much computing horsepower for
> something that just doesn't matter.
So what about the login/password?
Re: (Score:2)
So what about the login/password?
Now, that's a valid and appropriate use. It doesn't buy you much over digest authentication [wikipedia.org], though, and that's supported by almost everything but IE5.
Re: (Score:2)
Why not do what I do?
SSH tunnel into home, with Firefox pointed at a dynamic port forward to use as a SOCKS server. Then go into about:config and activate the setting for DNS lookups through proxy.
Voila, now all work can see is you transferring encrypted data to and from home. They may think you're into industrial espionage, but they'll never be able to tell you were visiting /.
Re: (Score:2)
There is a much larger processing requirement for transferring everything via https plus the bandwidth requirement is higher. Some days slashdot loads slow enough - do you really want to see a performance reduction? What you'll see is a return of ads to offset the increased server and bandwidth costs, and the ads will slow load time as well. (What, you still see ads here? Stop trolling, get your karma up then you can turn ads off)
I know, you're kidding, but a lot of people are going to take your comment ser
As usual, no one wants to be the leader. (Score:5, Interesting)
The Wikipedia explanation of SSL [wikipedia.org] helps. This explanation [ssl.com] helps, also.
The Do It Yourself SSL Guide [webopedia.com] is useful.
OpenSSL: [STILL INCOMPLETE] (Score:5, Funny)
Re: (Score:3, Funny)
Just modify the source until it does what you expected.
Re: (Score:3, Insightful)
I blame JAVA.
Java dev to any other IT dude: "I don't need to know about that the jvm abstracts that away for me. So buzz off and let me do real IT work. "
Just kidding :) Well actually I'm not. In general Java devs know ZIP about anything outside of a JAR file.
Re:As usual, no one wants to be the leader. (Score:4, Informative)
In general Java devs know ZIP about anything outside of a JAR file.
They may not even know that JAR files are ZIP format.
Re: (Score:2)
Years ago when I first set up SSL it was a pain in the neck. Installing third-party certs was a painful process with little, outdated docs on how to do it with Apache, but what was worse was I also had to set up self-signed certificates and that was an even more painful process because the documentation was so sparse there might not have been any. webmin didn't help much either, so I had to do a lot of searching and some reading of code in the supporting projects to figure it all out. Once I knew what neede
Re: (Score:3, Funny)
And neither the Slashdot summary nor the article to which Slashdot links is willing to link to documentation.
Please stop anthropomorphizing the article and summary. They hate that!
Re: (Score:2)
This is SSL http://www.solid-state-logic.com/ [solid-state-logic.com]
Most pros have never used one.
Re: (Score:3, Funny)
We will all mourn your sense of humour. What a pity...
Oh well, you can adopt another one. It will never be the same, but it'll be there when you need it!
Re: (Score:2)
Or you could just install a free copy of VMWare server, a free linux distro, and install the free apache software with the free OpenSSL on it, then configure a virtual server, create a csr, process it to build the cert, install the cert and learn all about how it works using the documentation and How To's.
I'll give you a little hint though. Just remember that the certificate negotiation is done at the lower layers in the OSI model, so to have multiple certs on one server, you need to put each cert on its