Categories
CERT Internet

#DigiNotar and paying for an audit

The question Mozilla, Microsoft and Apple should be asking themselves now is:

Which other CA do they trust based on an audit by PwC? Their green light on DigiNotar was so flawed that I have serious doubts about anyone else they certified as a trustworthy CA.

This is a bit like the financial rating agencies at the height of the 2008 banking crisis: why the hell should I trust the audit/rating of someone who is paid by the people they are auditing/rating and who need an “all fine”/AAA result?

Categories
CERT Pet Peeves

Adobe Madness

I finally bit the bullet and upgraded to Reader 10.x to get the security benefits of the sandbox.

But:

  • Why this f*cking bloatware of a Download Manager as a Firefox plugin? WTF?
  • And why do these bastards try to sneak in McAfee software? I did not see the checkbox.

See also this thread in the Adobe forums.

Way to go, Adobe. Do you really think pissing off customers, especially security professionals, is good company policy?

Categories
CERT Internet

Attacking PayPal, Visa, and Mastercard

The story so far: WikiLeaks posted some secrets, the US government throws a hissy fit and some spineless companies see it as their “patriotic duty” to withhold service from WikiLeaks. This doesn’t especially endear them to the 4chan/Anonymous crowd, which then starts to DDoS the pushovers.

So how is a Civil Libertarian and Network Security guy supposed to react to that?

Two wrongs don’t make a right. There are better ways to show disgust at and punish those electronic money movers. Attacking their operations cannot be the right answer.

But: I’ve been arguing for years now that one of the few ways to actually shut down some of the real menaces of the Internet (not the imagined ones like WikiLeaks), like spammers, fake AV software scams, Viagra/… sellers, and other frauds, would be to deny them the credit card payment option.

Thus, MasterCard and Visa: If you are so eager to distance yourself from WikiLeaks, when nobody can even tell you what actual laws they are supposed to have violated, why are you not able to deny service to the frauds when it is absolutely clear that they violate laws and cost the worldwide economy huge sums of money to clean up their crap?

Categories
CERT

Memo to Security Conference Organizers

First of all, there are more security conferences in September and October in Europe than any sensible organization will ever want to send people to. Sorry.

Aggressive hard-sell phone calls will not help. Quite to the contrary.

And if you send email invitations, remember that you’re sending mail to security professionals. Including tracking images in the HTML version and linking to a tracked version of your conference website is considered rude in these circles.

Cut it out.

Categories
CERT Internet Pet Peeves

Someone got something wrong there

According to FuZo, Turkey is building a centre for IP tracking. Good for them.

But instead of censoring their own population, could they please do something to protect the rest of the Internet from the spam and the script kiddies with testosterone overproduction coming out of the Turkish Internet?

Thanks.

Categories
CERT Internet

MasterCard SecureCode: Just say no.

Sometimes the timing is just too perfect.

Yesterday I was trying to book a flight on Brussels Airlines and when I was trying to pay via credit card, they insisted on an on-the-fly enrollment to MasterCard SecureCode. I refused and booked via the AMEX Business Service.

Today a security analysis of the whole scheme was published by British scientists, confirming my reservations.

Money quotes:

“Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders.”

“So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.”

Categories
CERT

Microsoft Security Essentials

I can understand that they want to have a look at unknown (to them) software. But this?

I can’t be the first one to actually deploy the update from Adobe which finally fixed the bugs known since December.

Categories
CERT

A Random Observation

Visiting DeepSec 2009 confirmed my impression from last year that speakers who are using their hacker nom de guerre are most likely hubristic buffoons who re-tell old stuff in overblown rhetoric.

Categories
CERT

Like this is going to help

Translation: Due to multiple attacks by hackers we moved to www.pfarrebreitensee.at!

Categories
CERT Internet

Free SSL/TLS certificates

CAcert has tried for some time to provide free X.509 certificates based on automatic checks and a web of trust. They never managed to get the root certificate included in the default installations of the major browsers. As I read it, they’ve given up on Mozilla for now.

Aaron forwarded me a link to a blog post by StartCom where they announce that their CA will be included in IE soon. As they are already recognized by Mozilla and Safari, their certs are pretty much as good as any other commercial X.509 cert for servers.

In that respect they are not unique: you can buy commercial-grade certs from various sources, the most popular being Thawte, Equifax, Usertrust, Comodo, and Verisign.

What makes StartCom special is the fact that they give away free certificates, similar to what CAcert is doing. Their enrollment at http://www.startssl.com/ is pretty much straightforward, and getting certificates (either by uploading a CSR or by letting them generate the key for you) is painless.

Furthermore, they impressed me by:

  • Adding priv.at as a valid domain suffix within a few hours after I mailed them.
  • Checking the server for which you requested a cert and giving you hints if you made a configuration mistake.

Recommended.
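As an added example (not code from the original post, and not StartCom's own tooling), the following script shows the CSR route described above end to end: the private key is generated locally so the CA never sees it, the CSR carries subjectAltName entries that can be checked before upload, and a throwaway root/intermediate pair stands in for the CA so that the one configuration mistake a server-side check most often catches, a server that omits its intermediate certificate, can be reproduced offline. The hostname example.priv.at, the CA names and the assumption that a missing intermediate is the mistake being hinted at are all mine; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original post or from StartCom. Generates a key
# and CSR locally, signs it with a made-up root/intermediate CA, and verifies
# the leaf the way a browser would. Hostnames and CA names are constructed.
set -eu

# Write a minimal OpenSSL config for a CA certificate with common name $1 to $2.
ca_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        "$1" > "$2"
}

# Generate an EC P-256 key and a CSR for HOST with SANs for HOST and www.HOST.
# The private key stays on this machine; only the .csr file goes to the CA.
make_csr() {
    host="$1"; dir="$2"
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n[dn]\nCN = %s\n[v3_req]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s,DNS:www.%s\n' \
        "$host" "$host" "$host" > "$dir/$host.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$host.key"
    chmod 600 "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" -config "$dir/$host.cnf"
}

# Print the SAN line of a CSR so the names can be checked before upload.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Stand-in for the CA (constructed): a throwaway root signs an intermediate,
# which signs CSR using the extension section EXTCNF; the leaf is written to OUT.
fake_ca_sign() {
    dir="$1"; csr="$2"; extcnf="$3"; out="$4"
    ca_cnf "Example Root" "$dir/root.cnf"
    ca_cnf "Example Intermediate" "$dir/inter.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.pem" -days 7 \
        -config "$dir/root.cnf" -extensions v3_ca
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/inter.key"
    openssl req -new -key "$dir/inter.key" -out "$dir/inter.csr" -config "$dir/inter.cnf"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/inter.pem" -days 7 -extfile "$dir/inter.cnf" -extensions v3_ca
    openssl x509 -req -in "$csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -out "$out" -days 7 -extfile "$extcnf" -extensions v3_req
}

# Verify LEAF for HOST against the trusted ROOT, with INTER (optional) as the
# untrusted intermediate the server is supposed to send along. Prints ok/fail.
# Without INTER the result is the "unable to get local issuer certificate"
# failure a browser shows when the server forgets its chain.
verify_leaf() {
    root="$1"; host="$2"; leaf="$3"; inter="${4:-}"
    if [ -n "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
    if openssl verify -CAfile "$root" -verify_hostname "$host" "$@" "$leaf" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
```

Usage: `make_csr yourhost /some/dir`, eyeball `csr_sans /some/dir/yourhost.csr`, upload the .csr, then deploy the returned leaf together with the CA's intermediate; `verify_leaf` with and without the intermediate is exactly the difference between a chain that validates everywhere and one that only works on a browser that happens to have cached the intermediate.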