Category: Internet

Free SSL/TLS certificates

Post author By otmar
Post date September 4, 2009

CAcert has tried for some time to provide free X.509 certificates based on automatic checks and a web of trust. They never managed to get the root certificate included in the default installations of the major browsers. As I read it, they’ve given up on Mozilla for now.

Aaron forwarded me a link to a blog post by StartCom where they announce that their CA will be included in IE soon. As they are already recognized by Mozilla and Safari, their certs are pretty much as good as any other commercial x.509 cert for servers.

In that respect, they are not unique, you can buy commercial grade certs from various sources, the most popular being Thawte, Equifax, Usertrust, Comodo, and Verisign.

What makes StartCom special is the fact that they give away free certificates similar to what CAcert is doing. Their enrollment at http://www.startssl.com/ is pretty much straight forward and getting certificates (both by uploading CSRs or by letting them generate a key) is painless.

Furthermore, they impressed me by:

Adding priv.at as a valid domain suffix within a few hour after I mailed them.
Checking the server for which you requested a cert and giving you hints if you made a configuration mistake.

Recommended.

Internet Pet Peeves

Zeger reitet wieder

Post author By otmar
Post date July 22, 2009

Um sein GeschÃ¤ft mit X.509 Zertifikaten anzukurbeln, schreibt er eine Pressemeldung, die auch prompt von der Fuzo Ã¼bernommen wird.

Es scheint um X.509 Zertifikate fÃ¼r SMTP/STARTTLS zu gehen, also die VerschlÃ¼sselung des Transportweges beim Mailversand.

Was ist da dran alles falsch?

IETF Internet

DNSSEC and large packets

Post author By otmar
Post date June 22, 2009

In the wake of .org going signed, we finally have good data what that means for the authoritative nameservers. Duane gave a good talk at the recent NANOG event, showing the increase of TCP connections.

So what is the problem?

In a nutshell: Packet sizes. DNS responses containing the DNSSEC specific RRSETs are larger, and setting the DO bit that triggers their inclusion is almost default these days. So we’re now routinely exceeding the 512 bytes that the original DNS spec required. Over the years, the IETF defined EDNS0 which allowed clients to announce their support for larger responses via UDP. Not this is finally really put to the test and we can see how fallback to TCP we still observe.

Internet Pet Peeves

Heise, Slashdot, Broken Records, and DNSSEC

Post author By otmar
Post date June 19, 2009

Almost whenever a security event involving Windows is featured on Slashdot or Heise, some Linux fanboys will invariably post their cocky “that would not have happened with Linux” messages.

I start to see the same thing with DNS incidents and DNSSEC.

This is just as childish and stupid, especially as the voices writing such notes are often enough established engineers and not your average adolescent geek.

In reality most of the recent DNS hacks were not perpetrated by crafting forged DNS responses to poison caches but were successful attacks against the Registrar/Registrant interfaces. No, DNSSEC would not have helped in such a case.

The same is true for DNSSEC and the domain-based censorship which was just passed by the German government. DNSSEC will not help here. It is no panacea against meddling with DNS answers. It depends on who is doing the validation and whether the offending domains are actually signed or not (not likely these days):

DNSSEC validation is done at the ISP resolver:
DNSSEC doesn’t help the end-user here at all.
DNSSEC validation in the client, ISP recursor is used:
If the domain is signed, then the user will get a NXDOMAIN (or maybe a better error-reporting) instead of the IP address of the STOP-sign website.

So the censuring still works, just the alerting of the user (and the logging of the STOP-sign access) does not.
DNSSEC validation in the client, full recursion at the client
Censorship is ineffective. Just the same as when the local recursor does no DNSSEC checking.

Remember: DNSSEC is not about the availability part of security, it’s only about the integrity. Censorship does not really need to attack the integrity, it’s all about availability.

Internet Pet Peeves

Bad timing, Last.fm

Post author By otmar
Post date May 25, 2009

Date: Wed, 20 May 2009 14:05:42 +0000
To: @bofh.priv.at
From: “Last.fm”
Subject: Your free trial to Last.fm Radio is over. Did you enjoy it?

Hi XYZ,

Your free trial to Last.fm Radio is about to end. If you’re enjoying it, why not
subscribe for only â‚¬3.00/month and continue listening to non-stop personalised
radio.

http://www.last.fm/subscribe

Best Regards,
The Last.fm Team

and

Deny This, Last.fm
by Michael Arrington on May 22, 2009

A couple of months ago Erick Schonfeld wrote a post titled â€œDid Last.fm Just Hand Over User Listening Data To the RIAA?â€ based on a source that has proved to be very reliable in the past. All hell broke loose shortly thereafter.

I was inclined to pay them the 3â‚¬, partly because I’ve listened a lot to a stream from them, but after this breach of their privacy agreement?

Sorry, no deal guys.

[Update: yes, I know that LastFM is disputing this story.]

Internet

A Picture from Amsterdam

Post author By otmar
Post date May 11, 2009

The Internet Community thanks the RIPE staff for their dedicated work during the RIPE and OARC meeting:

Donating to RIPE

Internet

Some thoughts on .tel

Post author By otmar
Post date December 4, 2008

Last week Carsten Schiefner talked about .tel at the nic.at Registrartag in Vienna. Now that .tel has finally launched, here are my thoughts on this new TLD: