From the people who brought you "referer"...
-
@pie_flavor said in From the people who brought you "referer"...:
some idiot
@pie_flavor said in From the people who brought you "referer"...:
said idiot
You just, on a fundamental level, just do not fucking get it, do you.
Computers aren't just for you. They're for some idiot, too. When I was growing up with them that was kind of a big deal.
-
@blakeyrat said in From the people who brought you "referer"...:
@pie_flavor said in From the people who brought you "referer"...:
some idiot
@pie_flavor said in From the people who brought you "referer"...:
said idiot
You just, on a fundamental level, just do not fucking get it, do you.
Computers aren't just for you. They're for some idiot, too. When I was growing up with them that was kind of a big deal.
If you were critiquing a computerized money system, you'd expect it to somehow make it impossible for some idiot to give their money to a scammer. And that simply can't be done. Idiots are simply better at being idiots than you are at making things idiot-proof. You can certainly try, but there's only so much you can do, whereas human stupidity on the other hand is limitless.
-
@anotherusername "The system can't be 100% perfect, so just throw your arms up in the air and give up on improving it entirely!"
Great fucking attitude.
-
@blakeyrat that's not what I said, and I think you know it.
My actual opinion is more like "what you're talking about wouldn't actually make things more secure or more idiot-proof; you're just bikeshedding."
-
@zemm said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.
The general population thinks that icon is a handbag.
Security is hard, let's go shopping.
-
@hungrier said in From the people who brought you "referer"...:
@zemm said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
Except the general public is currently conditioned to look for green padlock specifically. Not institution name. Green padlock.
The general population thinks that icon is a handbag.
Security is hard, let's go shopping.
More like: this website is safe to go shopping! Also, when you see the broken handbag it's warning you to stop buying cheap knockoffs from China.
-
@blakeyrat said in From the people who brought you "referer"...:
@pie_flavor said in From the people who brought you "referer"...:
some idiot
@pie_flavor said in From the people who brought you "referer"...:
said idiot
You just, on a fundamental level, just do not fucking get it, do you.
Computers aren't just for you. They're for some idiot, too. When I was growing up with them that was kind of a big deal.
When I say 'some idiot' here, it is done affectionately. Now answer the goddamn question.
-
@cartman82 said in From the people who brought you "referer"...:
The entire internet security mindset and landscape is entirely broken.
It is. It was never really designed, it just happened.
@dkf said in From the people who brought you "referer"...:
The encryption is done via a higher-level library and is really very good indeed, along with the system for negotiating the keys and ensuring that the client can make a sensible (but machine-readable) statement about the identity of who it is talking to. That machine-readable statement is in a horrible format (an X.509 certificate encoded in a nasty format) so it needs to be presented very carefully to users
The encryption is the easy part. Hard part is the trust and that sucks. There is just one signature chain and the certification authorities have no limits to their authority, so any authority can certify anything and it will be trusted by everybody. Which means the authorities need to be trustworthy and they are not.
@gąska said in From the people who brought you "referer"...:
That's all assuming lack of trust is a real problem worth solving.
I don't see anybody trying to solve that.
Average Joe User certainly does not lack trust. They'll trust almost anything. The goal is to protect them from attacks.
And since Average Joes connect from random, poorly secured public Wi-Fis and similar, equally poorly secured networks, using https does protect them from a large class of attacks. And it makes it harder for the Great Firewall of China. So it is still worth pushing https everywhere.
However:
https://github.com/w3ctag/design-principles/pull/75 said:
New capabilities added to the Web should be available only in secure contexts. Exposing them in non-secure contexts is discouraged and requires strong justification.
I do think that this is wrong. Making everything require https, even if there are no security implications, is trying to fix a people problem with a technical solution and that is never a good thing. That said:
@dcoder said in From the people who brought you "referer"...:
All the APIs that were deprecated or disabled have severe security implications when used without authentication. They are the APIs where user must grant a permission for the web application and without authenticating the origin that would break.
@the_quiet_one said in From the people who brought you "referer"...:
Whether that means any company, including tiny businesses should jump through those hoops to accept payment info out of fear they'll discourage patronage by having an orange lock symbol is hard to say, though.
Most companies that want to accept payment info should be doing that through a payment gateway and those should definitely jump through those hoops. No local e-shop ever asked me for the card number and the three or four payment gateways they use do have EV.
@greybeard said in From the people who brought you "referer"...:
Someone was able to get an EV certificate for "Stripe, Inc." for the cost of $177 and two hours of time. They did it by incorporating a "Stripe, Inc." in Kentucky.
That is a people problem and should be solved with a court ruling and a SWAT team. And if he actually used that certificate to steal money or damage the better known Stripe, Inc., I am quite confident such solution would be put in place.
Though if the US government is willing to accept different company registrations under the same name in different states, then there is a bigger problem. Either that practice needs to change or the extended verification needs to include the state name—though I am not sure the non-US world will be able to remember the difference between US-CA and US-KY.
-
@bulb said:
Most companies that want to accept payment info should be doing that through a payment gateway and those should definitely jump through those hoops. No local e-shop ever asked me for the card number and the three or four payment gateways they use do have EV.
Really? In my experience, they often use their own payment processing. It's an easy-to-install feature in any e-commerce system like Magento. They typically use a payment gateway like Authorize.Net on the server-side via API calls. It's up to them to be PCI compliant and not do stupid shit like saving credit card numbers and CVVs on their local databases as they call those APIs.
@bulb said in From the people who brought you "referer"...:
@greybeard said in From the people who brought you "referer"...:
Someone was able to get an EV certificate for "Stripe, Inc." for the cost of $177 and two hours of time. They did it by incorporating a "Stripe, Inc." in Kentucky.
That is a people problem and should be solved with a court ruling and a SWAT team. And if he actually used that certificate to steal money or damage the better known Stripe, Inc., I am quite confident such solution would be put in place.
How easy is it for a foreign entity that's harder to catch to spoof this in a similar way, though?
Though if the US government is willing to accept different company registrations under the same name in different states, then there is a bigger problem. Either that practice needs to change or the extended verification needs to include the state name—though I am not sure the non-US world will be able to remember the difference between US-CA and US-KY.
Trademark law is all about sectors. If someone tries to found a payment processing company called Stripe, they'll be rejected almost instantaneously. If, on the other hand, someone founds a painting company called Stripe, that will likely be accepted because it's in a business that's not at all competing against the Stripe we all know, and assuming they actually do business as such, there wouldn't be confusion by reasonable people. There are just easy ways to found a company with a similar name to a trademarked brand if you're a local business.
-
@the_quiet_one said in From the people who brought you "referer"...:
Really? In my experience, they often use their own payment processing. It's an easy-to-install feature in any e-commerce system like Magento. They typically use a payment gateway like Authorize.Net on the server-side via API calls.
Around here, a fairly significant portion of the small businesses have switched to payment gateways. In part, it's probably due to the extra services that third-party payment gateways offer (such as being able to pay by invoice after the fact); in part, banks around here now frequently require additional authentication (where you get redirected to a page from the bank that implements e.g. proper(-ish) two-factor auth ... I'm imagining that this can be a bit of a pain to implement properly).
(Personally, I've started avoiding small businesses that try to handle payments by themselves. The major third party gateways have much better service and are easier to get in touch with should something not work out.)
-
@bulb said in From the people who brought you "referer"...:
Though if the US government is willing to accept different company registrations under the same name in different states
The US federal government is simply not involved in company registration. That is a state-level concern.
The researcher that did that registration mentioned that the individual identity verification done was weak to nonexistent.
-
@bulb said in From the people who brought you "referer"...:
Though if the US government is willing to accept different company registrations under the same name in different states, then there is a bigger problem.
... no? It's always worked that way, and it's not those States' fault that the Internet "security" design didn't take into account the way the world worked at the time it was designed.
Trademark law is national, though.
-
I especially like how this topic's title is a complaint about a thing done in an internet protocol in order to maintain backwards compatibility and it's a rant about how browsers are supposedly going to destroy backwards compatibility by adding two words to the address bar.
-
@gąska said in From the people who brought you "referer"...:
@greybeard said in From the people who brought you "referer"...:
@gąska said in From the people who brought you "referer"...:
green padlock = security
Not so much. Someone was able to get an EV certificate for "Stripe, Inc." for the cost of $177 and two hours of time. They did it by incorporating a "Stripe, Inc." in Kentucky.
That's exactly the problem I was talking about. Seriously, is there a single person in this entire forum that reads what others write?
For what it's worth, I do not think I've tried that particular kind of pastry.
-
@the_quiet_one said in From the people who brought you "referer"...:
Really? In my experience, they often use their own payment processing.
It is country-dependent. Here the internet business started a bit later, so they did learn some lessons from abroad. Basically since some banks offered the service from the start, it was much easier for the shops to contract it than go through all the compliance paperwork.
@the_quiet_one said in From the people who brought you "referer"...:
How easy is it for a foreign entity that's harder to catch to spoof this in a similar way, though?
Everybody is under some jurisdiction and most jurisdictions won't protect fraud. The “legal assistance” does not always work smoothly, but if the fraud was significant size, it would eventually work anywhere (perhaps except North Korea, but I don't think they have any certification authority anybody would trust anyway).
@the_quiet_one said in From the people who brought you "referer"...:
Trademark law is all about sectors.
Trademark law yes. But the register still shouldn't allow duplicate entries.
@cvi said in From the people who brought you "referer"...:
in part, banks around here now frequently require additional authentication (where you get redirect to a page from the bank that implements e.g. proper(-ish) two-factor auth ... I'm imagining that this can be a bit of a pain to implement properly)
This is called “3-D secure”. It is optional from the side of the store or payment gateway, but shields them from liability, so they generally do it.
@greybeard said in From the people who brought you "referer"...:
The US federal government is simply not involved in company registration. That is a state-level concern.
Ok, then the extended verification should include the state, i.e. say “Stripe, Inc. [US-CA]” (and “Stripe, Inc. [US-KY]”). Because “Stripe, Inc. [US]” is not a unique identification and was not actually meant to be.
@greybeard said in From the people who brought you "referer"...:
The researcher that did that registration mentioned that the individual identity verification done was weak to nonexistent.
That is a problem with the system. The certification authorities should have some legal obligations and responsibilities (I imagine they should have similar standing as public notaries—after all, it's public notaries who verify signatures on documents and this is electronic equivalent).
-
@bulb said in From the people who brought you "referer"...:
The certification authorities should have some legal obligations and responsibilities
They should also have a “zone of expertise”. The set of CAs I'd trust for talking about, say, US commercial sites is quite different to the set of CAs I'd trust for talking about, e.g., Chinese government sites.
-
@dkf Yes. I touched that already
@bulb said in From the people who brought you "referer"...:
There is just one signature chain and the certification authorities have no limits to their authority, so any authority can certify anything and it will be trusted by everybody.
The tricky part would be defining that authority, because the locality of the registration often has nothing in common with locality of the domain—the generic .com, .org and .net are used by persons¹ from all over the world as are some tlds of the smaller countries, e.g. .io, .sh or .tv, and the new-fangled free-form ones—so checking whether given authority should certify given person's signature would be complicated.
¹ In legalese, person covers both individuals (natural persons) and organizations (legal persons).
-
@bulb said in From the people who brought you "referer"...:
so checking whether given authority should certify given person's signature would be complicated
Well, a CA could make a statement that it validates certificates for any domain, or that it specifically excludes some, or that it specifically only does a small set, or …, and root CAs would be binding upon their sub-CAs, and so on. Those with the more restrictive policies would be more trustworthy within the domain of those policies. The main reason it is awkward right now is that nobody's done it so far and some of the CAs have instead built up businesses around serving all comers.
But hey, you have to break a few eggs to make an omelette.
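The statement dkf describes exists in X.509 as the Name Constraints extension (RFC 5280, section 4.2.1.10): a CA certificate lists permitted and excluded subtrees, verifiers enforce them on every certificate below it, and a sub-CA cannot widen what its parent allowed. It is rarely carried by public roots, which is dkf's "nobody's done it so far". The following is an added example, not code from dkf, bulb or any CA; it models only the dNSName constraint logic over a constructed chain (the CA names and constraints are made up, and no certificate parsing is done).

```python
"""Name-constraint checking for a CA chain, dNSName entries only, after
RFC 5280 section 4.2.1.10. Constructed illustration: the CAs below are
invented and nothing here parses a real certificate."""

from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


def matches_subtree(dns_name: str, subtree: str) -> bool:
    """A dNSName satisfies the subtree "host.example.com" if it is that name
    or has zero or more labels added on the left (a.host.example.com).
    The leading-dot spelling some tools emit is accepted and treated the
    same way. "notexample.com" does not match "example.com"."""
    name = dns_name.lower().rstrip(".")
    base = subtree.lower().lstrip(".").rstrip(".")
    return name == base or name.endswith("." + base)


@dataclass
class CaCert:
    name: str
    permitted: List[str] = field(default_factory=list)  # permittedSubtrees
    excluded: List[str] = field(default_factory=list)   # excludedSubtrees


def name_allowed_by(ca: CaCert, dns_name: str) -> Optional[str]:
    """None if this CA's constraints allow dns_name, else the reason not."""
    # excludedSubtrees win even when a permittedSubtree also matches.
    for sub in ca.excluded:
        if matches_subtree(dns_name, sub):
            return f"{dns_name} is excluded by {ca.name} ({sub})"
    # An empty permittedSubtrees list means no restriction for this type;
    # a CA that "serves all comers" simply carries no constraint.
    if ca.permitted and not any(matches_subtree(dns_name, s) for s in ca.permitted):
        return f"{dns_name} is outside the permitted subtrees of {ca.name} {ca.permitted}"
    return None


def validate_chain_names(chain: Iterable[CaCert],
                         leaf_dns_names: Iterable[str]) -> Tuple[bool, str]:
    """Constraints accumulate down the chain: every CA above the leaf must
    allow every dNSName the leaf carries (SAN entries, and a DNS-shaped CN
    if the verifier still honours one). A sub-CA that claims a wider
    permitted set than its parent gains nothing, because the parent's set
    is checked as well."""
    cas = list(chain)
    for dns_name in leaf_dns_names:
        for ca in cas:
            reason = name_allowed_by(ca, dns_name)
            if reason:
                return False, reason
    return True, "all leaf names allowed"


# Constructed chains. ROOT is an unconstrained "all comers" root; SUB_EXAMPLE
# states that it only issues under example.com and never under
# internal.example.com. ROOT_COM restricts itself to .com and SUB_ORG tries
# to claim example.org beneath it.
ROOT = CaCert("Root CA")
SUB_EXAMPLE = CaCert("Example Sub-CA",
                     permitted=["example.com"],
                     excluded=["internal.example.com"])
ROOT_COM = CaCert("Com-only Root", permitted=["com"])
SUB_ORG = CaCert("Org Sub-CA", permitted=["example.org"])


if __name__ == "__main__":
    for chain, names in (
        ([ROOT, SUB_EXAMPLE], ["www.example.com"]),
        ([ROOT, SUB_EXAMPLE], ["db.internal.example.com"]),
        ([ROOT, SUB_EXAMPLE], ["www.bank.test"]),
        ([ROOT_COM, SUB_ORG], ["www.example.org"]),
    ):
        print([c.name for c in chain], names, validate_chain_names(chain, names))
```

The check is per name, so a leaf whose SAN mixes one allowed and one forbidden host is rejected as a whole, which is what a conforming path validator does.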
-
@dkf Actually, there are two cases. The basic verification and the extended verification. As shown by letsencrypt, the basic verification can be done automatically, so there is not much problem for certifying any domain. And for extended verification, the country and region in the information is what should be restricted. That is, normally an authority should only do extended verification for residents of the same country where it has good access to corresponding registers and legal bodies—and can be reached by the same if it screws up.
-
@bulb said in From the people who brought you "referer"...:
@greybeard said in From the people who brought you "referer"...:
The US federal government is simply not involved in company registration. That is a state-level concern.
Ok, then the extended verification should include the state, i.e. say “Stripe, Inc. [US-CA]” (and “Stripe, Inc. [US-KY]”). Because “Stripe, Inc. [US]” is not a unique identification and was not actually meant to be.
That really wouldn't help. Most people don't know in which state Stripe is incorporated.
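An added example, not code from bulb or carnage: an EV subject already carries more than the "O" string, namely the jurisdiction of incorporation (jurisdictionCountryName, jurisdictionStateOrProvinceName, jurisdictionLocalityName under OID arc 1.3.6.1.4.1.311.60.2.1) plus businessCategory and the registration number in serialNumber, per the CA/Browser Forum EV Guidelines. A parser for the RFC 4514 string form of a subject DN shows how two "Stripe, Inc." certificates are told apart by machine. The two DNs below are constructed for the illustration, following the thread's [US-CA]/[US-KY] hypothetical; the registration numbers and hostnames are invented and do not come from any real certificate.

```python
"""EV subject DN parsing and identity extraction. Constructed illustration;
the sample DNs are invented and follow the thread's US-CA / US-KY hypothetical."""

import re
from typing import Dict, List, Tuple

# EV subject attributes (CA/Browser Forum EV Guidelines). The jurisdiction*
# attributes have no short names in most tools and appear as dotted OIDs.
EV_ATTRS = {
    "2.5.4.5": "serialNumber",          # registration number in that jurisdiction
    "2.5.4.15": "businessCategory",     # e.g. "Private Organization"
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionL",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionST",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",
}

_HEX = re.compile(r"[0-9A-Fa-f]{2}")


def parse_rfc4514(dn: str) -> List[List[Tuple[str, str]]]:
    r"""Parse an RFC 4514 string into RDNs (outer list), each a list of
    (type, value). Handles backslash escapes (\, \+ \\ and \XX hex pairs,
    ASCII only), '+' inside a multi-valued RDN and ',' between RDNs.
    It does not handle '#'-prefixed BER-encoded values."""
    rdns: List[List[Tuple[str, str]]] = []
    rdn: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr_type = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape")
            pair = dn[i + 1:i + 3]
            if _HEX.fullmatch(pair):
                buf.append(chr(int(pair, 16)))   # \2C -> ","
                i += 3
            else:
                buf.append(dn[i + 1])            # \, \+ \\ etc.
                i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type = "".join(buf).strip()
            buf = []
        elif c in ",+":
            if attr_type is None:
                raise ValueError("value without attribute type")
            rdn.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("value without attribute type")
    rdn.append((attr_type, "".join(buf).strip()))
    rdns.append(rdn)
    return rdns


def dn_attrs(dn: str) -> Dict[str, str]:
    """Flatten the DN to {attribute: value}, naming the EV OIDs."""
    return {EV_ATTRS.get(t, t): v for rdn in parse_rfc4514(dn) for t, v in rdn}


def is_ev_subject(dn: str) -> bool:
    a = dn_attrs(dn)
    return all(k in a for k in ("O", "businessCategory", "jurisdictionC", "serialNumber"))


def ev_identity(dn: str) -> Tuple[str, str, str, str]:
    """The tuple that identifies an EV subject: organization name plus the
    jurisdiction of incorporation and its registration number there. The O
    field on its own is not unique, which is the two-Stripes problem."""
    if not is_ev_subject(dn):
        raise ValueError("not an EV subject: missing O, businessCategory, jurisdictionC or serialNumber")
    a = dn_attrs(dn)
    return (a["O"], a["jurisdictionC"], a.get("jurisdictionST", ""), a["serialNumber"])


def display_label(dn: str) -> str:
    """Name plus jurisdiction, the "[country/state]" rendering discussed above."""
    org, country, state, _ = ev_identity(dn)
    return f"{org} [{'/'.join(x for x in (country, state) if x)}]"


# Constructed subject DNs; registration numbers and hostnames are invented.
STRIPE_CALIFORNIA = (
    "CN=stripe.example,O=Stripe\\, Inc.,L=San Francisco,ST=California,C=US,"
    "2.5.4.15=Private Organization,2.5.4.5=C0000001,"
    "1.3.6.1.4.1.311.60.2.1.2=California,1.3.6.1.4.1.311.60.2.1.3=US"
)
STRIPE_KENTUCKY = (
    "CN=stripe-lookalike.example,O=Stripe\\, Inc.,L=Louisville,ST=Kentucky,C=US,"
    "2.5.4.15=Private Organization,2.5.4.5=K0000001,"
    "1.3.6.1.4.1.311.60.2.1.2=Kentucky,1.3.6.1.4.1.311.60.2.1.3=US"
)

if __name__ == "__main__":
    for dn in (STRIPE_CALIFORNIA, STRIPE_KENTUCKY):
        print(display_label(dn), ev_identity(dn))
```

Whether a user would notice "[US/Kentucky]" in an address bar is carnage's point and this does not change it; what the example shows is that a verifier, a certificate-transparency monitor or a pinning policy can key on the full identity tuple rather than on the organization string.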
-
@carnage it's nipple tape, not a pastie.
-
@cvi said in From the people who brought you "referer"...:
Meh. If more sites had switched to https proactively instead of waiting until it's forced down their throat, maybe we wouldn't be in this situation.
Sounds like someone has been reading a lot of Troy Hunt's retweets...
-
@ben_lubar said in From the people who brought you "referer"...:
@cvi said in From the people who brought you "referer"...:
Meh. If more sites had switched to https proactively instead of waiting until it's forced down their throat, maybe we wouldn't be in this situation.
Sounds like someone has been reading a lot of Troy Hunt's retweets...
We did his "Hack yourself first" course and it was interesting. He only lives about 40 km from me.
-
@pie_flavor said in From the people who brought you "referer"...:
What's that in normal units?
40km.
-
@pie_flavor said in From the people who brought you "referer"...:
@zemm said in From the people who brought you "referer"...:
40 km
What's that in normal units?
40,000 metres.
-
@bulb said in From the people who brought you "referer"...:
The certification authorities should have some legal obligations and responsibilities
The CA validated the TLS key to the corporation as required. It’s just that the entities involved in the registration of the corporation did little to no validation of the individuals listed as controlling the corporation.
-
@ben_lubar I don't twitter, but I'm sure I'm not the only one with that opinion.
-
@cvi said in From the people who brought you "referer"...:
@ben_lubar I don't twitter, but I'm sure I'm not the only one with that opinion.
It's not an opinion, it's evidence like this:
-
@ben_lubar wow, I watch Lunduke sometimes and sometimes he has some pretty paranoid opinions, but that's some extreme paranoia there.
-
@hungrier said in From the people who brought you "referer"...:
has a green padlock, that means I can enter all my banking information into it!"
To be fair though, the banks themselves basically tell you that.
So, the only difference is that there's no EV tag on the fake impersonator, but who is going to make sure that the green bar is big with specific words?
-
@tsaukpaetra If an impersonator can get a valid certificate for www.bankofamerica.com, they can probably forge their own EV certificate.
-
@ben_lubar said in From the people who brought you "referer"...:
@tsaukpaetra If an impersonator can get a valid certificate for www.bankofamerica.com.aerovaer.9vareuna35gvarv8.pl, they can probably forge their own EV certificate.
Sure, why not?
-
@tsaukpaetra said in From the people who brought you "referer"...:
@ben_lubar said in From the people who brought you "referer"...:
@tsaukpaetra If an impersonator can get a valid certificate for www.bankofamerica.com.aerovaer.9vareuna35gvarv8.pl, they can probably forge their own EV certificate.
Sure, why not?
That's why browsers should show the TLD+1 in a different color than the rest of the domain.
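The computation behind that highlight, as an added example (not code from ben_lubar or from any browser): the registrable domain is the public suffix plus one label, and the public suffix is the longest match against the Public Suffix List. The list embedded here is a constructed subset, and the look-alike hostname is the one from ben_lubar's quoted line. The example also generalizes a step beyond the quoted case: it converts IDN labels to punycode first, so a Unicode look-alike label cannot pass as the ASCII domain.

```python
"""Registrable-domain ("TLD+1") extraction, the piece a browser needs in
order to highlight the part of a hostname that somebody actually registered."""

# Constructed subset of the Public Suffix List (publicsuffix.org). A real
# implementation loads the full list, which also has wildcard ("*.ck") and
# exception ("!www.ck") rules that this subset does not model.
PUBLIC_SUFFIXES = frozenset({
    "com", "net", "org", "io", "sh", "tv",
    "pl", "com.pl", "uk", "co.uk",
})


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and convert IDN labels to punycode so
    a look-alike Unicode label cannot masquerade as the ASCII domain."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def public_suffix(host: str, suffixes=PUBLIC_SUFFIXES) -> str:
    """Longest suffix on the list wins ("co.uk" beats "uk"); an unlisted TLD
    is treated as a one-label suffix, as browsers do."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1]


def registrable_domain(host: str, suffixes=PUBLIC_SUFFIXES):
    """Public suffix plus one label: what the registrant actually controls.
    Returns None for a bare suffix such as "co.uk"."""
    host = normalize_host(host)
    suffix = public_suffix(host, suffixes)
    if host == suffix:
        return None
    owner_label = host[: -(len(suffix) + 1)].split(".")[-1]
    return f"{owner_label}.{suffix}"


def split_for_display(host: str, suffixes=PUBLIC_SUFFIXES):
    """(dimmed prefix, highlighted registrable domain), the way an address
    bar that colours TLD+1 differently would render the hostname."""
    host = normalize_host(host)
    reg = registrable_domain(host, suffixes)
    if reg is None:
        return "", host
    return host[: len(host) - len(reg)], reg


def same_site(host: str, expected: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """True only when host is registered under the same domain as expected."""
    return registrable_domain(host, suffixes) == registrable_domain(expected, suffixes)


def naive_contains(host: str, expected: str) -> bool:
    """The substring test that a look-alike hostname is built to pass."""
    return expected.lower() in host.lower()


if __name__ == "__main__":
    for h in ("www.bankofamerica.com",
              "www.bankofamerica.com.aerovaer.9vareuna35gvarv8.pl",
              "www.example.co.uk"):
        prefix, reg = split_for_display(h)
        print(f"{prefix}[{reg}]  same site as bankofamerica.com: "
              f"{same_site(h, 'bankofamerica.com')}  naive: {naive_contains(h, 'bankofamerica.com')}")
```

The highlight is only as good as the suffix list: a stale list that lacks a newly delegated second-level suffix would highlight the suffix itself instead of the registrant's label, so the list has to be updated with the browser, not shipped once.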
-
@ben_lubar said in From the people who brought you "referer"...:
@tsaukpaetra said in From the people who brought you "referer"...:
@ben_lubar said in From the people who brought you "referer"...:
@tsaukpaetra If an impersonator can get a valid certificate for www.bankofamerica.com.aerovaer.9vareuna35gvarv8.pl, they can probably forge their own EV certificate.
Sure, why not?
That's why browsers should show the TLD+1 in a different color than the rest of the domain.
And users totally know to look for that.
-
@masonwheeler said in From the people who brought you "referer"...:
Try reading The Cuckoo's Egg sometime, if you haven't already. It's the true story of an ordinary university sysadmin in the 1980s who found someone in his system, and spent months tracking him back and back through multiple links and networks before finally uncovering the hacker's identity. A lot's changed since then, but there's a lot that hasn't too, and it's one of those books that everyone in our business ought to read.
Dude! This is one great book! I followed your recommendation and am now halfway through. It’s a real freaking thriller!
-
@kt_ I know, right? You wouldn't expect it from the description, the way it's a true story and all, but it's kind of a real-life spy thriller story. (Except that there isn't any point where Cliff gets shot at. :P )
-
@masonwheeler said in From the people who brought you "referer"...:
@kt_ I know, right? You wouldn't expect it from the description, the way it's a true story and all, but it's kind of a real-life spy thriller story. (Except that there isn't any point where Cliff gets shot at. :P )
Exactly. And the best thing — it’s available in the Open Library, so I grabbed a copy from there, while I’m waiting for Book Depository to deliver a physical copy.
It’s full of twists and turns, I’m just sucked in, can’t stop reading. Extremely good thing, much recommended.
-
@bulb said in From the people who brought you "referer"...:
public notaries
Ugh. My one encounter with an American notary involved a bizarre statement on his part.
My university insisted that I got Document X notarised (sorry, I don't remember what it was), so off I went in search of a notary. I found one near where I lived, and went to see him.
He went through what needed to be done, and then said that I had to sign the paper in front of him. OK, fair enough, that way he knows that I signed it. So I signed it in the real-world equivalent of "S T Cynic", which he didn't like. So far, so ... um ... whatever.
Then he complained that "S T Cynic" was "not a signature". He didn't say, "Sorry, I meant that you have to sign your full name," or something like that. No, he decided that something that the INS (for my pink laminated plastic thing(1)), the British passport authorities, all my banks, my credit cards, American Express(2), and in fact every "authority" situation I had encountered since I was about seven years old ALL accepted as my signature was, in fact, NOT a signature.
(1) Better known as a "green card" although at the time I got mine, 1984 or so, none of it was green and it wasn't made of card either.
(2) I got my first American Express green card (while I was still a student) by signing a document and returning it to them. A gold card followed a year later on exactly the same basis. I went in a PC-parts shop after the green one arrived and presented it to pay for whatever it was I bought. The guy treated it exactly the same as if I had presented him a week-dead fish.
-
@masonwheeler said in From the people who brought you "referer"...:
Except that there isn't any point where Cliff gets shot at
Yeah, but his poor shoes!
-
@greybeard said in From the people who brought you "referer"...:
@masonwheeler said in From the people who brought you "referer"...:
Except that there isn't any point where Cliff gets shot at
Yeah, but his poor shoes!
Exactly. He violated the code of a shoe owner!