Facebook security chap finds 10 Superfish sub-species

Facebook security researcher Matt Richard says The Social Network™ has found at least ten more outfits using the library that gave the Superfish bloat/ad/malware its nasty certificate-evading powers. Richard, a “threats researcher” on Facebook's security team, writes that in 2012 Facebook “... started a project with …

  1. cantankerous swineherd

    SSL is broken, the internet is a snake pit etc etc.

    1. pompurin

      Yep, the whole problem with SSL is it is based on 100% Trust.

      I can trust someone 100%, but I don't trust their judgement on other people 100%.

      Take a look at any browser certificates and you'll see a whole lot of companies you would never personally trust, you are just taking Firefox/Chrome/IE's word for it. Unsurprisingly this is how the browser makers make some of their income.

      1. tony72

        "Take a look at any browser certificates and you'll see a whole lot of companies you would never personally trust, "[...]

        I think you may be making some incorrect assumptions about what these certificates mean. They are purely and simply there to certify that a given web site belongs to a given organisation. They are not there in order to imply "trust" in any more general sense.

        "[...] you are just taking Firefox/Chrome/IE's word for it. Unsurprisingly this is how the browser makers make some of their income."

        Umm, no. The browser makers do not issue certificates or make any money from them. They can block fraudulent certificates, and they can require certain information from certificate issuers to ensure that the certificates they issue are valid.

        1. Anonymous Coward
          Anonymous Coward

          > I think you may be making some incorrect assumptions about what these certificates mean. They are purely and simply there to certify that a given web site belongs to a given organisation.

          Yes, but they don't do this directly. The entire system is based on the fact that there is a "trusted authority" which can attest that the entire certificate chain from root to signer is valid. You implicitly have to trust everyone in that chain not to have leaked a key, or the security of the chain is DOA.

          The entire scheme is trust based, and the OP is correct - most of those certificate signers I wouldn't trust at all (I have never heard of them, so why would I trust them or their processes to keep their signing keys safe?). However, as most websites are only signed via one CA you don't get a choice - you either accept the certificate or go elsewhere (which is a choice, just not a very useful one).

          Personally I would say that there isn't enough visibility of how any of the certificate vendors or their processes actually work, so the security processes involved are totally opaque. That's not really trust - that's just taking everything on faith - and that's no real way to build a security system.

  2. Mystic Megabyte
    Gimp

    Level the playing field

    It should be made illegal for Windows to be pre-installed on any device not made by Microsoft.

    By pre-installed I mean already licensed, AKA the Windows tax.

    So when booting up your new device you would have the option to pay and use a bloatware free version of Windows or just delete the lot and install Linux.

    Ideally, a menu would offer the following options, "Pay £100 and use Windows or pay £0 and use Linux".

    Do we have any politicians that care for anything other than their own interests?

    1. Nigel 11

      Re: Level the playing field

      Better ideas would be for Microsoft to make it a condition of sale to OEMs, to make it a breach of T&Cs to preinstall any software that changes the root certificates which Microsoft distributes. Or even better, to make it a breach of T&Cs to preinstall any software at all, other than that explicitly requested by the purchaser. Or to insist that every system comes with a DVD that will reinstall to a Microsoft-only configuration, so every user can do what well-informed corporates routinely do: nuke and reinstall from trusted media on receipt.

      Failing which, governments should legislate against preinstalled software that makes privileged changes to an operating system or which is otherwise non-trivial to perfectly un-install.

      Wonder if there's any chance of a class action against Microsoft, for not taking any steps to pre-emptively avoid this disaster?

      Yes, the "Windows tax" rankles with me too, but a heck of a lot less than the implications of this particular bit of brain-dead slimeware.

      1. Just Enough

        Re: Level the playing field

        If Microsoft tried this they would end up with another antitrust judgement, just like when they first bundled IE with Windows to freeze out Netscape.

        They cannot tell manufacturers not to install other companies' software.

        1. Anonymous Coward
          Anonymous Coward

          @Just Enough - Re: Level the playing field

          I would not count on that. Technically and legally, to this day Microsoft cannot force a manufacturer to install only Windows (hint: undisclosed discounts on Windows license pricing that will be revoked if they don't play nice). That doesn't mean they are not blocking OEMs from installing other OSes. Let's not be silly!

    2. Just Enough
      Facepalm

      Re: Level the playing field

      So you're saying we should have a compulsory duopoly by law? Linux or Windows. Nice.

      Every person buying a computer, before they can even start to use it, has to spend two hours setting up the OS, making decisions that they generally haven't a clue about. Also nice.

      And at what point would they pay the £100?

      1. Tom 38

        Re: Level the playing field

        You don't have to use Linux, you can use BSD, FreeDOS, Plan 9, BeOS, CP/M - anything you like!

    3. Anonymous Coward
      Anonymous Coward

      Re: Level the playing field

      And why not any BSD or even another OS? Is Linux the only other choice? And what distro of Linux? Not every distro costs nothing, after all. Only "free" ones should be allowed? And if so, why? Such an approach would be "religious", not "commercial", sorry.

      I could agree that PCs should be sold - or at least available - without a pre-installed OS - I use Windows, but usually don't use the OEM license that comes with them, especially when it's a "home" one and I have my full pro/ultimate ones (my PC upgrades usually don't match OS ones).

      But most people in the non-IT market want a PC they turn on and it works - without going through a lengthy install process. Tablets and phones have also made them more used to a "turn on and use" approach.

      That's why PCs aimed at business users can be ordered without an OS license - someone will take care to install the OS, but most consumer ones can't.

      PS: sorry, but a Windows OEM license is cheaper than £100.

  3. mathew42
    Big Brother

    Just like the corporate world

    If you have a Windows PC on a corporate domain then odds are the IT department is doing exactly the same thing. The firewall is almost certainly decrypting your SSL sessions, checking the content and re-encrypting the content before sending it to the original site.

    If you are lucky they might have whitelisted major financial institutions.

    1. Lyndon Hills 1

      Re: Just like the corporate world

      Not sure why the downvotes? Maybe saying "odds are" is too speculative, but it's certainly possible. I remember (I think a Dell) firewall appliance where the manual had a section of instructions explaining exactly how to do this.

      1. Tom 13

        Re: Not sure why the downvotes?

        Well, he was okay until he got to:

        If you are lucky they might have whitelisted major financial institutions.

        At which point it's obvious he's just taking a piss.

    2. Anonymous Coward
      Anonymous Coward

      Re: Just like the corporate world

      Yep, the only way to do DPI on SSL traffic.

  4. Anonymous Coward
    Anonymous Coward

    Certificate Pinning in DNS guys!

    RFC 6698 - DANE

    Include your genuine certificate SHA256 in your DNS records people!
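Added example (my code, not the commenter's, and not anything The Register or Facebook published): it builds the TLSA record RFC 6698 describes for a server certificate and checks a presented certificate against it. Usage 3, selector 1, matching type 1 is the "SHA-256 of the genuine key in DNS" form the comment recommends. It also illustrates the corporate-firewall comment above: a certificate minted by an interception proxy for the same host carries a different public key, so the match fails. The certificate is a constructed, unsigned DER skeleton with placeholder key and signature bytes; the DER walker assumes well-formed definite-length DER; all function names are my own.

```python
"""Build and verify a DANE TLSA record (RFC 6698) against a certificate."""
import hashlib

SEQUENCE = 0x30
CONTEXT0 = 0xA0  # [0] EXPLICIT version field inside TBSCertificate


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Read the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos += 2 + k
    return tag, buf[pos:pos + n], pos + n


def der_children(content: bytes):
    """Yield (tag, content) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo from an X.509 Certificate (RFC 5280 4.1)."""
    _, cert_body, _ = der_read(cert_der)          # Certificate ::= SEQUENCE
    tbs_tag, tbs_body, _ = der_read(cert_body)    # tbsCertificate
    assert tbs_tag == SEQUENCE
    fields = list(der_children(tbs_body))
    if fields[0][0] == CONTEXT0:                  # optional version shifts the rest
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    tag, spki_body = fields[5]
    assert tag == SEQUENCE
    return der_encode(SEQUENCE, spki_body)


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA RDATA in presentation form: '<usage> <selector> <mtype> <hex>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data                              # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(record: str, presented_cert_der: bytes) -> bool:
    """Does the presented certificate satisfy the TLSA record?  Usages 0-2 would
    additionally need PKIX chain validation, which this DANE-EE check skips."""
    usage, selector, mtype, assoc = record.split()
    computed = tlsa_rdata(presented_cert_der, int(usage), int(selector), int(mtype))
    return computed.split()[3] == assoc.lower()


def constructed_certificate(pubkey_bits: bytes) -> bytes:
    """Constructed test data: a structurally valid but unsigned Certificate DER."""
    INTEGER, OID, BITSTRING, UTCTIME, NULL = 0x02, 0x06, 0x03, 0x17, 0x05
    version = der_encode(CONTEXT0, der_encode(INTEGER, b"\x02"))              # v3
    serial = der_encode(INTEGER, b"\x01")
    sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"                       # 1.2.840.113549.1.1.11
    sig_alg = der_encode(SEQUENCE, der_encode(OID, sha256_rsa) + der_encode(NULL, b""))
    name = der_encode(SEQUENCE, b"")                                            # empty Name placeholder
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"150101000000Z")
                          + der_encode(UTCTIME, b"160101000000Z"))
    rsa_oid = der_encode(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
    spki = der_encode(SEQUENCE, der_encode(SEQUENCE, rsa_oid + der_encode(NULL, b""))
                      + der_encode(BITSTRING, b"\x00" + pubkey_bits))
    tbs = der_encode(SEQUENCE, version + serial + sig_alg + name + validity + name + spki)
    signature = der_encode(BITSTRING, b"\x00" * 17)                             # placeholder, not real
    return der_encode(SEQUENCE, tbs + sig_alg + signature)


if __name__ == "__main__":
    genuine = constructed_certificate(b"\x01\x02\x03")
    proxy_minted = constructed_certificate(b"\x09\x09\x09")   # same host, different key
    record = tlsa_rdata(genuine)
    print("_443._tcp.example.test. IN TLSA", record)
    print("genuine matches:", tlsa_matches(record, genuine))
    print("proxy cert matches:", tlsa_matches(record, proxy_minted))
```

Selector 1 (the public key rather than the whole certificate) is the usual choice because the record survives a certificate renewal that keeps the same key pair; selector 0 would have to be republished on every reissue.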

    1. Anonymous Coward
      Anonymous Coward

      Re: Certificate Pinning in DNS guys!

      Until they hijack DNS as well?

    2. Anonymous Coward
      Anonymous Coward

      Re: Certificate Pinning in DNS guys!

      DANE needs DNSSEC as a prerequisite.

      I'm happy setting up IPv6 reverse zones from scratch for BIND via a text editor (oh God the zeros) but DNSSEC scares me 8)

      1. asdfasdfasdfasdf

        Re: Certificate Pinning in DNS guys!

        It's actually fairly easy to set up DNSSEC...

        dnssec-keygen -K <keydir> -a RSASHA256 -b 2048 -f KSK mydomain.com

        dnssec-keygen -K <keydir> -a RSASHA256 -b 2048 mydomain.com

        dnssec-signzone -e +1y -K <keydir> -o mydomain.com zoneFile

        And paste the output of this in the parent zone (alongside your NS record).

        dnssec-dsfromkey <KSK.key>
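Added example (my code, not the commenter's): what the final step, `dnssec-dsfromkey`, computes. It derives the RFC 4034 key tag and the DS digest over the owner name in wire form followed by the DNSKEY RDATA, and can read a BIND-style `DNSKEY` line like the one in the KSK `.key` file. The DNSKEY below is constructed with placeholder key bytes rather than a real RSA key; function names are my own.

```python
"""Compute a DS record from a DNSKEY (RFC 4034 sections 5.1.4 and Appendix B)."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels,
    terminated by the zero-length root label (RFC 4034 s6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the parent zone:
    '<owner>. IN DS <keytag> <alg> <digest type> <HEX>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Parse 'owner [TTL] IN DNSKEY flags proto alg base64...' (the KSK .key
    file format) and return the matching DS record."""
    parts = line.split()
    owner = parts[0]
    i = parts.index("DNSKEY")
    flags, proto, alg = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    pubkey = base64.b64decode("".join(parts[i + 4:]))   # key may be split over fields
    return ds_record(owner, flags, proto, alg, pubkey, digest_type)


if __name__ == "__main__":
    # Constructed KSK line: flags 257 = zone key + SEP, protocol 3, algorithm 8 (RSASHA256)
    ksk_line = "mydomain.com. IN DNSKEY 257 3 8 AQI="   # placeholder key bytes 01 02
    print(ds_from_dnskey_line(ksk_line))
```

Only the KSK (flags 257, the `-f KSK` key from the first `dnssec-keygen` above) needs a DS in the parent; the ZSK is vouched for by the KSK's signature over the child's DNSKEY RRset.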

  5. Anonymous Coward
    Pirate

    All your secure tunnel are belong to us

    1. Looper
      Pirate

      All your secure tunnel are belong to us...

      ...you have no chance to survive. Make your time...
