Welcome to the php ebenezer's messageboard
ssl (20/09/17 18:15:11) Reply
    I found two interesting developments in the treatment of web traffic. Browsers in the very near future want to force everything through https - basically disabling any http traffic for non-technical people. The good side is that your data - particularly anything a user submits through a form - should be more secure than sending it in the clear.
    The not as good side is that all websites need to:
    -spend money on certificates.
    -reveal their identity
    -or spend more money on hiding their identity.
    (Roll back the clock to '95. There wouldn't be Fravia - at least not for long.)

    Now the OTHER thing seems to be more interesting and maybe solves the top problem together with others. Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, targets the problem that certification authorities are scopeless - basically ANY CA on your browser's built-in list can validate ANY website - which is pretty brainless IMO. CAA is supposed to solve this by giving the CAs scope:

    "CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames. It operates via a new DNS resource record (RR) called CAA (type 257). Owners can restrict certificate issuance by specifying zero or more CAs; if a CA is allowed to issue a certificate, their own hostname will be in the DNS record."

    Now it seems that if a website owner wants to issue a certificate, the only thing they need to control is their DNS - which looks more friendly right now.

    I for one have a RootCA generating Intermediates for my .nets and .orgs, which generate certs for all the subdomains. BUT because my RootCA is self-validated as well, if any of my friends want to get to those sites they need to be able and willing to import my CA (chain) into their browser (inconvenient/difficult/could even be risky). Now if my DNS could define my CA, that would be wonderful.
have
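The CAA mechanism described in the post above (the type 257 record, "zero or more CAs" in the whitelist) is small enough to walk through in code. The following is an added example, not part of the original post or of any CA's software: it decodes the CAA wire format (flags byte, tag length, tag, value) and then applies the issuance check a CA is required to perform, climbing from the requested hostname toward the root until it finds a CAA RRset, honouring the "issuer critical" flag and the `issue`/`issuewild` distinction. DNS lookups are replaced by a constructed zone table so it runs offline; the hostnames and CA names in that table are made up for illustration.

```python
"""CAA (RFC 6844, updated by RFC 8659) wire-format decoding and issuance check.

Added example: DNS is replaced by the constructed ZONE table below so the
script runs offline. All names in ZONE are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL_FLAG = 0x80  # bit 7 of the flags byte: "issuer critical"


@dataclass(frozen=True)
class CAARecord:
    flags: int   # RFC 6844 flags byte
    tag: str     # 'issue', 'issuewild', 'iodef', or something unknown
    value: str   # e.g. 'letsencrypt.org' or 'letsencrypt.org; validationmethods=dns-01'

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA: flags(1 byte) | tag length(1 byte) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return CAARecord(flags, tag, value)


def issuer_domain(value: str) -> str:
    """The CA's domain from an issue/issuewild value; parameters after ';' are dropped.
    An empty domain (value ';') means 'nobody may issue'."""
    return value.split(";", 1)[0].strip().lower()


def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> Optional[List[CAARecord]]:
    """Climb from `name` toward the DNS root and return the first non-empty CAA RRset.
    Returns None when no ancestor publishes CAA, i.e. issuance is unrestricted."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return None


def may_issue(zone: Dict[str, List[CAARecord]], name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue a certificate for `name` (or '*.name' if wildcard)."""
    rrset = relevant_caa_set(zone, name)
    if rrset is None:
        return True  # no CAA anywhere in the tree: any CA may issue
    # A critical record with a tag the CA does not understand forbids issuance outright.
    if any(r.critical and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # For wildcard requests issuewild records take precedence when present;
    # otherwise issue records govern both wildcard and non-wildcard names.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    governing = [r for r in rrset if r.tag == tag]
    if not governing:
        return True  # e.g. only an iodef record: nothing restricts issuance
    return any(issuer_domain(r.value) == ca.lower() for r in governing)


# Constructed zone data standing in for DNS answers (hostnames and CAs are made up).
ZONE: Dict[str, List[CAARecord]] = {
    "example.org": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),                      # no wildcard certs at all
        CAARecord(0, "iodef", "mailto:hostmaster@example.org"),
    ],
    "locked.example.org": [CAARecord(CRITICAL_FLAG, "future-tag", "x")],
    "open.example.net": [CAARecord(0, "iodef", "mailto:hostmaster@example.net")],
}

if __name__ == "__main__":
    rec = parse_caa_rdata(b"\x00\x05issueletsencrypt.org")
    print(rec)
    for host, ca, wild in [("www.example.org", "letsencrypt.org", False),
                           ("www.example.org", "other-ca.example", False),
                           ("example.org", "letsencrypt.org", True),
                           ("sub.locked.example.org", "letsencrypt.org", False),
                           ("host.example.com", "anyone.example", False)]:
        print(f"{'*.' if wild else ''}{host} by {ca}: {may_issue(ZONE, host, ca, wild)}")
```

Note the asymmetry the post points at: the record only restricts which CAs may issue; a CA that is not in the browser's trust store gains nothing from being named in CAA, so a private root still has to be imported on the client side.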

Re: ssl (20/09/17 21:29:47) Reply
    Wow.

    Does this mean that new communities need to begin by people knowing each other first? No way of repeating the fravia (initial honeypot)->inux-seeker-newbie-ebmb cluster development?
e

Re: ssl (23/10/17 22:44:04) Reply
    Browsers in the very near future want to force everything through https - basically disabling any http traffic for non-technical people.

    This *is* good. Although you should keep in mind that TLS is only as strong an encryption as the ciphers and hash algorithms you use.


    The not as good side is that all websites need to:
    -spend money on certificates.


    Nope. Unfortunately StartSSL damaged the field very badly. But there's still https://letsencrypt.org and cacert.org. Most unfortunately, the latter is not welcomed by the major browsers. Letsencrypt, though, *is*. So you do have free certificates at your hands. Most professional web hosting companies offer comparably cheap "professional" certificates as well.

    -reveal their identity
    Why? When you order a TLS certificate, you can create your own CSR. What information you put into that request is your choice.


    -or spend more money on hiding their identity.
    (Roll back the clock to '95. There wouldn't be Fravia - at least not for long.)


    IBTD. Especially Fravia would have found enough people helping out. Ever searched whois for the different domains you could then use to get access to his website?

    "CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames. It operates via a new DNS resource record (RR) called CAA (type 257). Owners can restrict certificate issuance by specifying zero or more CAs; if a CA is allowed to issue a certificate, their own hostname will be in the DNS record."

    Hadn't seen this before. Will have to read up.

    Later,
    GS
gs


messageboard's PHP script is a courtesy of Laurent