A couple of years back a random sprout appeared in the yard. It looked like a volunteer avocado and grew bizarrely fast. After a few years, it is about 15′ tall and this year it fruited for the first time. It really is an avocado tree.
I’m dealing with the hassle of setting up certs for a new site over the last few days. It means using startcom’s certs because they’re pretty good (only one security breach) and they have a decently low-hassle free certificate that won’t trigger BS warnings in browsers marketing fake cert mafia placebo security products to unwitting users. (And the CTO answers email within minutes well past midnight.)
And in the middle of this, news of another breach to the CA system was announced on the heels of Lenovo’s SuperFish SSL crack, this time a class break that resulted in a Chinese company being able to generate the equivalent of a lawful intercept cert and provided it to a private company. Official lawful intercept certificates are a globally used tool to silently crack SSL so official governments can monitor SSL encrypted traffic in compliance with national laws like the US’s CALEA.
But this time, it went to a private company and they were using it to intercept and crack Google traffic, and Google found out. The absurdity is to presume that this is an infrequent event. Such breaches (and a “breach” isn’t a lawful intercept tool, which are in constant and widespread use globally, but such a tool in the “wrong” hands) happen regularly. There’s no data on the ratio of discovered breaches to undiscovered breaches, of course. While it is possible that they are always found, seemingly accidental discoveries suggest far wider misuse than generally acknowledged.
The cert mafia should be abolished. Certificate authorities work for authoritarian environments in which a single entity is trusted by fiat as in a dictatorship or a company. The public should trust public opinion and a tool like Perspectives would end these problems as well as significantly lower the barrier to a fully encrypted web as those of us trying to protect our traffic wouldn’t need to choose between forking over cash to the cert mafia for fake security or making our users jump through scary security messages and complex work-arounds.
- CoreELEC/Kodi on a Cheap S905x Box
- WebP and SVG
- Dealing with Apple Branded HEIF .HEIC files on Linux
- Integrate Fail2Ban with pfSense
- Save your email! Avoid the Thunderbird 68 update
- Frequency of occurrence analysis in LibreOffice
- Lets encrypt with security/dehydrated (acme-client is dead)
- Update Waterfox with the new PPA on Mint 19.1
- 1976 GMC Suburban
- Ruby config options fail
- Recent Comments
- Post History