Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re^8: SSL on PerlMonks

by Your Mother (Archbishop)
on Sep 27, 2017 at 15:09 UTC ( [id://1200205]=note: print w/replies, xml ) Need Help??


in reply to Re^7: SSL on PerlMonks
in thread SSL on PerlMonks

Proof that using more secure technology makes the web less secure. It's completely counter intuitive to me, like saying pouring more water on something makes it drier. So I would like to see some external, objective validation of the assertion instead of anecdote and conjecture.

Replies are listed 'Best First'.
Re^9: SSL on PerlMonks
by Anonymous Monk on Sep 27, 2017 at 15:25 UTC
    "The more you tighten your grip, the more systems will slip through your fingers." -- Princess Leia
[reply]
Re^9: SSL on PerlMonks
by perl-diddler (Chaplain) on Sep 29, 2017 at 22:41 UTC
    If using the "more secure" technology results in more "Entities" intercepting and bumping SSL traffic, then security has been lowered. I'm not saying "how much" it is lowered. It's like open-source If you have specific needs or wants, you are welcome to submit your own work. Your attitude feels a bit demanding -- because you don't like that more people are routinely breaking open SSL streams, you want figures on how much. I'd like to see those too -- so if you want to find out and share the information with us, that'd be great!

    In addition to the uptick in those asking how to do SSL bumping (start w/squid-users list and its archives and view the number asking for how to do it, or look at the squid-cache wiki and see the info on how to set it up and note that it wasn't available 10 years ago. People wouldn't take the time to publish how-to's in a wiki if there was no demand. Five-ten years ago, most of the questions were about how to cache various types of content or block it. Now a fair percentage is related to SSL bumping. If you want exact percentages, you are welcome to peruse the archives or google search for those making mistakes with certs.

    Dell, for example, installed a root-cert with the private key on all Dell computers that is reinstalled via their update service (https://www.grc.com/sn/sn-535-notes.pdf). Other discussions are going on about whether or not USA certs are trustworthy with the CIA, apparently being caught with more than one suborned root-cert (https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/istISpHpMqE). I've seen articles that talk about companies (including some ISP's) purchasing suborned root-certs for their network/customers.

    Since https has become more common, more entities have decided to find ways to intercept and crack that traffic. If you want details as to amounts, you are welcome to contribute... You should feel lucky -- it's not like it is a closed-project where you can't contribute.

[reply]

      I find the assertion that the more https traffic goes through the web, the less secure the web is to be in the same realm as “the Earth is flat.” It’s an outrageous assertion from my perspective and requires evidence, not conjecture, or it should be dismissed outright. Consider a corollary to your assertion: If all https traffic were switched to http, the web would be more secure.

[reply]

In Section Perl Monks Discussion

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://1200205]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others having a coffee break in the Monastery: (6)
As of 2024-04-25 08:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found