Comments on: SSL Infoporn http://blog.johnath.com/2007/08/20/ssl-infoporn/ johnath in blog form Thu, 26 Jan 2012 13:11:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: [cite required] « Dan Kaminsky's Blog http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-215515 [cite required] « Dan Kaminsky's Blog Mon, 29 Nov 2010 18:21:31 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-215515 [...] in my Black Hat 2008 slides.  I went and tracked this down, and I actually picked this up from the Meandering Wildly blog.  Looks like I misread this a bit — a previous dataset had come from Consumer Reports, [...] [...] in my Black Hat 2008 slides.  I went and tracked this down, and I actually picked this up from the Meandering Wildly blog.  Looks like I misread this a bit — a previous dataset had come from Consumer Reports, [...]

]]> By: meandering wildly » SSL Infoquickie (with Bonus Firefox Pro-Tip!) http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-211301 meandering wildly » SSL Infoquickie (with Bonus Firefox Pro-Tip!) Tue, 21 Oct 2008 13:35:31 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-211301 [...] with some interesting figures, and occasionally makes some of that data public, and I’ve blogged about other sources in the past, but in general, it’s pretty sparse. I keep meaning to do something coordinated [...] [...] with some interesting figures, and occasionally makes some of that data public, and I’ve blogged about other sources in the past, but in general, it’s pretty sparse. I keep meaning to do something coordinated [...]

]]> By: Royal Pingdom » New SSL policy in Firefox hurting tens of thousands of sites http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-195226 Royal Pingdom » New SSL policy in Firefox hurting tens of thousands of sites Tue, 19 Aug 2008 08:34:45 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-195226 [...] SSL certificates are actually quite common. According to a study by Venafi, referenced here, as many as 18% of the Fortune 1000 websites have expired SSL [...] [...] SSL certificates are actually quite common. According to a study by Venafi, referenced here, as many as 18% of the Fortune 1000 websites have expired SSL [...]

]]> By: shirish http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-73307 shirish Sun, 09 Sep 2007 17:59:01 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-73307 Hi all, I'm from a developing country, India, and trying with small businesses to help them set them set up things right. The problem for small businesses is mani-fold. The growing pains are unbelievable. Unlike big businesses, they can't buy domains for n no. of years and even that is a questionable decision in themselves. For e.g. I know one business who has been in the local mkt. (City-based) for 8-9 yrs, now if he wants to make an on-line presence how much time it would take? Right from domain charges, SSL charges (now is that multi-yr. or what)? Also who is a good CA? How does one define that? An EV SSL would be something to the tune of Rs. 125000 is his income for a yr. Again he doesn't get any promise for better return on his money rather than say E-bay or something more community-oriented where atleast the possibility of 10 people saying that you are good/bad seller is there. Comments, suggestions all welcome. Hi all,
I’m from a developing country, India, and trying with small businesses to help them set them set up things right. The problem for small businesses is mani-fold. The growing pains are unbelievable. Unlike big businesses, they can’t buy domains for n no. of years and even that is a questionable decision in themselves. For e.g. I know one business who has been in the local mkt. (City-based) for 8-9 yrs, now if he wants to make an on-line presence how much time it would take? Right from domain charges, SSL charges (now is that multi-yr. or what)? Also who is a good CA? How does one define that? An EV SSL would be something to the tune of Rs. 125000 is his income for a yr. Again he doesn’t get any promise for better return on his money rather than say E-bay or something more community-oriented where atleast the possibility of 10 people saying that you are good/bad seller is there. Comments, suggestions all welcome.

]]> By: Johnath http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-67273 Johnath Thu, 23 Aug 2007 14:28:20 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-67273 Dolske, I agree. I think consumer reports sort of dropped the ball on that one, because there is a real cost, even to end users, for the tools you mention. And Iang - I like that life calculus! I feel a little like I'm being baited with Iang's other question, since I read his blog too, and he knows plenty about SSL, but I'll dive in anyhow. The problem I have with expired certs is that we lose revocation. With live certs from root CAs, we have (in theory) OSCP responders or CRLs to check. In practice, support for these is spotty, but one of the positive aspects of EV certs is that they compel CAs to create a better revocation infrastructure, so hooray for that. Nevertheless, expired certs don't get carried on CRLs or kept in OCSP dbs, so treating expiration more weakly than revocation creates the potential for exploitation of that difference, and impairs the ability to mitigate mistakenly issued certs. Dolske, I agree. I think consumer reports sort of dropped the ball on that one, because there is a real cost, even to end users, for the tools you mention. And Iang – I like that life calculus!

I feel a little like I’m being baited with Iang’s other question, since I read his blog too, and he knows plenty about SSL, but I’ll dive in anyhow. The problem I have with expired certs is that we lose revocation. With live certs from root CAs, we have (in theory) OSCP responders or CRLs to check. In practice, support for these is spotty, but one of the positive aspects of EV certs is that they compel CAs to create a better revocation infrastructure, so hooray for that. Nevertheless, expired certs don’t get carried on CRLs or kept in OCSP dbs, so treating expiration more weakly than revocation creates the potential for exploitation of that difference, and impairs the ability to mitigate mistakenly issued certs.

]]> By: Iang (manual trackback to blog post) http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-67262 Iang (manual trackback to blog post) Thu, 23 Aug 2007 13:44:42 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-67262 I agree that the spam cost can be measured ... it's easy. Take the time it takes someone to deal with a spam message, and extrapolate over the day's loss. Before thunderbird got good at spam detection, I was spending around 20 mins a day on it. Now it's down to 2 mins a day. Which means for every 720 users like me, the spammers owe us a life. I agree that the spam cost can be measured … it’s easy. Take the time it takes someone to deal with a spam message, and extrapolate over the day’s loss. Before thunderbird got good at spam detection, I was spending around 20 mins a day on it. Now it’s down to 2 mins a day. Which means for every 720 users like me, the spammers owe us a life.

]]> By: Iang http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-67230 Iang Thu, 23 Aug 2007 10:25:12 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-67230 Good post, many questions ... Just one for the moment: What is wrong with an expired cert? Good post, many questions … Just one for the moment:

What is wrong with an expired cert?

]]> By: Justin Dolske http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-66567 Justin Dolske Mon, 20 Aug 2007 21:01:55 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-66567 Mmm, info porn. More hot bell-curves next time? I'm into standard deviations like that. :-) But seriously... The "not applicable" for the cost of Spam seems wrong to me. While the "per incident" cost to an individual is probably effectively zero, there certainly is an aggegrate cost. I suppose Consumer Reports didn't consider things such as providers buying anti-spam tools, their time (labor) spent implementing and dealing with spam attacks, and the bandwidth and storage costs associated with all that spam. Mmm, info porn. More hot bell-curves next time? I’m into standard deviations like that. :-) But seriously…

The “not applicable” for the cost of Spam seems wrong to me. While the “per incident” cost to an individual is probably effectively zero, there certainly is an aggegrate cost. I suppose Consumer Reports didn’t consider things such as providers buying anti-spam tools, their time (labor) spent implementing and dealing with spam attacks, and the bandwidth and storage costs associated with all that spam.

]]> By: Jeremy Morton http://blog.johnath.com/2007/08/20/ssl-infoporn/comment-page-1/#comment-66546 Jeremy Morton Mon, 20 Aug 2007 19:27:23 +0000 http://blog.johnath.com/index.php/2007/08/20/ssl-infoporn/#comment-66546 I don't know where you get the idea that FF3 is taking a 'harsher' stance on bad SSL certs. The harshest thing you can do is popup a big warning dialog, which is what FF2 does. FF3 is going to be using a new identity system, which doesn't do that, and which I think is more sensible. I don’t know where you get the idea that FF3 is taking a ‘harsher’ stance on bad SSL certs. The harshest thing you can do is popup a big warning dialog, which is what FF2 does. FF3 is going to be using a new identity system, which doesn’t do that, and which I think is more sensible.

]]>