Announcement

Collapse
No announcement yet.

We need to make certs free and deprecate HTTP in favour of HTTPS with AES/TLS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • We need to make certs free and deprecate HTTP in favour of HTTPS with AES/TLS

    Seems like the tech community at large is strongly in favour of depreciating HTTP for HTTPS with AES/TLS. Like how we depreciated telnet and rsh for SSH a while back.

    Some useful utilities in light of Harper's new Internet Surveillance Law:

    HTTPS Everywhere (Firefox): http://www.eff.org/https-everywhere

    KB SSL Enforcer (Chrome): https://chrome.google.com/webstore/d...ianiofphddckof

    -----

    My Internet Privacy Platform: https://www.pirateparty.ca/forum/index.php?topic=898.0

    -----

    We need to make certs free (provided by a crown corporation) and deprecate HTTP in favour of HTTPS with AES/TLS.

    https://www.eff.org/pages/how-deploy-https-correctly

  • #2
    And they'll also be paying for the SSL certificates I would then need, right? Nah, didn't think so.

    Comment


    • #3

      The substance of the proposals that have the potential to fundamentally reshape the Internet in Canada. The bills contain a three-pronged approach focused on information disclosure, mandated surveillance technologies, and new police powers.

      The first prong mandates the disclosure of Internet provider customer information without court oversight. Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so. The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.

      While some of that information may seem relatively harmless, the ability to link it with other data will often open the door to a detailed profile about an identifiable person. Given its potential sensitivity, the decision to require disclosure without any oversight should raise concerns within the Canadian privacy community.

      The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill sets out detailed capability requirements that will eventually apply to all Canadian Internet providers. These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.

      Moreover, the bill establishes a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks).

      The bill also establishes numerous reporting requirements including mandating that all Internet providers disclose their technical surveillance capabilities within six months of the law taking effect. Follow-up reports are also required when providers acquire new technical capabilities.

      The requirements could have a significant impact on many smaller and independent Internet providers. Although the bill grants them a three-year implementation delay, the technical capabilities extend far beyond most of their commercial needs. Indeed, after years of concern over the privacy impact associated with deep-packet inspection of Internet traffic (costly technologies that examine Internet communications in real time), these bills appear to require all Internet providers to install such capabilities.

      Having obtained customer information without court oversight and mandated Internet surveillance capabilities, the third prong creates a several new police powers designed to obtain access to the surveillance data. These include new transmission data warrants that would grant real-time access to all the information generated during the creation, transmission or reception of a communication including the type, direction, time, duration, origin, destination or termination of the communication.

      Law enforcement could then obtain a preservation order to require providers to preserve subscriber information, including specific communication information, for 90 days. Finally, having obtained and preserved the data, production orders can be used to require the disclosure of specified communications or transmission data.

      While Internet providers would actively work with law enforcement in collecting and disclosing the subscriber information, they could also be prohibited from disclosing the disclosures as court may bar them from informing subscribers that they have been subject to surveillance or information disclosures.

      Few would argue that it is important to ensure that law enforcement has the necessary tools to address online crime issues. But these proposals come at an enormous financial and privacy cost, with as yet limited evidence that the current legal framework has impeded important police work. In fact, when then Public Safety Minister Peter Van Loan tried to justify his lawful access package, he pointed to an emergency situation that I later revealed (via access to information) had nothing to do with the Internet.

      Now here is my 2 cents.

      To all of us who have been paying attention to what is happening to our country, this should come as no surprise. This bill was actually introduced in November of 2010, but it did not move forward. Until now, when Harper has his majority and can push through whatever he wants. Another secret initiative with no substance behind the official explanation for it.

      The reality is that the ruling class of this world are not happy about the internet and its freedoms. Alternative media has risen to all time highs and only continues to grow. Their control is being broken. Issues like the North American Security Perimeter, the NAU, and the total clearance sale of every fundamental piece of our sovereignty are being blown wide open!

      In the elites eyes, this must be stopped. So why not make it a crime, and totally monitor the internet for political dissidents. Only makes sense right?

      We have got one hell of a fight starting, on countless fronts! Are you ready for it? Or are you going to go quietly into the night?

      CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has nearly 150,000 verified users and has issued over 548,000 certificates as of January 2010[update].

      These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

      Comment


      • #4
        Think of the crown corporation as more of a non-partisan website licensing board than anything. It would be similar to the accessibility regulations. It should also only apply to websites owned by businesses with more than 10 employees.

        Comment


        • #5
          Not that I don't welcome security, but I tried going to cacert.org, and:


          lol. Yeah, getting a certificate from there is just as useful as creating my own

          Comment


          • #6
            Just convince Microsoft/Mozilla/Google/OpenSSL to include the CAcert root certificate in an software update and we're golden. It's the addition of one file in the program directory.

            As of January 2010[update], certificates issued by CAcert are not as useful in web browsers as certificates issued by commercial CAs such as VeriSign, because most installed web browsers do not distribute CAcert's root certificate. Thus, for most web users, a certificate signed by CAcert behaves like a self-signed certificate. There was discussion for inclusion of CAcert's root certificate in Mozilla and derivatives (such as Mozilla Firefox) but CAcert withdrew its request for inclusion at the end of April 2007. This was after an audit was suspended in December 2006 because CAcert needed to improve their management system. There has been progress toward this and a new request for inclusion may be expected in the future. Getting the CAcert root cert included into Mozilla is probably CAcert's largest challenge right now, but one in which they are actively engaged. CAcert is committed to giving more transparency in its management system.

            The following operating systems or distributions include the CAcert root certificate:

            * Arch Linux
            * Ark Linux
            * CentOS
            * Debian
            * FreeWRT
            * Gentoo
            * Maemo (installed on Nokia Internet Tablets)(not on Nokia N900)
            * Knoppix
            * Mandriva Linux
            * MirOS BSD
            * OpenBSD

            Comment


            • #7
              Originally posted by darkphoenix22 View Post
              Just convince Microsoft/Mozilla/Google/OpenSSL to include the CAcert root certificate in an software update and we're golden. It's the addition of one file in the program directory.
              I disagree. What we must do is convince browser makers that not all SSL certificates are there to authenticate the site. For example, I use them only to encrypt login passwords. But the stupid warning screen of browsers drives users into paranoia ("ZOMG your site was hacked!!!1"). Am not claiming to be someone my users should trust. All I want is for their password to be transmitted encrypted. That's all.

              This whole HTTPS thing is messed up and badly designed. I can't even have basic encryption without needing a freaking SSL certificate. This needs to stop. It's just brain damaged.

              Comment


              • #8
                It's about the same with SSH keys. The only alternative would be to encrypt websites using passwords. Which is a HORRIBLE idea.

                We have HTTPS with AES/TLS in all major browsers already. We can worry about making something "better" later.

                Comment


                • #9
                  Originally posted by darkphoenix22 View Post
                  It's about the same with SSH keys. The only alternative would be to encrypt websites using passwords. Which is a HORRIBLE idea.
                  The certificate itself is not there just for encryption. It's mostly there for verifying that I am who I claim I am. SSH keys don't have that.

                  Very bright idea that one, make it impossible to use the one (encryption) without the other (identity verification). People who design this stuff are usually very intelligent, but when seeing things like that, you sometimes have to wonder...

                  Comment


                  • #10
                    There are separate SSL classes already, with differences in the way they are shown in the browser. Level 1 could just be classified as being encryption only and shown as such in the browser.

                    Comment

                    Working...
                    X