Re: OT: Risks of CAs (Re: Your web development opinions)
On Wed, 1 Jun 2011 14:51:42 + Kevin Chadwick wrote:

> Can someone confirm that they have a default Opera working with a
> StartCom SSL certificate via relayd.

Does anyone know if iPhones should work too? Though I don't know if they even have the root cert.
Re: OT: Risks of CAs (Re: Your web development opinions)
On Thu, 24 Feb 2011 13:05:09 -0300 Hugo Osvaldo Barrera wrote:

> http://www.startssl.com/
> Why pay if you can have one for free trusted by every major browser?
> Sure, the "class 2" ones are pay-for, but the free one works as well as

I have it working on relayd with a clean Firefox profile automatically importing the intermediate, and it works on Chromium and IE (not checked how likely an IE user is to have the root certs update; default Win7 doesn't have them, but my gaming XP box does, but I selected the update).

However, no matter what I do I can't get Opera to automatically import the "StartCom Class 1 Primary Intermediate Server CA" certificate. Can someone confirm that they have a default Opera working with a StartCom SSL certificate via relayd?
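An added example of mine (not code from this thread, relayd or StartCom) that shows what is going on when a browser has to "automatically import" an intermediate: it builds a throwaway root, intermediate and server certificate with openssl, then checks the leaf the way a client that trusts only the root would. The leaf alone does not verify; the leaf plus the intermediate does. Browsers that fetch the missing intermediate themselves hide this, clients that don't (the Opera case above) fail, so the server should send the intermediate in the handshake. All names, serial numbers and file names are placeholders.

```shell
#!/bin/sh
# Added example (not relayd or StartCom code): build a throwaway
# root -> intermediate -> server chain and show that a client trusting
# only the root cannot verify the leaf unless the intermediate comes
# with it.  All names, serials and paths are placeholders.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Minimal req config so the example does not depend on the system openssl.cnf.
cat >req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
EOF
# CA certificates must carry CA:TRUE or openssl refuses to use them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext

# newcsr <name> <cn>: fresh RSA key plus a CSR for it.
newcsr() {
    openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$1.key" -config req.cnf -subj "/CN=$2" \
        -out "$1.csr" >/dev/null 2>&1
}

# build_chain: root (self-signed) -> inter (signed by root) -> server (signed by inter).
build_chain() {
    newcsr root "Example Test Root" &&
    openssl x509 -req -in root.csr -signkey root.key -days 2 -set_serial 1 \
        -extfile ca.ext -out root.crt >/dev/null 2>&1 &&
    newcsr inter "Example Test Intermediate" &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -days 2 \
        -set_serial 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1 &&
    newcsr server www.example.test &&
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -days 2 \
        -set_serial 3 -extfile leaf.ext -out server.crt >/dev/null 2>&1
}

# verify_as_client <leaf> [intermediate]: a client whose trust store holds
# only root.crt, handed exactly the certificates the server put in the
# handshake.  -untrusted plays the server-supplied intermediate: usable for
# path building, not trusted by itself.  Returns 0 when a path to the root exists.
verify_as_client() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
    fi
}

build_chain || exit 1

if verify_as_client server.crt; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone: no path to the root; a browser that does not fetch intermediates fails here"
fi
verify_as_client server.crt inter.crt && echo "leaf + intermediate: verified"

# What the server should present: the leaf first, then the intermediate(s).
cat server.crt inter.crt >chain.pem
```

The same check works against a live server: feed the certificates from the handshake to `openssl verify` with the leaf as the target and the rest as `-untrusted`, and a failure with "unable to get local issuer certificate" means the intermediate is missing from what the server sends, not from the client's root store.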
Re: OT: Risks of CAs (Re: Your web development opinions)
On Tue, Mar 22, 2011 at 05:33:01PM +0200, Ciprian Dorin Craciun wrote:
> >> CA's cannot be trusted to even pay attention to carefully securing
> >> your certificate. Here in the US, the government can simply ask
> >> for your certificate and get it ( and possibly even use it to
> >> impersonate you)
>
> > The problem is not really whether there is a trust relationship
> > between your CA provider and you, it's whether at least *one* CA is
> > lax enough that they give out certificates without thorough
> > checking. Even with your self-signed approach, somebody could get a
> > CA to issue a certificate that their key is good for your website,
> > and impersonate it to any of your new-coming customers who haven't
> > been exposed to your official key yet.
>
> There is a project (which I'm contributing to so take this with a
> grain of salt) -- Perspectives http://www.networknotary.org/ -- that
> is trying to solve this problem: how to detect a MITM attack or a
> "rogue" CA.
>
> The idea is quite simple: provide a Firefox (and in short time a
> Chrome) plug-in that contacts a series of "trusted" (see below) notary
> servers that give back their SSL certificate finger-print
> "observations". If the browser's observed SSL certificate "matches"
> the ones provided by the notaries -- with a sensible time frame --
> then everything is OK (there could be false positives though). If not
> it triggers an alarm (which could be a false negative). Therefore this
> works with all kinds of certificates -- self-signed, trusted CA's or
> untrusted CA's. (In fact the notaries are able to "observe" both SSH
> or arbitrary TLS/SSL based services certificates.)
>
> The trust moves from the CA to a set of peer-to-peer, geographically
> distributed, independently run, notary servers (with a quorum
> decision). (But like in the case of Tor (or other peer-to-peer
> security systems) you could be in trouble if someone is able to take
> over a great deal of the nodes.)
>
> Also because this is more for MITM attacks, rogue CA's can be detected
> only if the "government" isn't able to redirect all traffic to the
> rogue server for a large time frame. (Thus for example if government X
> is able to impersonate the server only in region X, but not in other
> regions, notaries in those other regions will signal the possible
> rogue CA / servers.)

This is an interesting approach, I'll see if I can do something with it (;

However, it also reminds me a lot of MonkeySphere [0], which leverages the PGP WoT, and allows host keys (SSH, SSL) to be signed with the admin's PGP key. This also has the effect of decentralising the key management.

However, I suspect there is a risk of false positive/negative, and I'm not sure which one is the worst. I think this is definitely the problem of those decentralised approaches. Note that somebody paying a CA to issue a false certificate would be a false positive anyway...

[0] http://web.monkeysphere.info/

--
Olivier Mehani
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Re: OT: Risks of CAs (Re: Your web development opinions)
On Wed, Feb 23, 2011 at 15:51, Olivier Mehani wrote:
> Just some OT thoughts.
>
> On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
>> CA's cannot be trusted to even pay attention to carefully securing
>> your certificate. Here in the US, the government can simply ask for
>> your certificate and get it ( and possibly even use it to impersonate
>> you)
>
> The government would have the certificate, but not the private key, so
> I'm not sure how they can impersonate you with it.
>
> However, they can just get their own key to *any* shoddy CA included in
> browsers, and get a certificate linking that key to your services
> without much problem.
>
> The problem is not really whether there is a trust relationship between
> your CA provider and you, it's whether at least *one* CA is lax
> enough that they give out certificates without thorough checking.
>
> Even with your self-signed approach, somebody could get a CA to issue a
> certificate that their key is good for your website, and impersonate it
> to any of your new-coming customers who haven't been exposed to your
> official key yet.
>
> I may also be wrong in my analysis, but as far as my understanding goes,
> it's correct.
>
> --
> Olivier Mehani

There is a project (which I'm contributing to so take this with a grain of salt) -- Perspectives http://www.networknotary.org/ -- that is trying to solve this problem: how to detect a MITM attack or a "rogue" CA.

The idea is quite simple: provide a Firefox (and in short time a Chrome) plug-in that contacts a series of "trusted" (see below) notary servers that give back their SSL certificate finger-print "observations". If the browser's observed SSL certificate "matches" the ones provided by the notaries -- with a sensible time frame -- then everything is OK (there could be false positives though). If not it triggers an alarm (which could be a false negative). Therefore this works with all kinds of certificates -- self-signed, trusted CA's or untrusted CA's. (In fact the notaries are able to "observe" both SSH or arbitrary TLS/SSL based services certificates.)

The trust moves from the CA to a set of peer-to-peer, geographically distributed, independently run, notary servers (with a quorum decision). (But like in the case of Tor (or other peer-to-peer security systems) you could be in trouble if someone is able to take over a great deal of the nodes.)

Also because this is more for MITM attacks, rogue CA's can be detected only if the "government" isn't able to redirect all traffic to the rogue server for a large time frame. (Thus for example if government X is able to impersonate the server only in region X, but not in other regions, notaries in those other regions will signal the possible rogue CA / servers.)

Ciprian.
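The quorum decision Ciprian describes, as an added example of mine rather than the Perspectives project's own code. The notary table below is constructed for the example: one notary (notary-d) sits behind the hypothetical regional interception box and has seen a different key for only a few days, and one notary (notary-e) recorded a legitimate key change early on. The rule I apply is a simplification of the scheme in the post: accept the key the browser received only if enough of the responding notaries have seen that same key for this host continuously for at least some minimum number of days. Threshold names, fingerprints and day numbers are all mine.

```shell
#!/bin/sh
# Added example: the quorum rule a Perspectives-style client applies to what
# the notaries report.  This is my own simplification of the scheme described
# in the post, not the project's code, and the observation table below is
# constructed for the example.
#
# One record per (notary, key) pair for the host being checked:
#   notary  fingerprint  first_day_seen  last_day_seen
# notary-d is the one whose view of the host is being intercepted: it has
# seen a different key, and only for a few days.  notary-e saw a legitimate
# key change on day 3.
NOTARY_OBS='
notary-a AA:AA:AA:AA 1 30
notary-b AA:AA:AA:AA 2 30
notary-c AA:AA:AA:AA 1 30
notary-d BB:BB:BB:BB 28 30
notary-e CC:CC:CC:CC 1 2
notary-e AA:AA:AA:AA 3 30
'

# perspectives_check <fingerprint> <quorum_percent> <min_days>
# Accept (return 0) only if at least <quorum_percent> of the notaries that
# answered have seen <fingerprint> for this host continuously for at least
# <min_days> days.  No answers at all fails closed.
perspectives_check() {
    printf '%s\n' "$NOTARY_OBS" | awk -v fp="$1" -v q="$2" -v d="$3" '
        NF == 4 {
            # count each notary once, however many keys it has reported
            if (!($1 in seen)) { seen[$1] = 1; total++ }
            # a notary vouches if it saw this key for a long enough stable run
            if ($2 == fp && ($4 - $3 + 1) >= d && !($1 in vouch)) {
                vouch[$1] = 1; agree++
            }
        }
        END {
            if (total == 0) exit 1
            printf "%d of %d notaries vouch for %s (need %d%%)\n", agree, total, fp, q
            if (agree * 100 >= q * total) exit 0
            exit 1
        }'
}

# The key the browser actually received, checked against the notaries.
perspectives_check AA:AA:AA:AA 75 7 && echo "accepted: consistent with what the notaries see"
perspectives_check BB:BB:BB:BB 75 7 || echo "rejected: one notary, and only recently; possible MITM or rogue CA"
perspectives_check AA:AA:AA:AA 90 7 || echo "rejected: stricter quorum than these notaries can meet"
```

The two knobs are where the false positives and false negatives Ciprian mentions come from: a short minimum duration lets an attacker who can fool enough notaries for a few days through, a long one flags every legitimate key rollover until the notaries have watched the new key long enough.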
Re: OT: Risks of CAs (Re: Your web development opinions)
On 28.02.2011 at 03:10, Hugo Osvaldo Barrera wrote:

> You CAN submit the CSR through the web interface.

Nobody doubted that.

--
Jonathan
Re: OT: Risks of CAs (Re: Your web development opinions)
On 26/02/11 19:21, Jonathan Schleifer wrote:
> On 24.02.2011 at 18:34, Hugo Osvaldo Barrera wrote:
>
>> I use their web interface to generate them. It gets stuck sometimes, but
>> usually works. (Yeah, it's definitely not the best).
>
> Letting them generate one is a stupid idea - then they got your private key.
> It's better to just send them a CSR.
>
> --
> Jonathan
>

You CAN submit the CSR through the web interface.

--
Hugo Osvaldo Barrera
Re: OT: Risks of CAs (Re: Your web development opinions)
On 24.02.2011 at 18:34, Hugo Osvaldo Barrera wrote:

> I use their web interface to generate them. It gets stuck sometimes, but
> usually works. (Yeah, it's definitely not the best).

Letting them generate one is a stupid idea - then they got your private key.
It's better to just send them a CSR.

--
Jonathan
Re: OT: Risks of CAs (Re: Your web development opinions)
On 02/24/2011 01:50 PM, Chris Bennett wrote:
>> http://www.startssl.com/
>> Why pay if you can have one for free trusted by every major browser?
>> Sure, the "class 2" ones are pay-for, but the free one works as well as
>> a self-signed one (except for the "CA sells out like paypal" idea, which
>> I admit is possible, though, in the US, the government can just push any
>> CA to give them a valid cert anyway.
>> --
>> Hugo Osvaldo Barrera
>>
>
> That's a seemingly good idea except that they don't return any attempt to get
> a certificate.
> So I gave up on them a long time ago.
>

I use their web interface to generate them. It gets stuck sometimes, but usually works. (Yeah, it's definitely not the best).

--
Hugo Osvaldo Barrera
Re: OT: Risks of CAs (Re: Your web development opinions)
On 02/24/11 17:50, Chris Bennett wrote:
>> http://www.startssl.com/
>> Why pay if you can have one for free trusted by every major browser?
>> Sure, the "class 2" ones are pay-for, but the free one works as well as
>> a self-signed one (except for the "CA sells out like paypal" idea, which
>> I admit is possible, though, in the US, the government can just push any
>> CA to give them a valid cert anyway.
>> --
>> Hugo Osvaldo Barrera
>>
>
> That's a seemingly good idea except that they don't return any attempt to get
> a certificate.
> So I gave up on them a long time ago.

The free certs or the government? :-)
Re: OT: Risks of CAs (Re: Your web development opinions)
> http://www.startssl.com/
> Why pay if you can have one for free trusted by every major browser?
> Sure, the "class 2" ones are pay-for, but the free one works as well as
> a self-signed one (except for the "CA sells out like paypal" idea, which
> I admit is possible, though, in the US, the government can just push any
> CA to give them a valid cert anyway.
> --
> Hugo Osvaldo Barrera
>

That's a seemingly good idea except that they don't return any attempt to get a certificate.
So I gave up on them a long time ago.
Re: OT: Risks of CAs (Re: Your web development opinions)
On 02/24/2011 11:59 AM, Chris Bennett wrote:
> I am going to point out another factor in my reasoning:
> Basically, there is no reason to assume that my self-signed certificate is
> any less secure than paying someone who is in a browser's root certificates.
>
> As a contractor in construction, one article I wrote for my potential
> customers is how to decide if you should do the work yourself or hire
> someone else to do it.
>
> In this case, if I hire someone as a CA, I have just spent money. That comes
> straight out of my wages. I have to now earn this money back or not eat, pay
> rent, etc.
> If I self-sign, I now get to keep that money. In fact, I may now be able to
> spend additional time improving security on my websites and my programming. I
> could potentially end up improving users' security by NOT having to earn back
> spent money.

http://www.startssl.com/
Why pay if you can have one for free trusted by every major browser?
Sure, the "class 2" ones are pay-for, but the free one works as well as a self-signed one (except for the "CA sells out like paypal" idea, which I admit is possible, though, in the US, the government can just push any CA to give them a valid cert anyway.

>
> It is not my fault if some users are stupid. I actually spent some time
> making security details available to my users. If they care, they are now
> educated, if not, what can you do?

Nothing, educating is the only solution; if they don't care, it's their problem.

>
> Chris Bennett
>

--
Hugo Osvaldo Barrera
Re: OT: Risks of CAs (Re: Your web development opinions)
I am going to point out another factor in my reasoning:
Basically, there is no reason to assume that my self-signed certificate is any less secure than paying someone who is in a browser's root certificates.

As a contractor in construction, one article I wrote for my potential customers is how to decide if you should do the work yourself or hire someone else to do it.

In this case, if I hire someone as a CA, I have just spent money. That comes straight out of my wages. I have to now earn this money back or not eat, pay rent, etc.
If I self-sign, I now get to keep that money. In fact, I may now be able to spend additional time improving security on my websites and my programming. I could potentially end up improving users' security by NOT having to earn back spent money.

It is not my fault if some users are stupid. I actually spent some time making security details available to my users. If they care, they are now educated, if not, what can you do?

Chris Bennett
Re: OT: Risks of CAs (Re: Your web development opinions)
On Thu, 24 Feb 2011 10:16:36 +0100 Marc Espie wrote:

> the fact that most people reuse the same password,

You hear about that now said-to-be-nonexistent security firm that was helping the FBI track down a support group of WikiLeaks called Anonymous and ended up with all their email on WikiLeaks because the security firm's bosses used the same pass on their email as found on their web CMS.

http://www.h-online.com/security/news/item/More-background-on-the-US-security-firm-break-in-1191797.html

That made me chuckle. At least thanks to WikiLeaks, the FBI have had it drummed into them that data was insecure; for crying out loud, they should stop pointing the finger outbound and get their house in order.

Also sometimes seeing reactions to information without knowing why leads to horrible assumptions and reactions instead of the response "well I don't agree but I see why you did that." and "well that was obviously a corrupt individual or group".

Sorry for changing the subject.

>> I don't like having to trust dozens of CA and it's definitely not the best
>> solution, but I don't see any alternative for this sort of thing.

DNSCurve/DNSSEC have been suggested, but how secure is the DNS infrastructure? I hate paying for SSL certs, just to get rid of the warnings.
Re: OT: Risks of CAs (Re: Your web development opinions)
I think you guys are into elaborate schemes and totally forgetting the low-level tech/social engineering attack. Remember that most people out there don't understand https; they will just see that little lock and think "I'm secure"... yeah, sure, from a 3rd party. But it's so easy to set up a fake site, get some valid credentials from any CA that accepts it for money, and lure people in. Between OpenID, Facebook, and heck, the fact that most people reuse the same password, you can harvest a lot of valid accounts on a lot of sites. And then the real fun begins.
Re: Your web development opinions
On Wed, Feb 23, 2011 at 9:20 PM, Hugo Osvaldo Barrera wrote:
> On 23/02/11 20:56, Andres Perera wrote:
>> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera
>> wrote:
>>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
> They're a fucking disaster security-wise.
+1
> In general, blocking javascript won't get you too far, because most of the
> issues are not in the client, but rather in the use that's made of javascript.
I basically block javascript to stop some advertising and keep some sites from crashing firefox.
But many, many sites require javascript to even login (i.e. many bank websites!)
> - trying to do https and having to deal with corrupt certificate authorities
> that don't guarantee too much in the end.
CA's cannot be trusted to even pay attention to carefully securing your certificate.
Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)
I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content.
No one has complained.
> > A simple man-in-the middle of that site, and replacing its content
> > would open the door for every site you refer to.
> > If it's an SSL website, you're in an endless loop without a CA or
> > trusted third party.

i hope that you realize that the loop applies to the initial distribution of the bundle as well and that the difference after that is one is centralized (bigger target) and the other one isn't

you're going to get their crl from them, right? like the millions of other people that trust them should?

> Some have told me that I am risking a man-in-the-middle attack. Perhaps.
> But I see little reason to trust the CA man-at-the-end!
Chris Bennett
>>>
>>> Supposing that's the case, the government can just request a CA a
>>> certificate for your domain, and do a man-in-the middle. Users won't
>>> get any prompt for invalid cert, and the same "vulnerability" you
>>> described using still exists.
>>>
>>
>> that's flawed because you're assuming his users are trusting equifax,
>> cacert.org, and the countless of others that get bundled in certs packages for
>> unix, or worse, his users are using a browser that comes bundled with its own
>> set of certs and ssl library (firefox).
>
> That means you'd have to physically give the certificate to every user,
> with no trusted authority, or trusted third party, you have no way of
> establishing a secure (authenticated) communication, except physically
> being with that person.
>
> How do you then pay your taxes? Check your bank account, etc? I don't
> like having to trust dozens of CA and it's definitely not the best
> solution, but I don't see any alternative for this sort of thing.

my bank account and other items would never account for the plethora of bundled certs, nor with the inability of a client to associate cacerts with specific hosts. the latter is why your argument is flawed, and it has nothing to do with self-signing

a cert pool should have varying degrees of trust and reach. if firefox doesn't do this, the problem is firefox and not the server's cert distribution model

>
>> when you download openssh, does it come bundled with a known hosts file?
>>
>> no, you go to the site and look at their public key. if they delegated their
>> public keys to a central authority they exert no control over, they don't have
>> the power to shutdown their site when it becomes compromised to display bogus
>> public keys, or worse
>>
>> similarly, i dont feed the cert bundle to sendmail, but instead feed it a
>> *single* cert that i'm very wary of if it changes
>>
>> "ssl everywhere" is a stupid concept because of this. you should only ssl
>> select communications so that managing the certs is plausible
>>
>>> Additionally, you have to make users accept the cert manually the first
>>> time (checking it, of course). It may not be much of a fuss, but I
>>> don't see you actually fixing any security holes.
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>
> --
> Hugo Osvaldo Barrera
Re: Your web development opinions
On 23/02/11 20:56, Andres Perera wrote:
> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera
> wrote:
>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
They're a fucking disaster security-wise.
>>>
>>> +1
>>>
In general, blocking javascript won't get you too far, because most of the issues are not in the client, but rather in the use that's made of javascript.
>>>
>>> I basically block javascript to stop some advertising and keep some sites
>>> from crashing firefox.
>>> But many, many sites require javascript to even login (i.e. many bank
>>> websites!)
- trying to do https and having to deal with corrupt certificate authorities that don't guarantee too much in the end.
>>>
>>> CA's cannot be trusted to even pay attention to carefully securing your
>>> certificate.
>>> Here in the US, the government can simply ask for your certificate and get
>>> it ( and possibly even use it to impersonate you)
>>>
>>> I sign my own certificates, post a copy of serial number and correct name
>>> and IP address on my websites using them. I explain to every customer that
>>> I do not trust external CA's and that I am only using https for encryption
>>> of passwords and paid content.
>>> No one has complained.
A simple man-in-the middle of that site, and replacing its content would open the door for every site you refer to.
If it's an SSL website, you're in an endless loop without a CA or trusted third party.
>>>
>>> Some have told me that I am risking a man-in-the-middle attack. Perhaps.
>>> But I see little reason to trust the CA man-at-the-end!
>>>
>>> Chris Bennett
>>>
>>
>> Supposing that's the case, the government can just request a CA a
>> certificate for your domain, and do a man-in-the middle. Users won't
>> get any prompt for invalid cert, and the same "vulnerability" you
>> described using still exists.
>>
>
> that's flawed because you're assuming his users are trusting equifax,
> cacert.org, and the countless of others that get bundled in certs packages for
> unix, or worse, his users are using a browser that comes bundled with its own
> set of certs and ssl library (firefox).

That means you'd have to physically give the certificate to every user; with no trusted authority, or trusted third party, you have no way of establishing a secure (authenticated) communication, except physically being with that person.

How do you then pay your taxes? Check your bank account, etc? I don't like having to trust dozens of CA and it's definitely not the best solution, but I don't see any alternative for this sort of thing.

>
> when you download openssh, does it come bundled with a known hosts file?
>
> no, you go to the site and look at their public key. if they delegated their
> public keys to a central authority they exert no control over, they don't
> have
> the power to shutdown their site when it becomes compromised to display bogus
> public keys, or worse
>
> similarly, i dont feed the cert bundle to sendmail, but instead feed it a
> *single* cert that i'm very wary of if it changes
>
> "ssl everywhere" is a stupid concept because of this. you should only ssl
> select communications so that managing the certs is plausible
>
>> Additionally, you have to make users accept the cert manually the first
>> time (checking it, of course). It may not be much of a fuss, but I
>> don't see you actually fixing any security holes.
>>
>> --
>> Hugo Osvaldo Barrera
>>

--
Hugo Osvaldo Barrera
Re: OT: Risks of CAs (Re: Your web development opinions)
On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani wrote:
> Just some OT thoughts.
>
> On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
>> CA's cannot be trusted to even pay attention to carefully securing
>> your certificate. Here in the US, the government can simply ask for
>> your certificate and get it ( and possibly even use it to impersonate
>> you)
>
> The government would have the certificate, but not the private key, so
> I'm not sure how they can impersonate you with it.

it's a little more detailed than that

the gov could say revoke his cert on the crl, and assign the next iteration to me with my arbitrary req generated with my arbitrary key

at that point it would not matter if they don't have *his* private key

if he controls the ca, then the gov/whoever is forced to do true mitm

the big problem with the first is that chances are that your ca company is american/european (no bullet proof host), and they will give in like paypal wrt wikileaks

>
> However, they can just get their own key to *any* shoddy CA included in
> browsers, and get a certificate linking that key to your services
> without much problem.
>
> The problem is not really whether there is a trust relationship between
> your CA provider and you, it's whether at least *one* CA is lax
> enough that they give out certificates without thorough checking.
>
> Even with your self-signed approach, somebody could get a CA to issue a
> certificate that their key is good for your website, and impersonate it
> to any of your new-coming customers who haven't been exposed to your
> official key yet.
>
> I may also be wrong in my analysis, but as far as my understanding goes,
> it's correct.
>
> --
> Olivier Mehani
> PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Re: Your web development opinions
On 2/23/11 5:34 PM, Hugo Osvaldo Barrera wrote:
> On 02/23/2011 08:59 AM, Ana Zgombic wrote:
>>> you mind to turn it on sometimes? What browser do you use (lynx,
>>> firefox, chromium, ...)?
>> not much choice. firefox.
>
> Regrettably, it is. Firefox is now more about:
> * "users are too stupid to read"
> * "let's not have any buttons so users don't click one they shouldn't"
> * "features confuse users, it's better to remove them/hide them".
>
> The only plus side is that standards-compliant browsers win market share
> this way (a plus for web developers and standards compliance).
>
> I remember firefox sync used to have an encryption passphrase for syncing
> data. Now that's gone, and users are motivated to PRINT an auto-generated
> one, because "they can't remember the one that they set", and "printing it
> is the safest way to make sure they don't lose it". Of course, if you CAN
> remember passphrases, you can't set your own any more.
>
> This stuff is happening all the time with firefox, and I hope some
> OpenBSD-like developers branch firefox some day. "A browser for people who
> can read" would be a great slogan.

You can always try xxxterm from Marco for a more secure browser. It really isn't bad at all! Very fast, small and I would say more trusted than firefox or others, but sure, no question, definitely more trusted than IE. (;>

Doesn't support flash, but that's not a loss, I HATE flash! YMMV.

I am not going to say it's full-featured and fully compliant, I never tested it, but as long as it does what you need, who cares! Maybe some journalist trying to write an article, but then what.

Just a thought. My son uses it and preaches it! Yeap!!!

Haven't been able to compile it on mac yet, but when time allows, maybe in 20 years or so! (:>
Re: Your web development opinions
On 02/23/2011 08:59 AM, Ana Zgombic wrote:
>>> you mind to turn it on sometimes? What browser do you use (lynx,
>>> firefox, chromium, ...)?
>> not much choice. firefox.
>

Regrettably, it is. Firefox is now more about:

* "users are too stupid to read"
* "let's not have any buttons so users don't click one they shouldn't"
* "features confuse users, it's better to remove them/hide them".

The only plus side is that standards-compliant browsers win market share this way (a plus for web developers and standards compliance).

I remember firefox sync used to have an encryption passphrase for syncing data. Now that's gone, and users are motivated to PRINT an auto-generated one, because "they can't remember the one that they set", and "printing it is the safest way to make sure they don't lose it". Of course, if you CAN remember passphrases, you can't set your own any more.

This stuff is happening all the time with firefox, and I hope some OpenBSD-like developers branch firefox some day. "A browser for people who can read" would be a great slogan.

--
Hugo Osvaldo Barrera
OT: Risks of CAs (Re: Your web development opinions)
Just some OT thoughts.

On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
> CA's cannot be trusted to even pay attention to carefully securing
> your certificate. Here in the US, the government can simply ask for
> your certificate and get it ( and possibly even use it to impersonate
> you)

The government would have the certificate, but not the private key, so I'm not sure how they can impersonate you with it.

However, they can just get their own key to *any* shoddy CA included in browsers, and get a certificate linking that key to your services without much problem.

The problem is not really whether there is a trust relationship between your CA provider and you, it's whether at least *one* CA is lax enough that they give out certificates without thorough checking.

Even with your self-signed approach, somebody could get a CA to issue a certificate that their key is good for your website, and impersonate it to any of your new-coming customers who haven't been exposed to your official key yet.

I may also be wrong in my analysis, but as far as my understanding goes, it's correct.

--
Olivier Mehani
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Re: Your web development opinions
On Wed, 23 Feb 2011 11:04:58 +0100 Tomas Vavrys wrote:

> Hi,
>
> what does OpenBSD community think about new trends in web development
> HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do
> you mind to turn it on sometimes? What browser do you use (lynx,
> firefox, chromium, ...)?
>

I like HTML5 just because it allows videos that can be viewed universally and hopefully one day to demote flash to easy-to-do basic animation as was originally intended before the Apple vs Microsoft format and patent wars, and regain the oodles of power wasted by flash, especially on Linux. Hopefully a video format that is as free as we can get will stop this kind of video war, with dire consequences in terms of owned boxes via flash ads etc., happening again.

I am concerned about the data storage and other functions of HTML5 and privacy, though.

Javascript does annoy me a great deal, especially when they say it's required to click a link or download a pdf. I was shown a link the other day saying install flash 8?!?! or greater to download this pdf about a product. Have they not heard of W3C and audience maximisation?

Generally I leave javascript off, it even annoys me on google searches, but I occasionally turn it on when it's not required to get functionality on sites I trust. I use NoScript in firefox but also have a disable button.

Chromium availability has just come back, I think, on OpenBSD. I may use chromium and/or xxxterm at times or in the future.

Almost forgot all the exploits in browsers related to javascript.

> I am learning Django at the moment and I would like to know more about
> the nature of common OpenBSD user and how could I contribute to
> project with my webdev skills.
Re: Your web development opinions
> They're a fucking disaster security-wise.

+1

> In general, blocking javascript won't get you too far, because most of the
> issues are not in the client, but rather in the use that's made of javascript.

I basically block javascript to stop some advertising and keep some sites from crashing firefox.
But many, many sites require javascript to even login (i.e. many bank websites!)

> - trying to do https and having to deal with corrupt certificate authorities
> that don't guarantee too much in the end.

CA's cannot be trusted to even pay attention to carefully securing your certificate.
Here in the US, the government can simply ask for your certificate and get it ( and possibly even use it to impersonate you)

I sign my own certificates, post a copy of serial number and correct name and IP address on my websites using them. I explain to every customer that I do not trust external CA's and that I am only using https for encryption of passwords and paid content.
No one has complained.

Some have told me that I am risking a man-in-the-middle attack. Perhaps.
But I see little reason to trust the CA man-at-the-end!

Chris Bennett
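Two points in this thread turn into concrete openssl steps: Jonathan's advice (earlier on this page) to hand the CA only a CSR and never the private key, and Chris's practice above of self-signing and publishing identifying details for users to check. What follows is an added example of mine, not code from either poster. It generates the key and CSR locally and checks that the CSR carries only the public half; then it self-signs that CSR, prints the SHA-256 fingerprint as the value to publish, and shows why: the subject name and the serial number are chosen by whoever makes the certificate, so an impostor can copy both, while the fingerprint covers the whole certificate including the public key and cannot be copied without the key. Hostname, serial number and file names are placeholders.

```shell
#!/bin/sh
# Added example (mine, not from the thread): key + CSR generated locally,
# checks that the CSR has only the public key, then a self-signed cert with
# a published fingerprint and the client-side pin check.  Hostname, serial
# and file names are placeholders.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Minimal req config so the example does not depend on the system openssl.cnf.
cat >req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = www.example.test
EOF

# make_key_and_csr <name>: <name>.key stays on this machine; <name>.csr is
# the only thing a CA ever needs to see.
make_key_and_csr() {
    openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1 &&
    chmod 600 "$1.key" &&
    openssl req -new -key "$1.key" -config req.cnf -out "$1.csr" >/dev/null 2>&1
}

# csr_matches_key <csr> <key>: 0 if the CSR's public key belongs to <key>.
# Both commands print the same SubjectPublicKeyInfo PEM, so compare bytes.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_is_clean <csr>: 0 if the request's self-signature verifies and the
# file carries no private-key material.
csr_is_clean() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# self_sign <name> <serial>: certificate from <name>.csr signed by <name>.key.
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -set_serial "$2" \
        -out "$1.crt" >/dev/null 2>&1
}

# fingerprint <cert>: SHA-256 over the DER encoding; publish this, not the serial.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# pin_check <cert> <published>: what a client does with the cert it received.
pin_check() {
    got=$(fingerprint "$1") && [ -n "$got" ] && [ "$got" = "$2" ]
}

make_key_and_csr site || exit 1
csr_matches_key site.csr site.key && csr_is_clean site.csr &&
    echo "site.csr: matches site.key and carries no private key"

self_sign site 4242 || exit 1
PUBLISHED=$(fingerprint site.crt)        # this is what goes on the web page

# An impostor can pick the same subject and the same serial number ...
make_key_and_csr impostor && self_sign impostor 4242 || exit 1
# ... but not the same fingerprint, because that covers the public key too.
pin_check site.crt     "$PUBLISHED" && echo "site.crt: fingerprint matches"
pin_check impostor.crt "$PUBLISHED" || echo "impostor.crt: same name and serial, fingerprint differs"
```

The published value needs a channel the attacker cannot rewrite; a fingerprint shown only on the same https page it protects is exactly the loop Hugo and Andres argue about further up, and offering it over a second channel (a signed mail, a printed handout) is what breaks it.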
Re: Your web development opinions
On Wed, Feb 23, 2011 at 6:04 PM, Tomas Vavrys wrote:
> Hi,
>
> what does OpenBSD community think about new trends in web development
> HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do

lots of code. lots of untested code. yes, i block javascript. my blood temp rises a bit when a site makes it a requirement.

> you mind to turn it on sometimes? What browser do you use (lynx,
> firefox, chromium, ...)?

not much choice. firefox.

> I am learning Django at the moment and I would like to know more about
> the nature of common OpenBSD user and how could I contribute to
> project with my webdev skills.
>

the common openbsd user is male, closet romantic, mildly aggressive, mildly masochistic, highly opinionated, loves to use the word 'fuck' and definitely does the act more than linux users.

Ana
--
http://nybl.info
Your web development opinions
Hi, what does OpenBSD community think about new trends in web development HTML5, javascript (jquery), AJAX? Do you block javascript? If so, do you mind to turn it on sometimes? What browser do you use (lynx, firefox, chromium, ...)? I am learning Django at the moment and I would like to know more about the nature of common OpenBSD user and how could I contribute to project with my webdev skills.