Re: SSL by default for all packaged web apps?
On Thu, Mar 03, 2011 at 10:03:28PM +0100, Soren Hansen wrote:
> 2011/3/3 Neal McBurnett :
> > Contrasting this with STARTTLS might also be instructive, though of course there are big differences. But last I checked (a while ago) a substantial amount of SMTP traffic was encrypted based on self-signed certificates because it was made pretty easy to do, though that was more likely to be used between servers than from an end user.
>
> SMTP over SSL is incredibly odd. SMTP is a communication protocol used between servers. It's unattended. There's no-one to verify the SSL cert of the remote party manually, so it has to be done automatically. You have two options: 1) require CA-validated certs, or 2) accept any SSL cert.
>
> Because using self-signed certs is so incredibly pervasive, option 1) would basically render you unable to speak SMTP/SSL to anyone, and 2), which is the default, means MitM attacks are the easiest thing in the world, yet people seem perfectly content with this.

Yup. So do we have any results of this experiment in easy deployment of self-signed certs? Are the costs worth the risks?

What are the costs? Has it been much harder to deploy?

What are the benefits? Is there any evidence that much snooping has been prevented?

How about the remaining risks? Are many MITM attacks being performed?

How about lost-opportunity costs? Has it slowed folks from moving to harder/better forms of encryption, e.g. end-to-end via S/MIME or PGP?

Does anyone know?

Neal McBurnett
http://neal.mcburnett.org/

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Re: SSL by default for all packaged web apps?
2011/3/3 Neal McBurnett :
> Contrasting this with STARTTLS might also be instructive, though of course there are big differences. But last I checked (a while ago) a substantial amount of SMTP traffic was encrypted based on self-signed certificates because it was made pretty easy to do, though that was more likely to be used between servers than from an end user.

SMTP over SSL is incredibly odd. SMTP is a communication protocol used between servers. It's unattended. There's no-one to verify the SSL cert of the remote party manually, so it has to be done automatically. You have two options: 1) require CA-validated certs, or 2) accept any SSL cert.

Because using self-signed certs is so incredibly pervasive, option 1) would basically render you unable to speak SMTP/SSL to anyone, and 2), which is the default, means MitM attacks are the easiest thing in the world, yet people seem perfectly content with this.

--
Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
Re: SSL by default for all packaged web apps?
On Wed, Mar 02, 2011 at 10:24:49AM -0500, Marc Deslauriers wrote:
> On Wed, 2011-03-02 at 17:05 +0200, Clint Byrum wrote:
> > On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> > > On Wed, 2011-03-02 at 08:23 +, Hakan Koseoglu wrote:
> > > > Forcing a naive system administrator to think about SSL & certificates is at least something useful. Of course there should be abilities to opt-out where SSL is not required. On the other hand, it's like saying "on secured networks SSH is not required, telnet is all you need" and I'm sure all of us would look at that sentence and mutter "insanity!".
> > >
> > > Please don't compare using password-protected SSH with using self-signed certificates. Using passwords instead of certificates with SSH has no impact on its effectiveness against MITM attacks. Of course it's better than Telnet.
> > >
> > > It is trivial to MITM self-signed certs, thereby countering any security advantage by adding SSL. Of course, I assume that people who are clicking Accept in their browser aren't validating the SSL cert fingerprint, as technical SSH users are instructed to do.
> >
> > I think you're trivializing a decent analogy, though I agree it's not entirely the same. However, SSH carries the same fingerprint verification problem that makes MITM just as simple on the first connection. Most browser users will save the certificate and be warned if it changes, just like the SSH user will be warned.
> >
> > The main difference is that ssh would generally be used by a more conscientious user than a browser user.
>
> I totally agree.
>
> If web ssl self-signed certs were only for sysadmins who would know to validate the fingerprint and suspect something is wrong when they get a new browser warning, there would be a big advantage to turning it on.
>
> Unfortunately, that's not the case, and it's why you can't deploy self-signed certs to end users and expect any level of security.
>
> Marc.

I'm not sure where I stand on the general question, but it seems to me that there is indeed a substantial middle ground, e.g. self-signed certs are useful in protecting against passive wireless attacks. It all depends on the threat model for the particular app and the state of the attack software available to casual attackers.

Contrasting this with STARTTLS might also be instructive, though of course there are big differences. But last I checked (a while ago) a substantial amount of SMTP traffic was encrypted based on self-signed certificates because it was made pretty easy to do, though that was more likely to be used between servers than from an end user.

Neal McBurnett
http://neal.mcburnett.org/
Re: SSL by default for all packaged web apps?
On Wed, 2011-03-02 at 17:05 +0200, Clint Byrum wrote:
> On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> > On Wed, 2011-03-02 at 08:23 +, Hakan Koseoglu wrote:
> > > Forcing a naive system administrator to think about SSL & certificates is at least something useful. Of course there should be abilities to opt-out where SSL is not required. On the other hand, it's like saying "on secured networks SSH is not required, telnet is all you need" and I'm sure all of us would look at that sentence and mutter "insanity!".
> >
> > Please don't compare using password-protected SSH with using self-signed certificates. Using passwords instead of certificates with SSH has no impact on its effectiveness against MITM attacks. Of course it's better than Telnet.
> >
> > It is trivial to MITM self-signed certs, thereby countering any security advantage by adding SSL. Of course, I assume that people who are clicking Accept in their browser aren't validating the SSL cert fingerprint, as technical SSH users are instructed to do.
>
> I think you're trivializing a decent analogy, though I agree it's not entirely the same. However, SSH carries the same fingerprint verification problem that makes MITM just as simple on the first connection. Most browser users will save the certificate and be warned if it changes, just like the SSH user will be warned.
>
> The main difference is that ssh would generally be used by a more conscientious user than a browser user.

I totally agree.

If web ssl self-signed certs were only for sysadmins who would know to validate the fingerprint and suspect something is wrong when they get a new browser warning, there would be a big advantage to turning it on.

Unfortunately, that's not the case, and it's why you can't deploy self-signed certs to end users and expect any level of security.

Marc.
Re: SSL by default for all packaged web apps?
On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> On Wed, 2011-03-02 at 08:23 +, Hakan Koseoglu wrote:
> > Forcing a naive system administrator to think about SSL & certificates is at least something useful. Of course there should be abilities to opt-out where SSL is not required. On the other hand, it's like saying "on secured networks SSH is not required, telnet is all you need" and I'm sure all of us would look at that sentence and mutter "insanity!".
>
> Please don't compare using password-protected SSH with using self-signed certificates. Using passwords instead of certificates with SSH has no impact on its effectiveness against MITM attacks. Of course it's better than Telnet.
>
> It is trivial to MITM self-signed certs, thereby countering any security advantage by adding SSL. Of course, I assume that people who are clicking Accept in their browser aren't validating the SSL cert fingerprint, as technical SSH users are instructed to do.

I think you're trivializing a decent analogy, though I agree it's not entirely the same. However, SSH carries the same fingerprint verification problem that makes MITM just as simple on the first connection. Most browser users will save the certificate and be warned if it changes, just like the SSH user will be warned.

The main difference is that ssh would generally be used by a more conscientious user than a browser user.
Re: SSL by default for all packaged web apps?
Is this bug/question based on a single host/single IP/single domain Apache configuration? SSL can be enabled only for one domain, or with SNI (http://en.wikipedia.org/wiki/Server_Name_Indication), but then some browsers will not work. It would look like SSL is working correctly for all domains/vhosts and the administrator would have no idea that a large percentage of the users can't access SSL-enabled websites/applications.

Or did I misunderstand something?

Aljosa Mohorovic
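The blind spot Aljosa describes (name-based SSL vhosts looking fine to the admin while SNI-less clients silently get the wrong certificate) is visible in the very first bytes a client sends. The following is an added example, not code from the thread: a small Python parser that pulls the `server_name` out of a raw TLS ClientHello, so an administrator can run it over captured connections and count how many clients never send SNI. The `build_client_hello` helper and the host names it is fed are constructed for the test; the framing it produces and the parser follow the standard TLS record/handshake layout and the SNI extension (type 0).

```python
"""Extract the SNI server_name from a raw TLS ClientHello record.

Added example: build_client_hello() produces constructed ClientHello bytes
for testing (not a real capture); real input would be the first bytes a
client sends on a TLS connection, e.g. pulled from a pcap.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(server_name=None):
    """Constructed ClientHello for tests: all-zero random, two arbitrary cipher
    suite codes, optionally an SNI extension. Not a real client's hello."""
    body = b"\x03\x03" + bytes(32)            # client_version 1.2 + 32-byte random
    body += b"\x00"                           # empty session_id
    suites = b"\xc0\x2f\x00\x9c"              # two cipher suite codes (arbitrary here)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
    exts += struct.pack("!HH", 0x0017, 0)     # an unrelated, empty extension the parser must skip
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None when the bytes are
    not a ClientHello or carry no SNI (old clients, truncated or non-TLS data)."""
    if len(record) < 5 or record[0] != 0x16:            # ContentType handshake
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # HandshakeType client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # compression_methods
    if len(body) < pos + 2:
        return None                                     # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                               # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        p = 2                                           # skip server_name_list length
        while p + 3 <= len(data):
            name_type = data[p]
            (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


def sni_report(records):
    """Count ClientHellos that name a host versus those that do not; the second
    group is exactly the set of clients a name-based SSL vhost cannot serve."""
    report = {"with_sni": 0, "without_sni": 0}
    for rec in records:
        report["with_sni" if extract_sni(rec) else "without_sni"] += 1
    return report


if __name__ == "__main__":
    sample = [build_client_hello("wiki.example.org"),   # constructed sample traffic
              build_client_hello("mail.example.org"),
              build_client_hello(None)]                 # a client that sends no SNI
    print(sni_report(sample))   # {'with_sni': 2, 'without_sni': 1}
```

Feeding `extract_sni` the first record of each inbound connection (for example from a capture taken on port 443) gives the admin the number Aljosa says they otherwise have no way of seeing: how many of their users would be handed the default vhost's certificate instead of the one for the site they asked for.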
Re: SSL by default for all packaged web apps?
On Wed, 2011-03-02 at 08:23 +, Hakan Koseoglu wrote:
> Hi Clint,
>
> On 22 February 2011 22:56, Clint Byrum wrote:
> > This bug was opened recently:
> >
> > https://bugs.launchpad.net/bugs/695857
> >
> > It suggests that packages should configure themselves to require SSL by default.
> >
> > I think this is actually a good idea, and I am wondering how this would be received by the greater community.
>
> +1. It's a starting point.
>
> A good sample is SSH. You are not supposed to use password-authenticated SSH and only use passphrase-protected distributed keys, but hey, it's way better than Telnet in all cases!
>
> Forcing a naive system administrator to think about SSL & certificates is at least something useful. Of course there should be abilities to opt-out where SSL is not required. On the other hand, it's like saying "on secured networks SSH is not required, telnet is all you need" and I'm sure all of us would look at that sentence and mutter "insanity!".

Please don't compare using password-protected SSH with using self-signed certificates. Using passwords instead of certificates with SSH has no impact on its effectiveness against MITM attacks. Of course it's better than Telnet.

It is trivial to MITM self-signed certs, thereby countering any security advantage by adding SSL. Of course, I assume that people who are clicking Accept in their browser aren't validating the SSL cert fingerprint, as technical SSH users are instructed to do.

Marc.
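Both Marc's point here (a self-signed cert is only worth something if the fingerprint is actually validated) and Clint's reply above (browsers and ssh save the certificate and warn when it changes) come down to two concrete checks. The following is an added example, not code from the thread, showing both in Python: an out-of-band fingerprint comparison, and a `known_hosts`-style trust-on-first-use store that pins the first certificate seen and reports a change instead of silently accepting it. The two "certificates" are constructed byte strings standing in for DER-encoded certificates; with a real server the bytes would come from `ssl.get_server_certificate()` passed through `ssl.PEM_cert_to_DER_cert()`.

```python
"""Fingerprint checks that make a self-signed certificate meaningful.

Added example, not from the thread. Two checks: (1) compare the cert's
fingerprint with one obtained through another channel, and (2) pin the
first certificate seen per host and refuse to continue if it later changes.
SAMPLE_CERT_A/B are constructed stand-ins for DER certificates, not X.509.
"""
import hashlib
import json
import os
import tempfile

SAMPLE_CERT_A = b"\x30\x82\x01\x00CONSTRUCTED-CERT-wiki.internal-A"   # constructed
SAMPLE_CERT_B = b"\x30\x82\x01\x00CONSTRUCTED-CERT-wiki.internal-B"   # constructed


def fingerprint(der_cert):
    """SHA-256 fingerprint in the colon-separated form browsers and openssl print."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    """Ignore case and separators so that a hand-transcribed fingerprint still compares."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_expected(der_cert, expected):
    """Out-of-band check: does the presented cert match a fingerprint received
    through a separate channel (a ticket, the admin's wiki page, a phone call)?"""
    return _normalize(fingerprint(der_cert)) == _normalize(expected)


class KnownCerts:
    """known_hosts-style store: host -> fingerprint pinned on first contact.
    With path=None the store lives only in memory (useful for tests)."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def _save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh)

    def check(self, host, der_cert):
        """'new': first contact, pinned now (trust on first use).
        'ok': same certificate as before.
        'changed': different certificate; the caller should refuse to proceed
        until the new fingerprint has been verified out of band."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "new"
        return "ok" if known == fp else "changed"

    def repin(self, host, der_cert):
        """Deliberate replacement of a pin, to be called only after an out-of-band check."""
        self.pins[host] = fingerprint(der_cert)
        self._save()


def demo():
    """First contact, unchanged cert, changed cert, then a fresh store reading the
    persisted pin; returns the four results in order."""
    path = os.path.join(tempfile.mkdtemp(), "known_certs.json")
    store = KnownCerts(path)
    results = [store.check("wiki.internal", SAMPLE_CERT_A),   # new
               store.check("wiki.internal", SAMPLE_CERT_A),   # ok
               store.check("wiki.internal", SAMPLE_CERT_B)]   # changed
    results.append(KnownCerts(path).check("wiki.internal", SAMPLE_CERT_A))  # ok (persisted)
    return results


if __name__ == "__main__":
    print(fingerprint(SAMPLE_CERT_A))
    print(demo())   # ['new', 'ok', 'changed', 'ok']
```

The important design choice is that `check` never overwrites a pin on its own: a changed certificate is reported, and only an explicit `repin` after the fingerprint has been confirmed elsewhere replaces it. That is the behaviour that separates the sysadmin case Marc describes from the end user who just clicks Accept.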
Re: SSL by default for all packaged web apps?
On Wed, 2011-03-02 at 00:38 -0500, Etienne Goyer wrote:
> Re-reading my email, I think I got a bit too snarky toward the end. While I think my arguments are sound, the discussion does not have to be confrontational. My apologies to Marc and the list for the tone I used earlier.

No apologies necessary Etienne. I don't think you can have a snarkier tone than I do on mailing lists sometimes. :)

Marc.
Re: SSL by default for all packaged web apps?
On Tue, 2011-03-01 at 21:01 -0500, Etienne Goyer wrote:
> > > 1. Encrypting communication between the client and the server (notably to protect the credential exchange from eavesdropping).
> > >
> > > 2. Preventing MitM by authenticating the server.
> > >
> > > Using SSL with a self-signed certificate doesn't address 2., but it does address 1. From my perspective, it's an incremental improvement over plain-text HTTP. So, why not?
> >
> > I'm not quite sure under which circumstance 1 would be a problem but 2 would not. When you're on a trusted network? If you're on a trusted network, you probably don't need SSL in the first place.
>
> There's no such thing as a trusted network. I am just saying that encrypting traffic is an incremental improvement over plain-text HTTP.

Given that it's a _lot_ easier to MITM a switched network than it is to eavesdrop on one, I don't think this would be much of an improvement.

> > The problem here is that turning it on by default will instill a false sense of security into people's minds. You are telling them that it's acceptable to bypass the important warnings and to click the "OK" button in Firefox when they connect the first time. You are showing them the lock icon in Firefox indicating to them that they're on a secure connection, when in fact, that's not the case...
>
> Yet, most internal web services (those that aren't public-facing) require the end-user to dismiss a self-signed certificate already. That's what I see out there. Turning SSL on by default would not be a regression, it would be an incremental improvement over plain-text HTTP.

This is incredibly wrong and no organisation who's had a security audit would be able to continue doing so, unless what's being protected is of no value, including the passwords that are being used.

> > > I have had that argument with a few people over the years. Fact is, at least for non publicly facing web services, most people will continue to use self-signed certificates for the simple reason that getting a "valid" certificate (or setting up your own CA) is a huge hassle, and not even always possible.
> >
> > They are trading off security to save $50 and 30 minutes of work. Unless, of course, you are getting every single user to manually validate the fingerprint every time they click that Accept button.
>
> And this is the crux of the matter. I have had this argument served recently by obnoxious developers of an application that would not run without a valid SSL certificate, and it was of no help to me. On internal networks, organisations of all sizes often use non-registered domain names. You cannot get a valid SSL certificate signed by a CA for a .silly domain, however hard you try. Plus, it's often much more involved than $50 and 30 minutes. Sometimes, it requires you to seek approval from procurement, IT security or net ops department to buy a certificate in the name of your org.

There _are_ valid use-cases for self-signed certificates. I don't think _preventing_ the use of self-signed certs is the right thing to do.

Using an unregistered domain name for an internal network is bad network design, and causes a lot of problems, including an SSL cert problem. Inventing any random TLD seems to have had a splurge in popularity when Active Directory showed up.

I agree, purchasing a certificate can be more complex than what I described, but I don't think self-signed certs are any kind of valid replacement.

> > > I would even go as far as arguing that trying to discourage people from using self-signed certificates through systemic measures is a waste of time, because most people just do not understand the implication. Putting the cart before the horses and stuff.
> >
> > Setting up an insecure SSL connection by default, and giving them the impression of being encrypted properly is security theatre. This isn't something we should be recommending, or doing by default. If someone decides that self-signed certificates are "good enough" for them, they should set it up themselves and face the consequences.
>
> And that is what most people are currently doing, in fact. They would be none the worse if we enabled SSL by default.

Just because they are doing something terribly insecure already doesn't mean we should be doing it by default. Self-signed certs don't improve security over clear text in any significant way (unless used by technical people who check fingerprints, etc.)

> But, in the end, I do not care much and I am not going to argue any more in favor of the proposal. It's just an incremental usability improvement, like ssh-installed-by-default would have been. We could nitpick all night long about the fine points of security vs usability, but it's not very productive.

I do think that we need something easier to set up SSL though, and that may be what we should put
Re: SSL by default for all packaged web apps?
Hi Clint,

On 22 February 2011 22:56, Clint Byrum wrote:
> This bug was opened recently:
>
> https://bugs.launchpad.net/bugs/695857
>
> It suggests that packages should configure themselves to require SSL by default.
>
> I think this is actually a good idea, and I am wondering how this would be received by the greater community.

+1. It's a starting point.

A good sample is SSH. You are not supposed to use password-authenticated SSH and only use passphrase-protected distributed keys, but hey, it's way better than Telnet in all cases!

Forcing a naive system administrator to think about SSL & certificates is at least something useful. Of course there should be abilities to opt-out where SSL is not required. On the other hand, it's like saying "on secured networks SSH is not required, telnet is all you need" and I'm sure all of us would look at that sentence and mutter "insanity!".

PS: Sorry Clint, you're going to get this mail a 3rd time, I forgot to cc the ML! :) Need some coffee...

Cheers,
--
Hakan (m1fcj) - http://www.hititgunesi.org
Re: SSL by default for all packaged web apps?
Re-reading my email, I think I got a bit too snarky toward the end. While I think my arguments are sound, the discussion does not have to be confrontational. My apologies to Marc and the list for the tone I used earlier.

On 11-03-01 09:01 PM, Etienne Goyer wrote:
> On 11-03-01 06:39 PM, Marc Deslauriers wrote:
> > On Tue, 2011-03-01 at 18:04 -0500, Etienne Goyer wrote:
> > > > We should not turn on SSL by default with self-signed certificates. That is insecure and is not a configuration that should be encouraged.
> > >
> > > There are two things there:
> > >
> > > 1. Encrypting communication between the client and the server (notably to protect the credential exchange from eavesdropping).
> > >
> > > 2. Preventing MitM by authenticating the server.
> > >
> > > Using SSL with a self-signed certificate doesn't address 2., but it does address 1. From my perspective, it's an incremental improvement over plain-text HTTP. So, why not?
> >
> > I'm not quite sure under which circumstance 1 would be a problem but 2 would not. When you're on a trusted network? If you're on a trusted network, you probably don't need SSL in the first place.
>
> There's no such thing as a trusted network. I am just saying that encrypting traffic is an incremental improvement over plain-text HTTP.
>
> > The problem here is that turning it on by default will instill a false sense of security into people's minds. You are telling them that it's acceptable to bypass the important warnings and to click the "OK" button in Firefox when they connect the first time. You are showing them the lock icon in Firefox indicating to them that they're on a secure connection, when in fact, that's not the case...
>
> Yet, most internal web services (those that aren't public-facing) require the end-user to dismiss a self-signed certificate already. That's what I see out there. Turning SSL on by default would not be a regression, it would be an incremental improvement over plain-text HTTP.
>
> > > I have had that argument with a few people over the years. Fact is, at least for non publicly facing web services, most people will continue to use self-signed certificates for the simple reason that getting a "valid" certificate (or setting up your own CA) is a huge hassle, and not even always possible.
> >
> > They are trading off security to save $50 and 30 minutes of work. Unless, of course, you are getting every single user to manually validate the fingerprint every time they click that Accept button.
>
> And this is the crux of the matter. I have had this argument served recently by obnoxious developers of an application that would not run without a valid SSL certificate, and it was of no help to me. On internal networks, organisations of all sizes often use non-registered domain names. You cannot get a valid SSL certificate signed by a CA for a .silly domain, however hard you try. Plus, it's often much more involved than $50 and 30 minutes. Sometimes, it requires you to seek approval from procurement, IT security or net ops department to buy a certificate in the name of your org.
>
> > > I would even go as far as arguing that trying to discourage people from using self-signed certificates through systemic measures is a waste of time, because most people just do not understand the implication. Putting the cart before the horses and stuff.
> >
> > Setting up an insecure SSL connection by default, and giving them the impression of being encrypted properly is security theatre. This isn't something we should be recommending, or doing by default. If someone decides that self-signed certificates are "good enough" for them, they should set it up themselves and face the consequences.
>
> And that is what most people are currently doing, in fact. They would be none the worse if we enabled SSL by default.
>
> But, in the end, I do not care much and I am not going to argue any more in favor of the proposal. It's just an incremental usability improvement, like ssh-installed-by-default would have been. We could nitpick all night long about the fine points of security vs usability, but it's not very productive.

--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3

~= Ubuntu: Linux for Human Beings =~
Re: SSL by default for all packaged web apps?
+1 for SSL of packages. A compromise would just be to run the entire mirror over both http & https with a self-signed cert and leave the default as http. The packages that are coming from the Ubuntu mirror are very important, especially since so many companies use Ubuntu in production environments.

As for the whole self-signed vs. signed-by-a-company question, I don't really care and I don't think many do either. People that modify the packages to use SSL will know why and what they are doing. Those who don't will just default to http.

~Dan

On Tue, Mar 1, 2011 at 8:01 PM, Etienne Goyer wrote:
> On 11-03-01 06:39 PM, Marc Deslauriers wrote:
> > On Tue, 2011-03-01 at 18:04 -0500, Etienne Goyer wrote:
> > > > We should not turn on SSL by default with self-signed certificates. That is insecure and is not a configuration that should be encouraged.
> > >
> > > There are two things there:
> > >
> > > 1. Encrypting communication between the client and the server (notably to protect the credential exchange from eavesdropping).
> > >
> > > 2. Preventing MitM by authenticating the server.
> > >
> > > Using SSL with a self-signed certificate doesn't address 2., but it does address 1. From my perspective, it's an incremental improvement over plain-text HTTP. So, why not?
> >
> > I'm not quite sure under which circumstance 1 would be a problem but 2 would not. When you're on a trusted network? If you're on a trusted network, you probably don't need SSL in the first place.
>
> There's no such thing as a trusted network. I am just saying that encrypting traffic is an incremental improvement over plain-text HTTP.
>
> > The problem here is that turning it on by default will instill a false sense of security into people's minds. You are telling them that it's acceptable to bypass the important warnings and to click the "OK" button in Firefox when they connect the first time. You are showing them the lock icon in Firefox indicating to them that they're on a secure connection, when in fact, that's not the case...
>
> Yet, most internal web services (those that aren't public-facing) require the end-user to dismiss a self-signed certificate already. That's what I see out there. Turning SSL on by default would not be a regression, it would be an incremental improvement over plain-text HTTP.
>
> > > I have had that argument with a few people over the years. Fact is, at least for non publicly facing web services, most people will continue to use self-signed certificates for the simple reason that getting a "valid" certificate (or setting up your own CA) is a huge hassle, and not even always possible.
> >
> > They are trading off security to save $50 and 30 minutes of work. Unless, of course, you are getting every single user to manually validate the fingerprint every time they click that Accept button.
>
> And this is the crux of the matter. I have had this argument served recently by obnoxious developers of an application that would not run without a valid SSL certificate, and it was of no help to me. On internal networks, organisations of all sizes often use non-registered domain names. You cannot get a valid SSL certificate signed by a CA for a .silly domain, however hard you try. Plus, it's often much more involved than $50 and 30 minutes. Sometimes, it requires you to seek approval from procurement, IT security or net ops department to buy a certificate in the name of your org.
>
> > > I would even go as far as arguing that trying to discourage people from using self-signed certificates through systemic measures is a waste of time, because most people just do not understand the implication. Putting the cart before the horses and stuff.
> >
> > Setting up an insecure SSL connection by default, and giving them the impression of being encrypted properly is security theatre. This isn't something we should be recommending, or doing by default. If someone decides that self-signed certificates are "good enough" for them, they should set it up themselves and face the consequences.
>
> And that is what most people are currently doing, in fact. They would be none the worse if we enabled SSL by default.
>
> But, in the end, I do not care much and I am not going to argue any more in favor of the proposal. It's just an incremental usability improvement, like ssh-installed-by-default would have been. We could nitpick all night long about the fine points of security vs usability, but it's not very productive.
>
> --
> Etienne Goyer
> Technical Account Manager - Canonical Ltd
> Ubuntu Certified Instructor - LPIC-3
>
> ~= Ubuntu: Linux for Human Beings =~
Re: SSL by default for all packaged web apps?
On 11-03-01 06:39 PM, Marc Deslauriers wrote:
> On Tue, 2011-03-01 at 18:04 -0500, Etienne Goyer wrote:
>>> We should not turn on SSL by default with self-signed certificates. That
>>> is insecure and is not a configuration that should be encouraged.
>>
>> There are two things there:
>>
>> 1. Encrypting communication between the client and the server (notably
>> to protect the credential exchange from eavesdropping).
>>
>> 2. Preventing MitM by authenticating the server.
>>
>>
>> Using SSL with self-signed certificate doesn't address 2., but it does
>> address 1. From my perspective, it's an incremental improvement over
>> plain-text HTTP. So, why not?
>
> I'm not quite sure under which circumstance 1 would be a problem but 2
> would not. When you're on a trusted network? If you're on a trusted
> network, you probably don't need SSL in the first place.

There's no such thing as a trusted network. I am just saying that
encrypting traffic is an incremental improvement over plain-text HTTP.

> The problem here is that turning it on by default will instill a false
> sense of security into people's minds. You are telling them that it's
> acceptable to bypass the important warnings and to click the "OK" button
> in Firefox when they connect the first time. You are showing them the
> lock icon in Firefox indicating to them that they're on a secure
> connection, when in fact, that's not the case...

Yet, most internal web services (those that aren't public-facing) require
the end-user to dismiss a self-signed certificate already. That's what I
see out there. Turning SSL on by default would not be a regression, it
would be an incremental improvement over plain-text HTTP.

>> I have had that argument with a few people over the years. Fact is, at
>> least for non publicly facing web services, most people will continue to
>> use self-signed certificates for the simple reason that getting a
>> "valid" certificate (or setting up your own CA) is a huge hassle, and
>> not even always possible.
>
> They are trading off security to save $50 and 30 minutes of work.
> Unless, of course, you are getting every single user to manually
> validate the fingerprint every time they click that Accept button.

And this is the crux of the matter. I have had this argument served
recently by obnoxious developers of an application that would not run
without a valid SSL certificate, and it was of no help to me. On internal
networks, organisations of all sizes often use non-registered domain names.
You cannot get a valid SSL certificate signed by a CA for a .silly domain,
however hard you try. Plus, it's often much more involved than $50 and 30
minutes. Sometimes, it requires you to seek approval from the procurement,
IT security or net ops department to buy a certificate in the name of your
org.

>> I would even go as far as arguing that trying to discourage people from
>> using self-signed certificates through systemic measures is a waste of
>> time, because most people just do not understand the implications.
>> Putting the cart before the horse and stuff.
>
> Setting up an insecure SSL connection by default, and giving them the
> impression of being encrypted properly is security theatre. This isn't
> something we should be recommending, or doing by default. If someone
> decides that self-signed certificates are "good enough" for them, they
> should set it up themselves and face the consequences.

And that is what most people are currently doing, in fact. They would be
none the worse if we enabled SSL by default.

But, in the end, I do not care much and I am not going to argue any more
in favor of the proposal. It's just an incremental usability improvement,
like ssh-installed-by-default would have been. We could nitpick all night
long about the fine points of security vs usability, but it's not very
productive.

--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3

~= Ubuntu: Linux for Human Beings =~

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
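The two properties the thread argues over, made concrete from the client side. This is an added example, not code from this list or from any Ubuntu package: the connection is made the way a browser "Accept" click does, with CA validation off (property 1 only), and the fingerprint an admin distributed out of band supplies the server authentication that a self-signed cert cannot (property 2). The host, port and pin set are caller-supplied assumptions; the fingerprint format follows what `openssl x509 -noout -fingerprint -sha256` prints.

```python
"""Added example (not code from the thread): TLS client policy for a self-signed
server cert.  The handshake alone gives encryption against eavesdropping; checking
a fingerprint distributed out of band adds server authentication without a CA.
host, port and pins are caller-supplied assumptions."""
import base64
import hashlib
import hmac
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first certificate block of a PEM file to DER bytes."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    try:
        start = lines.index(PEM_BEGIN) + 1
        end = lines.index(PEM_END, start)
    except ValueError as exc:
        raise ValueError("no PEM certificate block found") from exc
    return base64.b64decode("".join(lines[start:end]))


def der_to_pem(der_cert: bytes) -> str:
    """Inverse of pem_to_der, e.g. to hand users the cert alongside its pin."""
    body = base64.b64encode(der_cert).decode("ascii")
    return "\n".join([PEM_BEGIN, body, PEM_END, ""])


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form openssl prints."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def pin_matches(der_cert: bytes, pins) -> bool:
    """Constant-time check of the presented cert against the pinned fingerprints."""
    got = fingerprint(der_cert).replace(":", "").lower()
    return any(hmac.compare_digest(got, p.replace(":", "").lower()) for p in pins)


def pinned_connect(host: str, port: int, pins) -> ssl.SSLSocket:
    """Connect with CA validation off (the 'Accept' click), then enforce the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE      # encrypted, but nobody authenticated yet
    conn = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not pin_matches(conn.getpeercert(binary_form=True), pins):
        conn.close()                     # unpinned cert: refuse instead of "OK"
        raise ssl.SSLCertVerificationError(f"{host}:{port} presented an unpinned cert")
    return conn
```

A deployment that ships the fingerprint with the install notes gets both properties from a self-signed cert; one that only clicks through the warning gets the first.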
Re: SSL by default for all packaged web apps?
On Tue, 2011-03-01 at 18:04 -0500, Etienne Goyer wrote:
> > We should not turn on SSL by default with self-signed certificates. That
> > is insecure and is not a configuration that should be encouraged.
>
> There are two things there:
>
> 1. Encrypting communication between the client and the server (notably
> to protect the credential exchange from eavesdropping).
>
> 2. Preventing MitM by authenticating the server.
>
>
> Using SSL with self-signed certificate doesn't address 2., but it does
> address 1. From my perspective, it's an incremental improvement over
> plain-text HTTP. So, why not?

I'm not quite sure under which circumstance 1 would be a problem but 2
would not. When you're on a trusted network? If you're on a trusted
network, you probably don't need SSL in the first place.

The problem here is that turning it on by default will instill a false
sense of security into people's minds. You are telling them that it's
acceptable to bypass the important warnings and to click the "OK" button
in Firefox when they connect the first time. You are showing them the
lock icon in Firefox indicating to them that they're on a secure
connection, when in fact, that's not the case...

>
> I have had that argument with a few people over the years. Fact is, at
> least for non publicly facing web services, most people will continue to
> use self-signed certificates for the simple reason that getting a
> "valid" certificate (or setting up your own CA) is a huge hassle, and
> not even always possible.

They are trading off security to save $50 and 30 minutes of work.
Unless, of course, you are getting every single user to manually
validate the fingerprint every time they click that Accept button.

>
> I would even go as far as arguing that trying to discourage people from
> using self-signed certificates through systemic measures is a waste of
> time, because most people just do not understand the implications.
> Putting the cart before the horse and stuff.

Setting up an insecure SSL connection by default, and giving them the
impression of being encrypted properly is security theatre. This isn't
something we should be recommending, or doing by default. If someone
decides that self-signed certificates are "good enough" for them, they
should set it up themselves and face the consequences.

Marc.
Re: SSL by default for all packaged web apps?
On 11-03-01 05:20 PM, Marc Deslauriers wrote:
> On Tue, 2011-02-22 at 14:56 -0800, Clint Byrum wrote:
>> This bug was opened recently:
>>
>> https://bugs.launchpad.net/bugs/695857
>>
>> It suggests that packages should configure themselves to require SSL by
>> default.
>>
>> I think this is actually a good idea, and I am wondering how this would
>> be received by the greater community.
>>
>> I am marking the bug as "Opinion" and I'd like to get the opinions of
>> the server community as a whole on the issue. If enough people think it's
>> a good idea we can open a blueprint for a future UDS.
>
> We should not turn on SSL by default with self-signed certificates. That
> is insecure and is not a configuration that should be encouraged.

There are two things there:

1. Encrypting communication between the client and the server (notably
to protect the credential exchange from eavesdropping).

2. Preventing MitM by authenticating the server.

Using SSL with self-signed certificate doesn't address 2., but it does
address 1. From my perspective, it's an incremental improvement over
plain-text HTTP. So, why not?

I have had that argument with a few people over the years. Fact is, at
least for non publicly facing web services, most people will continue to
use self-signed certificates for the simple reason that getting a
"valid" certificate (or setting up your own CA) is a huge hassle, and
not even always possible.

I would even go as far as arguing that trying to discourage people from
using self-signed certificates through systemic measures is a waste of
time, because most people just do not understand the implications.
Putting the cart before the horse and stuff.

--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3

~= Ubuntu: Linux for Human Beings =~
Re: SSL by default for all packaged web apps?
On Tue, 2011-02-22 at 14:56 -0800, Clint Byrum wrote:
> This bug was opened recently:
>
> https://bugs.launchpad.net/bugs/695857
>
> It suggests that packages should configure themselves to require SSL by
> default.
>
> I think this is actually a good idea, and I am wondering how this would
> be received by the greater community.
>
> I am marking the bug as "Opinion" and I'd like to get the opinions of
> the server community as a whole on the issue. If enough people think it's
> a good idea we can open a blueprint for a future UDS.

We should not turn on SSL by default with self-signed certificates. That
is insecure and is not a configuration that should be encouraged.

Marc.
SSL by default for all packaged web apps?
This bug was opened recently:

https://bugs.launchpad.net/bugs/695857

It suggests that packages should configure themselves to require SSL by
default.

I think this is actually a good idea, and I am wondering how this would
be received by the greater community.

I am marking the bug as "Opinion" and I'd like to get the opinions of
the server community as a whole on the issue. If enough people think it's
a good idea we can open a blueprint for a future UDS.

Thanks!