Linked by Thom Holwerda on Thu 21st Nov 2013 23:46 UTC
Internet & Networking

"We can end government censorship in a decade," Schmidt said during a speech in Washington. "The solution to government surveillance is to encrypt everything."

Setting aside the entertaining aspect of the source of said statement, I don't think encryption in and of itself is enough. Encryption performed by companies is useless, since we know by now that companies - US or otherwise - are more than eager to bend over backwards to please their governments.

What we need is encryption that we perform ourselves, so that neither governments nor companies are involved. I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we'd be right back where we started.

Is something like that even possible?

RE[4]: Comment by pcunite
by Lennie on Sun 24th Nov 2013 18:16 UTC in reply to "RE[3]: Comment by pcunite"

On the issue of browser support.

Bad support in (desktop) browsers is a thing of the past, I've not seen issues in a long time.

There are probably still problems on mobile though, but even those are going away.

If you are a provider, you really do pay only 10 euros per cert per year, maybe even 10 dollars. This isn't just some cheap provider that doesn't work. That is from the widely known CAs.

https://www.startssl.com/ is the one that is free and supported by all browsers.

On the issue of insecure email...

Yep, that is what domain validation is. It's just a check if you control the domain. I've never seen a CA use insecure HTTP though.

It really doesn't matter if you pay some CA more money or not. Because the user doesn't look at the CA, it just needs to be trusted by the browser.

If someone can prove they control your domain to another browser-supported CA, then they'll get a cert for your domain. There is really nothing special about the different CAs. Any CA will do.

There are some other issues that do matter, like OCSP performance. Or the root included by default in Windows. But especially the last one doesn't matter all that much if it's a widely used CA.

If you want something more, you might want EV but you'll need to educate your users to look for the 'green bar' and not use the site if it's not there.

In many, many cases, for example something like Facebook, that obviously doesn't work: when they visit the site they'll probably already have sent the auto-login cookie, which an attacker can use to log in to your site.

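The last point in Lennie's comment, that a returning user's auto-login cookie is often sent before any green bar could be checked, comes down to whether the cookie carries the Secure attribute. The following is an added example, not code from the thread or from any project mentioned in it: it models the RFC 6265 rule that a Secure cookie is only attached to requests over https, and reports which cookies in a constructed sample jar would leave the browser on a plaintext visit to the same site. Cookie names, values and hostnames are made up for the illustration.

```python
"""Which cookies leave the browser on a plaintext request?

Added example (not from the OSNews thread): models the RFC 6265 rule that a
cookie carrying the Secure attribute is only attached to requests over a
secure scheme. All cookie names, values and hostnames below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str            # host the cookie was set for
    secure: bool = False   # Secure attribute set by the server
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match, simplified (no IP-literal handling)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent(jar, url: str):
    """Return the cookies a browser would attach to a request for `url`.

    A cookie with the Secure attribute is withheld unless the request scheme
    is https; everything else that domain-matches is sent.
    """
    parts = urlsplit(url)
    is_secure = parts.scheme == "https"
    return [
        c for c in jar
        if domain_matches(parts.hostname or "", c.domain)
        and (is_secure or not c.secure)
    ]


def plaintext_exposure(jar, https_url: str):
    """Names of cookies that leak if the same site is reached over http instead."""
    http_url = https_url.replace("https://", "http://", 1)
    return sorted(c.name for c in cookies_sent(jar, http_url))


# Constructed sample jar: two login-related cookies for the same site, one
# set without Secure (the situation described in the comment) and one with
# it, plus an unrelated site's cookie that must never be sent here.
SAMPLE_JAR = [
    Cookie("autologin", "tok-123", "example.com", secure=False, http_only=True),
    Cookie("session", "sess-456", "example.com", secure=True, http_only=True),
    Cookie("prefs", "lang=en", "other.example", secure=False),
]

if __name__ == "__main__":
    print("over http: ", [c.name for c in cookies_sent(SAMPLE_JAR, "http://www.example.com/")])
    print("over https:", [c.name for c in cookies_sent(SAMPLE_JAR, "https://www.example.com/")])
    print("leaked on a plaintext visit:", plaintext_exposure(SAMPLE_JAR, "https://www.example.com/"))
```

The fix on the server side is the one the model makes visible: set the Secure attribute (and HttpOnly) on any cookie that grants a login, so a stray http:// link or bookmark cannot carry it across the network in the clear.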