Linked by Thom Holwerda on Tue 25th May 2010 21:37 UTC
Looking at the past few weeks of Google news, you'll be forgiven for thinking Google doesn't do anything else beyond making Android. While there's sexier stuff going on within Google, the company is also still trying to improve its core user service: search. They've launched encrypted search today, and it will be rolled out across the world in the coming days.
Thread beginning with comment 426563
I'll drop any cleartext in a heartbeat
by jabbotts on Tue 25th May 2010 22:52 UTC
jabbotts Member since:
2007-09-06

I'll replace any http address with an https at the first given opportunity. Cleartext protocols like http, ftp, telnet, ftp, pop, smtp, snmp must all die.. die.. die.. die.. there is no excuse for not using encrypted protocols these days.

(OSNews, TechRepublic, I'm looking squarely at you with your http login forms. >:| )

I say, address the BS of overpriced third party validation certificates and get the cleartext protocols off the network for good.

Reply Score: 5

Laurence Member since:
2007-03-26

I'll replace any http address with an https at the first given opportunity. Cleartext protocols like http, ftp, telnet, ftp, pop, smtp, snmp must all die.. die.. die.. die.. there is no excuse for not using encrypted protocols these days.

(OSNews, TechRepublic, I'm looking squarely at you with your http login forms. >:| )

I say, address the BS of overpriced third party validation certificates and get the cleartext protocols off the network for good.


Forgive my ignorance, but what's wrong with self-signed certificates? They're free to set up and still offer you SSL/TLS encryption.

I've got one running on my FTPES server after following the linked wiki:
http://wiki.archlinux.org/index.php/Sftp
(read the 2nd section)

Edited 2010-05-26 07:16 UTC

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

Well, depending on bit strength, self-signed certificates are just fine. I was focusing on the general network so my mind was thinking in terms of the third party certificate a big name site would get. Self-signed certificates tend to scare average users (they involve a warning which involves reading). If you visit Google and are asked to accept a self-signed cert, you should have questions. That's also why I suggested reducing the cost of a cert signing as it's currently an overpriced protection racket in most cases and especially if you want to use SSL/TLS that is actually safe.

Reply Parent Score: 2

Piranha Member since:
2008-06-24

It's because a MITM attack is so much easier. An attacker could be placed in the middle, and hand you HIS self-signed certificate, while connecting to the legit site on your behalf and reading ALL your data (meaning the SSL is now useless). At least now with a limited number of signing authorities, it's damn near impossible to do this. If a certificate authority goes rogue, then the browsers just need to remove their root server.

Besides, Startcom provides FREE class 1 SSL certificates, and they are available in every major browser (except Opera, but I believe they fixed that now). My domain runs off it, and never receiving the "WARNING" when I switch computers or browsers is very reassuring.


If you don't want the warning prompts from your own self-signed certificates, then just install your signing cert into your browser. However, it's quite a hassle to get visitors to your site if they all get the warning.

Reply Parent Score: 1

Lennie Member since:
2007-09-22

As someone else explained, because of a self-signed certificate you can't be sure who you are talking to. It may be encrypted, but if it's the wrong person, then who cares that it's encrypted?

But there are other ways:

https://www.startssl.com/
http://cacert.org/

Reply Parent Score: 2

Lennie Member since:
2007-09-22

I know of very few concerns with using https.

1. You need a dedicated address; this probably means an IPv4 address, and we are running out. Not good. :-( I would love to see websites adopt: we have https for IPv6 users only. :-)

2. There needs to be enough entropy to do the encryption. Banks recently had DoS attacks and the https sites were really slow, not because of CPU-bound encryption (for which they possibly already have extra hardware), but because of entropy shortage.

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

vhosts. Multiple sites/domains sharing a single IP. When the browser asks for the IP, its header lists the domain it wants and the webserver presents domain/IP.

It would be much easier if vhosts could share an IP without sharing an SSL cert. The certificate is bound to the domain name, not the IP it's currently hosted on. This may reduce the trust in certificates though, as now you're still sure of cert/domain but you're not sure of location.

Reply Parent Score: 2