Linked by Thom Holwerda on Tue 25th May 2010 21:37 UTC
Google Looking at the past few week of Google news, you'll be forgiven for thinking Google doesn't do anything else beyond making Android. While there's sexier stuff going on within Google, the company is also still trying to improve its core user service: search. They've launched encrypted search today, and it will be rolled out across the world in the coming days.
Thread beginning with comment 426608
To view parent comment, click here.
To read all comments associated with this story, please click here.
Laurence
Member since:
2007-03-26

I'll replace any http address with an https at the first given opportunity. Cleartext protocols like http, ftp, telnet, ftp, pop, smtp, snmp must al die.. die.. die.. die.. there is no excuse for not using encrypted protocols these days.

(OSNews, Techrepublick, I'm looking squarely at you with your http login forms. >:| )

I say, address the BS of overpriced third party validation certificates and get the cleartext protocols off the network for good.


Forgive my ignorance, but what's wrong with self-signed certificates? They're free to set up and still offer you SSL/TLS encryption.

I've got one running on my FTPES server after following the linked wiki:
http://wiki.archlinux.org/index.php/Sftp
(read the 2nd section)

Edited 2010-05-26 07:16 UTC

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

Well, depending on bit strength, self signed certificates are just fine. I was focusing on the general network so my mind was thinking in terms of the third party certificate a big name site would get. Self signed certificates tend to scare average users (they involve a warning which involves reading). If you visit Google and are asked to accept a self signed cert, you should have questions. That's also why I suggested reducing the cost of a cert signing as it's currently an overpriced protection racket in most cases and especially if you want to use SSL/TLS that is actually safe.

Reply Parent Score: 2

Piranha Member since:
2008-06-24

It's because a MITM attack is so much easier. An attacker could be placed in the middle, and hand you HIS self signed certificate, while connecting to the legit site on your behalf and read ALL your data (meaning the ssl is now useless). At least now with a limited number of signing authorities, it's damn near impossible to do this. If a certificate authority goes rogue, then the browsers just need to remove their root server.

Besides, Startcom provides FREE class 1 ssl certificates and are available in every major browser (except Opera, but I believe they fixed that now). My domain runs off it, and never receiving the "WARNING" when I switch computers or browsers is very reassuring.


If you don't want the warning prompts from your own self signed certificates, then just install your signing cert into your browser. However, it's quite a hassle to get visitors to your site if they all get the warning.

Reply Parent Score: 1

jabbotts Member since:
2007-09-06

Actually, third party certificate validation isn't as rock solid as people like to think either. Unless you pay the premium protection racket fee for cert that validates all the way back up the chain (usually involving a grand or two in fees and a background check) MITM is still mostly limited by being able to position one inbetween of the two stream ends.

Mix a little Dan Kaminski DNS magic with some Moxie Marlinspike SSL MITM and whammo!

So, it's still down to bit strength and strong cert validation.

Edited 2010-05-27 18:29 UTC

Reply Parent Score: 2

Lennie Member since:
2007-09-22

As someone else explained, because of a self-signed certificate you can't be sure who you are talking too, it may be encrypted, but if it's the wrong person. Then who cares it's encrypted ?

But their are other ways:

https://www.startssl.com/
http://cacert.org/

Reply Parent Score: 2