Linked by Thom Holwerda on Thu 21st Nov 2013 23:46 UTC
Internet & Networking

"We can end government censorship in a decade," Schmidt said during a speech in Washington. "The solution to government surveillance is to encrypt everything."

Setting aside the entertaining aspect of the source of said statement, I don't think encryption in and of itself is enough. Encryption performed by companies is useless, since we know by now that companies - US or otherwise - are more than eager to bend over backwards to please their governments.

What we need is encryption that we perform ourselves, so that neither governments nor companies are involved. I imagine some sort of box between your home network and the internet, that encrypts and decrypts everything, regardless of source or destination. This box obviously needs to run open source software, otherwise we'd be right back where we started.

Is something like that even possible?

Thread beginning with comment 577404
RE[5]: Comment by pcunite
by Alfman on Sun 24th Nov 2013 20:19 UTC in reply to "RE[4]: Comment by pcunite"
Alfman (member since 2011-01-28)

Lennie,

"If you are a provider, you really do pay only 10 euros per cert per year, maybe even 10 dollars. This isn't just some cheap provider that doesn't work. That is from the widely known CAs."

I honestly haven't seen them anywhere for quite that low. Big brands are still expensive; for example, Thawte's cheapest domain cert is still $150/yr, Verisign too. Although many of us don't care for premium brand status, most other CAs seem to be in the $50-70/year range (i.e. InstantSSL, RapidSSL, GoDaddy). I really needed to shop around to find a reseller for $14 (RunSSL), which is the cheapest price I've seen other than free trials. All these prices are for the basic domain validation certs.

I'm very surprised StartSSL is now offering domain certs for free, this is news to me and it doesn't appear to be a trial offer. Thanks for mentioning it!


"Yep, that is what domain validation is. It's just a check if you control the domain."

I realize that, however isn't it ironic that they are contacting you through channels that are vulnerable to the same kind of man in the middle attack that their certs are supposed to protect against? There are a few high profile cases where a CA issued certs to a fraudulent party, I wonder how often this happens to small guys without detection or making the news?


"If someone can prove they control your domain to an other browser supported CA then they'll get a cert for your domain. There is really nothing special about the different CAs. Any CA will do."

This is why I said that *everyone's* SSL security gets reduced to the security of the weakest CA. It's even technically plausible that some CAs could be a front for a government operation with the intention of issuing fraudulent CAs to the government. We implicitly have to trust the CAs, yet nothing makes them inherently trustworthy.


RE[6]: Comment by pcunite
by Lennie on Sun 24th Nov 2013 20:56 in reply to "RE[5]: Comment by pcunite"
Lennie (member since 2007-09-22)

So I work at a hosting provider. RapidSSL from GeoTrust and EssentialSSL from Comodo are really 10 and 13 euros (a little over 13 and 17.5 dollars).

StartSSL is cool. But selling free certs to customers feels a bit weird. ;-) Also the free certs display an email address in the cert-name, they call it a 'personal cert' (slightly unusual, but works).

StartSSL is cool because they do things like: if you certify your organization you can get unlimited certs for all your domains. Including SAN/UCC and wildcard.

That is 118 dollars for 2 years of free certs.

Governments yes, lots of fun there too. Look up the CNNIC controversy. There are over 1500 CAs that your browser trusts (indirectly) says the SSL observatory.

Do YOU trust them ? All of them ? ;-)

Anyway, summary, always remember: certs are a race to the bottom. EV certs only exist because the normal certificates became only domain-verified certs. They used to be validated like the EV certs are now.

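The two posts above make one technical point between them: every root in the browser's trust store (Lennie's "over 1500 CAs") can issue a certificate for any domain, so the security of every site is bounded by the weakest CA, and the only way a relying party can opt out of that is to decide for itself which issuer it will accept. The following added example is not part of the thread and was not written by either commenter. It uses only the Python standard library: it counts the roots in the local OpenSSL trust store, and it checks a peer certificate against a pinned issuer in addition to the hostname, so that a correctly named certificate from some other trusted CA is rejected. The certificate dictionaries are constructed for illustration in the shape that `ssl.SSLSocket.getpeercert()` returns; they are not real certificates, and the issuer names are taken from the thread only as labels.

```python
"""Added example (not from the thread): count trusted roots and pin an issuer.

Standard library only. The certificate dicts below are constructed samples in
the shape returned by ssl.SSLSocket.getpeercert(); they are not real certs.
"""
import ssl


def trusted_root_count() -> int:
    """Return how many root CA certificates the local default trust store holds.

    Any of these roots, or any intermediate they sign, can issue a certificate
    for any hostname: this is the 'weakest CA' problem discussed above.
    """
    ctx = ssl.create_default_context()  # loads the platform's default CA bundle
    return len(ctx.get_ca_certs())


def name_attr(rdn_seq, attr):
    """Pull attribute `attr` (e.g. 'organizationName') out of a getpeercert()
    style name: a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def hostname_matches(peer_cert, hostname):
    """Exact or single-label wildcard match against subjectAltName DNS entries.

    A wildcard only covers one label ('*.example.com' matches 'www.example.com'
    but not 'a.b.example.com' or 'example.com').
    """
    host = hostname.lower()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.")
                and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False


def issuer_allowed(peer_cert, allowed_issuers):
    """Issuer pinning: accept the certificate only if its issuer's
    organizationName is one the relying party chose in advance."""
    issuer = name_attr(peer_cert.get("issuer", ()), "organizationName")
    return issuer is not None and issuer in allowed_issuers


def check_peer(peer_cert, hostname, allowed_issuers):
    """Full check: the name must match AND the issuer must be pinned.

    Chain validation is assumed to have been done already by the TLS library;
    this is the extra step that removes the 'any of 1500 CAs' exposure.
    """
    return (hostname_matches(peer_cert, hostname)
            and issuer_allowed(peer_cert, allowed_issuers))


# Constructed sample: the certificate the site operator actually bought.
EXPECTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: same hostname, valid chain, but issued by a different
# trusted CA. Plain chain + hostname validation would accept this.
ROGUE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Some Other Trusted CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# The one issuer the operator of www.example.com decided to trust.
PINNED_ISSUERS = {"GeoTrust Inc."}


if __name__ == "__main__":
    print("roots in local trust store:", trusted_root_count())
    print("expected cert accepted:",
          check_peer(EXPECTED_CERT, "www.example.com", PINNED_ISSUERS))
    print("rogue cert accepted:   ",
          check_peer(ROGUE_CERT, "www.example.com", PINNED_ISSUERS))
```

Note that `hostname_matches(ROGUE_CERT, "www.example.com")` is true: the rogue certificate is rejected only because of the issuer pin, which is exactly the check a browser does not perform on its own. On a real connection the dict passed to `check_peer` would come from `sock.getpeercert()` after the normal handshake and chain validation.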

RE[7]: Comment by pcunite
by Alfman on Mon 25th Nov 2013 06:35 in reply to "RE[6]: Comment by pcunite"
Alfman (member since 2011-01-28)

Lennie,

"So I work at a hosting provider. RapidSSL from GeoTrust and EssentialSSL from Comodo are really 10 and 13 euros (a little over 13 and 17,5 dollars)."

I sell hosting services too ;)

So you're talking about volume discounts then... I was talking about consumer market prices (RapidSSL running at $49 right now). Nevertheless, I guess you must be big enough to negotiate prices significantly down? I really tried to become an SSL reseller for my hosting business earlier this year with several of the SSL providers (including Comodo); however, I discovered that for small businesses like myself, reseller prices were just as expensive as the market prices, and then my profits would be $0 - overhead if I charged market prices. If you can get me connected to someone who can offer cheaper prices I might take advantage of that.

As of right now I tell clients to buy the certs themselves and I charge them for my time in setting their environment up for them, which may be worth more to me than reselling certs anyways.

Edit: I'm looking at RapidSSL's reseller program right now (they are resellers for GeoTrust). Their reseller prices start at $34/year; at 50 certs you are still paying $24/cert/year. How many do you need to sell to get down to $13/cert?

https://products.geotrust.com/geocenter/reseller/register.do?partner...

Isn't it funny that reseller prices are higher than the end user prices from RunSSL?

Edited 2013-11-25 06:53 UTC
