* Posts by sdaugherty

7 publicly visible posts • joined 12 Sep 2014

Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts plot

sdaugherty

Re: OK, then let's focus on really strict security

> Somewhere along the lines I lost the plot on why shorter lifespans are regarded as more secure.

The problem they are trying to solve is certificate revocation. It sucks. It's unreliable since it largely relies on certificate revocation lists, which require larger and larger downloads over time, are cached, and can silently fail to update. The only real alternative to CRLs that got any traction at all was OCSP, which is gradually being phased out because it's both unreliable and an invasion of privacy. Since all the current solutions for revocation suck, the browser vendors and most certificate authorities want to replace certificate revocation with certificate expiration, so eventually they don't have to deal with revocation at all. In the meantime, the shorter periods help keep the CRL lists shorter, since entries can fall off as certificates expire.

Reducing validity down to 90 days or 45 days, or the even shorter periods we'll eventually see, is part of a scheme to cause increasing amounts of pain to gradually force sysadmins to automate, and to pressure vendors into supporting that automation, without being completely debilitating to those that can't yet automate. This in turn eventually gets us down to the magic 7 days or less, at which point CAs and browsers no longer have to implement certificate revocation at all, per the policy adopted in CA/Browser Forum Ballot SC-063.
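The claim above that shorter validity keeps CRLs shorter because revoked entries fall off at expiry can be shown with a small model. The following is an added example, not code from the post or from any CA; the issuance rate, revocation rate and revocation delay are constructed parameters, and the model treats a CRL entry as droppable the day its certificate expires.

```python
"""Added example: how certificate validity length bounds the size of a CRL.

Constructed model (not from the post): a CA issues ISSUED_PER_DAY certificates
each day, each valid for `validity_days`. Of every day's batch, REVOKED_PER_DAY
are revoked REVOKE_AFTER days after issuance. A revoked certificate only has to
stay on the CRL until its own notAfter passes; after that the entry can be
dropped, which is exactly why short lifetimes keep the list small.
"""
from dataclasses import dataclass
from typing import List, Optional

ISSUED_PER_DAY = 100    # constructed: certificates issued per day
REVOKED_PER_DAY = 5     # constructed: how many of each day's batch get revoked
REVOKE_AFTER = 3        # constructed: days between issuance and revocation


@dataclass(frozen=True)
class Cert:
    issued: int             # day number the certificate was issued (notBefore)
    expires: int            # first day on which it is no longer valid (notAfter)
    revoked: Optional[int]  # day number it was revoked, or None if never revoked


def issue_certs(days: int, validity_days: int) -> List[Cert]:
    """Issue certificates for day 0 .. days-1 under the model above."""
    certs = []
    for day in range(days):
        expires = day + validity_days
        for n in range(ISSUED_PER_DAY):
            revoked = day + REVOKE_AFTER if n < REVOKED_PER_DAY else None
            # Revoking an already-expired certificate is pointless: no CRL entry.
            if revoked is not None and revoked >= expires:
                revoked = None
            certs.append(Cert(day, expires, revoked))
    return certs


def crl_entries(certs: List[Cert], today: int) -> List[Cert]:
    """Entries a CRL published on `today` must still carry.

    A certificate is listed only while it is both revoked and unexpired;
    once `expires` is reached the relying party rejects it anyway.
    """
    return [c for c in certs if c.revoked is not None and c.revoked <= today < c.expires]


def crl_size(validity_days: int, today: int) -> int:
    """Size of the CRL on `today` for a CA issuing with the given validity."""
    return len(crl_entries(issue_certs(today + 1, validity_days), today))


if __name__ == "__main__":
    # Steady state after 500 days: each revoked batch lingers validity - REVOKE_AFTER days.
    for validity in (90, 45, 7):
        print(f"{validity:3d}-day certificates -> CRL carries {crl_size(validity, 500)} entries")
```

In steady state the list holds `REVOKED_PER_DAY * (validity_days - REVOKE_AFTER)` entries, so with these constructed numbers a 90-day lifetime leaves 435 entries on the CRL, 45 days leaves 210, and 7 days leaves 20; the revocation rate is identical in all three runs, only the time each entry must be retained changes.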

systemd-free Devuan Linux hits version 1.0.0

sdaugherty

An elegant init system according to UNIX philosophy is a system that does exactly as little as possible, in the simplest and sanest way, so as to be functional at its intended task.

init should not have an attack surface, it should not handle anything more than necessary - its purpose is to start the rest of processes needed for the system to function. Implementing runlevels, parallel startup, dependencies, and process supervision are potentially sensible additions, that don't raise the footprint very much.

For me, the part that is unforgivable about systemd is that it is invasive. Its very existence is a threat to the fundamental architectural principles of simplicity, isolation, transparency, and modularity that were so central to the success, stability and widespread adoption of UNIX and Linux. We're seeing deep dependencies on systemd in software that should have no reason to be aware of an init system, much less interact with one.

You know IoT security is bad when libertarians call for strict regulation

sdaugherty

Re: Known knowns, known unknowns, and unknown unknowns

How about, give the user full and complete control over hardware they legally own and what software runs on it via the necessary documentation and access to modify it, otherwise no disclaimers or waivers of liabilities allowed?

It won't completely solve the problem, but it will at least stop people from being stuck with vulnerable products with no possibility of fixing them.

Twas the week before Xmas ... not a creature was stirring – except Microsoft admitting its Windows 10 upgrade pop-up went 'too far'

sdaugherty

They'd have been better off to declare Windows 10 as a service pack from day 1.

Playing devil's advocate here, but a much more effective, and much less antagonistic, response from Microsoft would have been to declare from day 1 that the upgrade to Windows 10 was a service pack to all supported upgrade paths, and therefore a mandatory upgrade for anyone who wants to continue getting support.

It would have gotten them bad press, and complaints, sure, but those would have blown over quickly, instead of the gradually escalating war on users that was the Windows 10 promotion.

In the end, Microsoft could have preserved a lot of goodwill with this approach, gotten to their adoption goals quickly, and consolidated everyone onto a single supported platform.

Password strength meters promote piss-poor passwords

sdaugherty

At this point, with the problem of password reuse, why are we even allowing users to pick their own passwords? Unless it's something like a desktop login password, give them a random password of 24 or more characters and tell them to save the damn thing in a password manager.

"Here's your new password, you won't be able to type it, much less remember it. Please save it in your password manager and enter it twice now."
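As an added example (not code from the post), the server-side flow the post argues for: the service generates a random password of at least 24 characters from the standard library's CSPRNG, hands it to the user once, and stores only a salted, stretched hash of it. The alphabet, minimum length and PBKDF2 iteration count are constructed choices for the example.

```python
"""Added example: assign users a random password instead of letting them pick one.

Assumptions (constructed for this example): a 94-character printable alphabet,
a 24-character minimum, and PBKDF2-HMAC-SHA256 with 600,000 iterations for
storage. Only the salt and digest are persisted; the password is shown once.
"""
import hashlib
import hmac
import math
import secrets
import string
from typing import Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 24          # the post's floor: too long to type or remember
PBKDF2_ITERATIONS = 600_000


def issue_password(length: int = MIN_LENGTH, alphabet: str = ALPHABET) -> str:
    """Return a fresh random password; refuse anything below the policy floor."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    # secrets.choice draws from os.urandom, unlike random.choice.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Derive the stored (salt, digest) pair; a new 16-byte salt per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive and compare in constant time so timing does not leak prefix matches."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    pw = issue_password()
    salt, digest = hash_password(pw)
    print(f"Here's your new password: {pw}")
    print(f"  ~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits of entropy; please save it in your password manager.")
    print("stored:", salt.hex(), digest.hex()[:16] + "...")
    print("verify ok:", verify_password(pw, salt, digest))
```

With a 94-symbol alphabet, 24 characters gives roughly 157 bits of guessing entropy, which is far beyond anything a strength meter would coax out of a human-chosen password, and reuse across sites becomes impossible by construction because the user never chooses the value.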

Pointless features add to browser bloat and insecurity

sdaugherty

Study fails to consider one thing... Flash

A lot of the technologies that are being cited as "useless" in the study exist as part of efforts to be able to deliver a plugin-free experience - that is, to end reliance on things like Flash.

Along the way, this turned into a bloated mess, but some of these lesser-used technologies are essential if we want to truly be rid of the need for browser plugins.

Some of them aren't more widely used because they are definitely very niche, but they are starting to see use - WebRTC is being used to bring videoconferencing like Skype into the browser, the various specs related to video are being used to deliver Flash-free video and are used on video streaming sites already, WebGL and the gamepad API are there to unseat Flash's stranglehold on gaming, and so on.

On the other hand, quite a few of these I recognize as being central to Mozilla's now-defunct FirefoxOS platform - bits and pieces that were implemented to make web pages behave like native apps, which were rarely used and possibly not even widely enabled outside of FirefoxOS apps.

There's definitely room to trim some fat regardless. Of the features mentioned, a lot of them are excessively complicated, many of them are redundant, and many more of them need to be locked down under permission so that they don't get adopted widely by advertisers and malware. HTML5 video, for example, would be a better experience for users if it were behind a permission, so that videos never just start playing. There's only a handful of sites where I actually WANT videos to play on, places like YouTube.

Going forward, what I'd like to see is the bare minimum of what's required to allow web applications to do things that currently require plugins - the simplest, smallest, cleanest, most easily audited implementation possible - and everything "niche" that an *average* website wouldn't use locked down behind granular permissions, as Geolocation, Notifications, Webcam/Microphone use, mouse capture, and other things already are.

I'd also like to see as much effort going into fixing web advertising as has gone into these seldom-used features. Not killing it, fixing it, so that publishers get paid, users are not tortured, privacy is respected, advertising ceases to be a malware vector, sites are not slowed to a crawl, and we no longer need an ad-blocker just to have a usable browser. I'd like to see a serious effort to impose a code of conduct and technical guidelines on advertisers, and war waged on those that don't fall into line. Something along the lines of this - audio/video ads only allowed to be delivered with audio/video content, otherwise static header and sidebar ads only, all ads to be surrounded by an advertisement border or watermark, etc. We've got to reach an end to the advertiser arms race, and sites that break those rules and use abusive practices should start finding themselves in the malware blacklists.

It's a pain in the ASCII, so what can be done to make patching easier?

sdaugherty

Make security as painless as possible, and make insecurity as painful as possible.

At the same time that we're trying to make patching painless - which is a very admirable goal - we should also be looking at how to make not patching as inconvenient as it is insecure. Provide both the carrot (easy, even automatic updates that preserve application state) and the stick (mandatory security prompts for everything until you apply the updates).

Address the psychology of not updating technologically - make users hate using unpatched applications.