[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Rick Moen rick at linuxmafia.com
Wed Aug 31 14:41:15 PDT 2011


Quoting Edward Cherlin (echerlin at gmail.com):

> The best advice I know is never to put data on the Internet unless you
> are willing to see it published on the front page of the New York
> Times. Not just Usenet postings that are publicly available to search
> on Google, _anything_.

The 'best advice you know' is pretty _bad_ advice.  Terrible, in fact.

I'm really comfortable putting significant amounts of my personal
sensitive data on my own server, administered by me in my own house,
using my own DNS and my own first-stage routers, onto the Internet.
(It doesn't have my medical data or my finances; some things are
sufficiently sensitive that they're best kept mostly on paper.)

However, I'm also really comfortable using my own open-source Web
browser on my own open-source OS installation on my own workstation to
reach across an SSL link over the Internet to discuss confidential
medical matters with doctors at Kaiser Permanente.

I'm really comfortable using that same Web client setup to talk to my
bank and some credit-card vendors about my private finances and credit
accounts.

I'm not willing to see any of that on the front page of the _New York
Times_.  However, since I understand the risk models in question, I know
how highly improbable disclosure through technical-level failure is.

You know what really offends me as an open-source person?  Conditioned
helplessness.  And that is what attitudes like the one you express,
above, lead to.  I write about how to curtail and control security
exposures so people do _not_ need to 'never put data on the Internet
unless you are willing to see it published on the front page of the _New
York Times_', making the existence of thieves, rogues, and incompetents 
at crypto companies, domain registrars, etc. _not_ a disaster -- and one
might say that a large part of my entire profession revolves around
people who hold your view being wrong.
