[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Rick Moen rick at linuxmafia.com
Thu Sep 1 23:30:47 PDT 2011


Quoting Edward Cherlin (echerlin at gmail.com):

> How many people do you know who can correctly manage their own server
> at home with their own DNS?

Pretty much all of them can manage their own servers at home, and it's
entirely irrelevant whether they can manage their own DNS.

I say that because I very clearly remember putting up a Web server and
SMTP host around 1994 and having not a clue what I was doing.  So, I
consulted a couple of LDP docs and O'Reilly books, played with the
software, and learned by doing.  I had no aptitude for that:  I was a
_staff accountant_.

I have no idea why you're asking that question -- let alone the
red herring about running one's own DNS -- because they're almost
completely irrelevant to the antecedent discussion.

'Almost' because I did imply that it's useful towards being comfortable
with Internet security to have local DNS.  I'm betting, however, that
you with your outsourcing of your main Internet presence to Google, Inc.
(GMail) have no idea what I mean by that.  So, I'll explain.

On either Linux/BSD, or Macintosh OS X, or MS-Windows, pull down the
'Unbound' recursive-only DNS nameserver, precompiled and ready to run.
Start it.  Point your local resolver file (/etc/resolv.conf, on Linux)
at the IP where Unbound is running.  Done.  There is nothing to adjust.
There is nothing to administer.  It runs itself.

This is not _authoritative_ DNS, where you own and operate your own
domain (or publish authoritative DNS for a friend's domain).  Until
around 1997, I never bothered with that.  Not being anyone's fool, I got
a friend to do it for me.  'hugin.imat.com' in Richard Couture's
imat.com domain still points to my server, to this day.  All services on
my machine are reachable that way, e.g., 'rick at hugin.imat.com' still
reaches me.   The technical expertise required to do that?  I asked
Richard.

But you're really a technopeasant, aren't you?  It's all just
unthinkably difficult and arduous, even though it isn't, Mr. GMail?

> So we agree about keeping sufficiently sensitive data off the Net
> entirely. You are confident in your ability to protect less sensitive
> data on your own server, and you are very likely correct. I would not
> recommend that the less skilled try it. Would you?

See 'staff accountant', above.  Do the math.

I would recommend that anyone interested try it, keep good backups, and
see if he/she gets the hang of it over a couple of years.  It's not
fscking brain surgery, Mr. GMail.

The rest of that-all is not a discussion.  It reads like just another
time-wasting hand-waving speech and a general waste of time.
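An added example (not from the message above or from the Unbound project) of the local recursive-resolver setup Rick describes: a minimal unbound.conf that makes the packaged defaults explicit (loopback only, answer only local clients, no forwarding), and a check that the stub resolver file actually points at it. File paths and the sample resolv.conf contents are assumptions.

```sh
#!/bin/sh
# Added example: write a recursive-only Unbound config bound to loopback and
# verify that a resolv.conf hands queries to it. Paths below are assumptions.

# Write a minimal unbound.conf to the path given as $1.
# These values match Unbound's shipped defaults; they are spelled out so the
# security-relevant choices (loopback only, refuse outside clients) are visible.
write_unbound_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    port: 53
    # Serve only the local machine; refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # No forward-zone: Unbound recurses from the root hints itself.
    do-not-query-localhost: yes
    hide-identity: yes
    hide-version: yes
EOF
}

# Return 0 if the first "nameserver" line of the resolver file $1 is 127.0.0.1,
# i.e. the system stub resolver is pointed at the local Unbound instance.
resolv_points_at_loopback() {
    awk '$1 == "nameserver" { print $2; exit }' "$1" | grep -qx '127.0.0.1'
}

# After starting the daemon, a practitioner would confirm it works with
# (needs a running Unbound, so not executed here):
#   unbound-checkconf /etc/unbound/unbound.conf
#   dig @127.0.0.1 www.google.com +short
```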