libera/#maemo/ Wednesday, 2018-10-24

brolin_empeyWow, apparently even the bmw.de Web site uses Let’s Encrypt.01:42
DocScrutinizer05lol, really?02:29
DocScrutinizer05indeed https://i.imgur.com/2C5Hw2o.png  X-P02:31
totalizatorwhy not?07:39
brolin_empeytotalizator: No reason not to in my experience and opinion but DocScrutinizer05 has his reasons to buy a certificate instead of using LE.  Personally I like LE because it allows me to automate the process of renewing the certificate.  That is actually a large part of the reason I switched to LE.  The reason for using a computer in the first place is to work more efficiently by having the computer do tedious, repetitive work to save valuable human time for08:29
brolin_empeythings the computer cannot do itself, such as programming the computer.  I do not want to risk interruption of service because I have to manually renew certificates if this renewal process can be automated.08:29
brolin_empeyIn this case, though, I found it remarkable that BMW uses LE because BMW is a large company with broad brand recognition by the general public, not only by engineers.  In my experience, it seems that large companies usually still buy a conventional certificate instead of using LE, at least for their Web sites that I access as a basically English-language monoglot whose travels IRL are limited to Canada, USA including Hawaii and Alaska, and Mexico.08:33
brolin_empeyBut hey, I can speak x86 assembly language and machine code. :-P08:36
brolin_empeyIt took me around three decades of living in Canada, not Quebec though, to realise that “bonjour” literally means “good day” instead of “hello”.  I thought it meant “hello” because “hello” is usually translated to French as “bonjour” in my experience.08:39
brolin_empeyDo new road vehicles sold in continental Europe have miles on the speedometer?  It surprises me that some automakers, at least Volkswagen and Audi, no longer include miles on the speedometer of vehicles sold in Canada even though most Canadians live close to the USA, where road signs still use miles instead of metric, same as the UK.08:45
brolin_empeyI realised that if the Tesla brand was used for a diesel vehicle then the vehicle may have a “Tesla coil” indicator light. :-D08:50
brolin_empeyDoes anyone from Taiwan say “flag of Taiwan” instead of “flag of the Republic of China”?08:55
brolin_empeyStrictly speaking, there is, as far as I can tell, no flag of Taiwan, only the flag of the Republic of China, which is effectively a flag of Taiwan.08:57
brolin_empeyI mean the current flag of the ROC, not the previous flag of the ROC.08:59
brolin_empeySerious question that I thought of: What do a Commodore 64 or Commodore 128 and a car with an automatic transmission with a horizontally-moving gear selector lever have in common?09:01
Vajbharware restrictions ;)09:02
brolin_empeyOr a typewriter, which is why the early Commodore computers have the thing that is the answer.09:03
brolin_empeyThe answer is (a) shift lock as opposed to a caps lock.09:05
brolin_empeyI do not know if a vehicle with an automatic transmission with a column shifter has a shift lock because I have possibly literally zero experience driving such a vehicle.09:07
brolin_empeyI have more experience with 5.25-inch flexible disc drives than with automatic transmissions.09:08
brolin_empeyVajb: Seriously, though, does any Commodore computer truly have hardware restrictions, other than the write prevent mechanism of the flexible disc drive?  I thought that Commodore usually did not try to restrict the user of their products.09:11
brolin_empeyIt also occurred to me recently that the automotive industry may have originally had only one manual that covered both using and servicing a vehicle before splitting the service manual from the user manual?09:18
brolin_empeyDocScrutinizer05: What does “DocScrutinizer” mean?  Document(ation) Scrutinizer?  Doctor Scrutinizer?09:24
Juestobrolin_empey: doctor is most likely, perhaps look it up?10:30
Juestopfft10:30
Juestothats a silly comparsion10:31
sixwheeledbeastI assumed Doctor. the issue with certificates is it's a massive chain of trust and if that is compromised somehow it leads to false security. Cert companies have gone bust by blindly or systematically adding certs you loose that web of trust and no one will trust you.11:00
MaxdamantusDo big companies use conventional certificates because they're better, or because that's just what companies have always done?11:08
MaxdamantusYou can probably find a bunch of other technologies that are pretty much only used by big companies, mostly because it's big companies that have been around long enough to still be using them.11:10
Maxdamantusthings like Java application servers come to mind.11:10
JuestoMaxdamantus: companies use standard certificates because its whats trusted and what browsers have built in, they use their own within the trusted well known root certificate that is on the OSes11:11
sixwheeledbeastI would imagine larger companies would be happy to pay for a better known more trusted company. Also they maybe happy with the relationship they have built up with the company.11:11
MaxdamantusJuesto: browsers obviously support LE though, otherwise LE wouldn't be very useful.11:12
sixwheeledbeastIt possible BMW have got new people in to work on there web stack.11:12
Juesto?11:12
MaxdamantusJuesto: “its whats trusted and what browsers have built in”11:13
JuestoLE?11:13
MaxdamantusJuesto: LE is trusted in the same way as other CAs.11:13
MaxdamantusJuesto: letsencrypt.11:13
Juestooh right11:13
Juestoyeah, LE is pretty recent as far i gather11:13
Juestobut that one likely uses another well known root cert11:14
Juestoapologies for the little confusion i had11:14
MaxdamantusI was under the impression that LE has their own root cert(s), but I haven't looked into it.11:14
Juestogo ahead and confirm?11:15
Maxdamantus"DST Root CA X3"?11:16
MaxdamantusAh okay, that's a certificate from some "IdenTrust" .11:18
Juesto:)11:18
MaxdamantusBut that's obviously quite a lot of trust that "IdenTrust" must be putting in LE.11:20
sixwheeledbeastExactly...11:22
* Maxdamantus isn't particularly familiar with certificates, but presumably they've signed LE's certificate saying they can sign for any domain.11:22
MaxdamantusSo IdenTrust and LE are effectively the same thing here.11:23
Maxdamantus"I trust you to have as much power as I have"11:23
sixwheeledbeastWith all encryption like this you have some public key and private key. The cert co's job is as a third party to verify those keys are correct and valid.11:27
MaxdamantusWell, its job is to vouch for the association of some public key with some domain name.11:28
MaxdamantusI understand how it works in principle, just don't know the details around validation processes, the actual trust delegation, etc11:29
MaxdamantusI can't see something explicitly like "domain: *" in the information about the LE certificate through Firefox's certificate viewer, so presumably the delegation is in the form of something like "Signer"11:30
MaxdamantusI'm guessing it's the "Is a Certificate Authority" part under "Extensions > Certificate Basic Constraints"11:32
Maxdamantusso if a valid certificate says "Is a Certificate Authority", then any certificate signed by that certificate is also valid.11:33
MaxdamantusBut surely there must be other ways to delegate these things, eg, if you have a valid certificate for "*.google.com", presumably you can sign another certificate for "mail.google.com", without being a CA.11:34
MaxdamantusGoogle has at least one of these CA certificates too.11:42
Maxdamantusissued by GlobalSign11:42
sixwheeledbeastGoogle have Google Trust Services11:45
sixwheeledbeastSuperfish...11:51
* sixwheeledbeast shudders11:51
Vajbhmm I wonder, if company x trusts company y and company y trusts company x. Who is to say that x and y are trustworthy?12:14
Vajbquestion raised while reading a backlog12:15
MaxdamantusVajb: the trust statements are backwards relative to how certificates normally work.12:16
MaxdamantusIt should be "y is trusted by x" and "x is trusted by y", since that's what's in the certificates ("y is trusted by x" -> "y includes a signature produced by x")12:17
KotCzarnyi think vajb wants to know who is at the top of trust12:18
Vajbhmm ok, Im still not quite there yet or maybe what KotCzarny said...12:19
Maxdamantusbut what's imporant is whether you can follow the "_ is trusted by _" relations to a certificate that you're willing to inherently trust, which will happen in this case if either certificate exists in the browser's/OS' certificate store.12:19
Maxdamantusafaik, being a "root" is not really important.12:20
VajbI thought more of as is there company z who says x and y are trustworthy12:21
KotCzarnyno? someone decides who can get in and when and at what conditions12:21
Vajbbut is this more related to blockchain?12:22
KotCzarnyand i suppose those in lower roots have to agree to some root conditions12:22
Maxdamantusunless "root" means "exists in the browser's/OS' certificate store"12:22
Maxdamantusas opposed to being issued by itself.12:22
KotCzarnycertificate stores usually use whatever is popular/"trusted"12:23
Vajbso browser creator gets to decide what certificates his browser has by default?12:26
KotCzarnyyes12:26
KotCzarnyunless they use system's one12:26
Vajbor maybe develober instead of creator...12:26
Vajbdeveloper*12:26
KotCzarnybut since browser's had to be consistent, they bundle certs themselves12:27
Vajbah os has its own certificates too?12:27
KotCzarnysome specific builds might use system's one12:27
KotCzarnyyeah12:27
Vajbhmm12:27
KotCzarnyin debianish world they usually come as ca-certificates package12:27
KotCzarnybut curl packs it's own often12:28
Vajbif some rogue developer puts some dubious certificates in his store would it be possible to them to spread and compromise whole chain of trust?12:28
KotCzarnyso basically it's a mess, which wouldnt be a mess in updated and supported distro12:28
KotCzarnyyup12:28
KotCzarnybut it would only be used by a that particular app12:29
KotCzarnyunless it goes rogue and modifies system12:29
Vajband that _could_ be possible with, say LE?12:29
KotCzarnynah, LE is different story12:29
Vajbok, Im trying to wrap my head around why it is starbge that BMW uses LE.12:30
Vajbstrange*12:30
Juestoeh, its a standard-ish thing12:30
KotCzarnybecause LE is new kid on the block12:30
Juestoroot certificates are like the root domains, they're on top of the chain12:30
KotCzarnyand we have yet to see how well they manage things12:30
Juestoif LE was a root cert on its own it would have been perhaps a little more exposed/scandalous/newsworthy12:31
Vajbah so it trust exp runs quite low still and it needs few level ups ;)12:32
Juestoits more a service12:33
VajbI see.12:33
Juestoapparently12:33
Juestodont quote me12:33
Juestoneither rely12:34
KotCzarnyalso, their value gets undermined by a 'free cert for everyone' idea12:34
KotCzarnywhich basically includes malware12:34
Juestopfft12:34
Juestowhat a scam(?)12:34
KotCzarnyuser might see 'oh it's a trusted site' without checking who is the owner of the cert12:34
Vajbso should we always check who issued the cert? And even block some certs if they seem dubious?12:37
KotCzarnyno, who owns the cert12:38
KotCzarnyissuers are trusted12:38
VajbI think I never checked any certs12:38
Juestoissuer != owner12:38
KotCzarnybut they might sell/issue cert to dubious entity12:38
Vajbah missed that part12:38
Vajbactually I recall firefox complaining about certs being old in some page12:39
Vajb(I know this is not related to this)12:39
Vajbhmm that12:40
Juestomust have been your clock or your store being outdated12:40
KotCzarnyor old browser without updated certs12:41
Vajbor I was in some shady back alley of internet12:41
KotCzarnymight be that too12:41
Juestolel12:41
Juestooh ya you reminded me12:42
VajbI backed off, if you wonder ;)12:42
Juestoyes some internet connection can cause issues with certs12:42
Juestoand browser warnings12:42
Juestoespecially flaky ones12:42
Vajbhmm can't recall if it was home or with some "free" wlan12:42
Juestothere you go12:43
Juestowifi can be terrible12:43
Vajbyup. That's why I don't use anything sensitive anymore while on free wifi12:45
Vajblike on holidays12:45
Juesto:)12:47
Maxdamantus23:28:39 < Vajb> if some rogue developer puts some dubious certificates in his store would it be possible to them to spread and compromise whole chain of trust?12:50
MaxdamantusIn his own store? Then he's just compromising whatever software uses that store.12:51
MaxdamantusThe trust store isn't going to magically replicate to other machines.12:51
MaxdamantusThe rogue developer would need to do something like change what certificates are distributed as part of something like a Firefox package, or curl or ca-certificates.12:52
Maxdamantus(by "a Firefox package", I mean the package used for something like Debian)12:53
MaxdamantusBut ultimately, the "top" of the trust chain is the stuff running on your system.12:55
MaxdamantusSince it's your browser that decides to look in certain places on the filesystem for certificates, and it's your harddrive that decides to return the blocks in the filesystem that happen to be stored certificates, and it's your CPU that decides to execute the browser's code in the correct way.12:57
KotCzarnytop, but still uses trust from the internet12:58
KotCzarnyso not the toppish top12:58
MaxdamantusBut you can say that about any CA, not just the "root" ones.12:59
KotCzarnyyup12:59
Maxdamantusand since LE has a valid CA certificate, they're already fully trusted through these chains.12:59
Maxdamantuswhether that trust comes from certificates stored directly in Firefox/ca-certificates, or from another such certificate signing LE's one.13:00
Maxdamantusactually, LE is already such a certificate on my system.13:04
Maxdamantusso it's trusted by both my browser directly, and by DST (which my browser trusts directly)13:06
sixwheeledbeastAn issue is something like superfish, someone gets a fake cert into peoples cert store either through browser or bundled by manufacturer. In this example it was a fake Google cert so you think TLS is working. Malware can then MITM your data on your machine, potentially leaving you with your private and public keys written to your drive in plaintext, that's bad.14:49
sixwheeledbeastOlder companies are more trusted and therefore further up the web of trust.14:51
sixwheeledbeasts/Older/Established14:51
MaxdamantusWell, the superfish case is kind of analogous to just including actual software that can be considered malware.20:37
Maxdamantuseg, some program that automatically runs and manipulates memory used by web browsers such that it shows websites as being safe when they're not.20:37
MaxdamantusIt's basically using the same "attack" vector: you control distribution of software, so you can control what the software does, either by including bad/modified software, or by including bad/modified "data" along with that software, such as certificates.20:38
Maxdamantusnote: the point of the above comments is: superfish is not the fault of any particular trust system, since any trust system is vulnerable to attacks involving control over software distribution.20:53
DocScrutinizer05>><brolin_empey> DocScrutinizer05: What does “DocScrutinizer” mean?  Document(ation) Scrutinizer?<<  <<-that22:08
brolin_empeyDocScrutinizer05: OK.22:09
DocScrutinizer05lice prolly all Nicks this one got 'designed' by a creative process and been inspired by "Mr Reisenweber eats documents for breakfast<< (quote of a colleague), Frank Zappa's "Joe's Garage", and the character of DocHoliday22:10
DocScrutinizer05https://en.wikipedia.org/wiki/Doc_Holliday22:12
DocScrutinizer05oops, the quote of my colleage actually was >>joerg eats datasheets for breakfast<<22:17
DocScrutinizer05but there's no 3char file extension specific for datasheets ;-D22:18
DocScrutinizer05it's surprising how often the reference to Joe's Garage gets instantly noticed though22:20
sixwheeledbeastCSVScrutinizer0523:10
DocScrutinizer05:-D23:40

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!