Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said: I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted

Re: Join my network on LinkedIn

2013-01-02 Thread JP Viljoen
On 02 Jan 2013, at 3:20 PM, Luis Palma Lopez via LinkedIn mem...@linkedin.com wrote: snip This email was intended for ***Ted Fischer*** snip A whole new year and things are still the same… -J

RE: looking glass for Level 3

2013-01-02 Thread Siegel, David
Hi Folks, The site is offline as a result of some security issues that were discovered. As soon as we've got it patched we'll put it back online. Sorry for any inconvenience this may be causing. Dave -Original Message- From: N. Max Pierson [mailto:nmaxpier...@gmail.com] Sent:

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:53 AM, valdis.kletni...@vt.edu wrote: On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said: I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of

Re: Join my network on LinkedIn

2013-01-02 Thread Sean Lazar
I sent an unsubscribe request. Why Linkedin makes this so difficult, is beyond me. They should just put an unsubscribe link in the email like everyone else does. On 1/2/13 5:25 AM, JP Viljoen wrote: On 02 Jan 2013, at 3:20 PM, Luis Palma Lopez via LinkedIn mem...@linkedin.com wrote: snip

Re: Join my network on LinkedIn

2013-01-02 Thread Brielle Bruns
On 1/2/13 10:03 AM, Sean Lazar wrote: I sent an unsubscribe request. Why Linkedin makes this so difficult, is beyond me. They should just put an unsubscribe link in the email like everyone else does. On 1/2/13 5:25 AM, JP Viljoen wrote: On 02 Jan 2013, at 3:20 PM, Luis Palma Lopez via LinkedIn

Re: Join my network on LinkedIn

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 8:25 AM, JP Viljoen froztb...@froztbyte.net wrote: On 02 Jan 2013, at 3:20 PM, Luis Palma Lopez via LinkedIn mem...@linkedin.com wrote: snip This email was intended for ***Ted Fischer*** snip A whole new year and things are still the same… Out of curiosity... how

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Sun, Dec 30, 2012 at 10:46 PM, John Levine jo...@iecc.com wrote: So the only assurance a signed cert provides is that the person who got the cert has some authority over a name that points to the mail client What other assurance are you looking for? The only point of a signed server

Re: Join my network on LinkedIn

2013-01-02 Thread Chris Adams
Once upon a time, Brielle Bruns br...@2mbit.com said: Needless to say, I'm starting to get a little annoyed with this behavior as well. Put eBay on the list of annoying as well. Somebody put my Gmail address in their eBay account before Christmas, and there is no way for me to stop getting

Re: Join my network on LinkedIn

2013-01-02 Thread Warren Bailey
Isn't this what verification emails are meant to curb? I could have sworn LinkedIn made you verify your email before you can play. From my Galaxy Note II, please excuse any mistakes. Original message From: Chris Adams cmad...@hiwaay.net Date: 01/02/2013 10:13 AM (GMT-08:00)

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 1:08 PM, William Herrin b...@herrin.us wrote: As for Google (and anyone else) it escapes me why you would require a signed certificate for any connection that you're willing to also permit completely unencrypted. Encryption stops nearly every purely raising the bar for

Re: Join my network on LinkedIn

2013-01-02 Thread Rich Kulawiec
This isn't new. It's been LinkedIn's practice since approximately forever to get its users to surrender their address books and then to spam [1] every address in them. The fix is simple: block linkedin.com at the MTA. [2] ---rsk [1] It's unsolicited bulk email, therefore spam. We could argue

Re: Join my network on LinkedIn

2013-01-02 Thread Nick Hilliard
On 02/01/2013 17:03, Sean Lazar wrote: I sent an unsubscribe request. Why Linkedin makes this so difficult, is beyond me. They should just put an unsubscribe link in the email like everyone else does. If you're not a user of linkedin, you can stop this by sending an email to

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: goodness-scale (goodness to the left) signed self-signed unsigned Hi Chris, Self-signed and unsigned are identical. The goodness scale is: Encrypted Verified (signed) Encrypted Unsigned (or self-signed,

[NANOG-announce] NANOG 57 Update

2013-01-02 Thread Betty Burke be...@nanog.org
Colleagues: Welcome to 2013! NANOG 57, our first meeting of the new year, scheduled for Monday, February 4-6, 2013 in sunny Orlando is well underway. The NANOG Program Committee will be sharing agenda information very soon. As always it will be linked to the NANOG 57 meeting

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker. It's purely a technical matter. While I agree with your general characterization

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: goodness-scale (goodness to the left) signed self-signed unsigned Hi Chris, Self-signed and unsigned are identical. The goodness scale

ATT/Bellsouth Mail

2013-01-02 Thread Nick Olsen
Looking for a contact at ATT/Bellsouth regarding email acceptance. (@bellsouth.net) I've been unable to send them mail with a 550 Error (Blocked for abuse) and have requested de-listing no less than 5 times. Not getting anywhere, Normal contact routes have failed. Nick Olsen Network

RIPE Database Proxy Service Issues

2013-01-02 Thread Axel Pawlik
[Apologies for duplicate emails] Dear colleagues, There has been discussion on various mailing lists regarding the status of the RIPE Database Proxy Service. Before I address the issues that arose, I'd like to give you some background information on the service itself that may help with the

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 3:10 PM, George Herbert george.herb...@gmail.com wrote: On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker.

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 3:24 PM, Christopher Morrow morrowc.li...@gmail.com wrote: I think though that the 'a question for the information owner' is great, except that I doubt most of them are equipped with enough information to make the judgement themselves. Much of the evil in the world

Re: Gmail and SSL

2013-01-02 Thread John R. Levine
Are you, at this moment, able to acquire a falsely signed certificate for www.herrin.us that my web browser will accept? Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their filtering firewalls. Regards, John

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 2:27 PM, William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 3:10 PM, George Herbert george.herb...@gmail.com wrote: On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such

Re: RIPE Database Proxy Service Issues

2013-01-02 Thread Rodney Joffe
Hell Axel, On Jan 2, 2013, at 11:00 AM, Axel Pawlik ripencc-managem...@ripe.net wrote: [Apologies for duplicate emails] Dear colleagues, There has been discussion on various mailing lists regarding the status of the RIPE Database Proxy Service. We do apologise, however, that the

Re: RIPE Database Proxy Service Issues

2013-01-02 Thread Warren Bailey
This looks to be a happy ending. I thought we were going to get to see a fight. ;) From my Galaxy Note II, please excuse any mistakes. Original message From: Rodney Joffe rjo...@centergate.com Date: 01/02/2013 2:51 PM (GMT-08:00) To: ripencc-managem...@ripe.net Cc:

Re: Gmail and SSL

2013-01-02 Thread Randy Bush
Do you run Cert Patrol (a Firefox extension) in your browser? yes, but my main browser is chrome (ff does poorly with nine windows and 60+ tabs). there is some sort of pinning, or at least discussion of it. but it is not clear what is actually provided. and i don't see evidence of churn

Re: Join my network on LinkedIn

2013-01-02 Thread Randy Bush
procmail is your friend and what's linkedin?

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:15 PM, Randy Bush ra...@psg.com wrote: Do you run Cert Patrol (a Firefox extension) in your browser? yes, but my main browser is chrome (ff does poorly with nine windows and 60+ tabs). there is some sort of pinning, or at least discussion of it. but it is not clear

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine jo...@iecc.com wrote: Are you, at this moment, able to acquire a falsely signed certificate for www.herrin.us that my web browser will accept? Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 5:43 PM, George Herbert george.herb...@gmail.com wrote: If push came to shove and minor legalities were not restraining me, I recall (without checking) your domain's emails come to your home, and your DSL or cable line is sniffable, so any of the CA who email URL

Re: Gmail and SSL

2013-01-02 Thread Gary E. Miller
Yo William! On Wed, 2 Jan 2013 19:42:16 -0500 William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 5:43 PM, George Herbert george.herb...@gmail.com wrote: If push came to shove and minor legalities were not restraining me, I recall (without checking) your domain's emails come to

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their filtering firewalls. That's not the case join is referring to. The governments in question are

Re: Gmail and SSL

2013-01-02 Thread Seth David Schoen
Steven Bellovin writes: The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at http://www.chromium.org/administrators/policy-list-3, and while I don't know how current it is you'll notice

Re: Gmail and SSL

2013-01-02 Thread Matthew Palmer
On Wed, Jan 02, 2013 at 07:35:49PM -0500, William Herrin wrote: A reputable SSL signer would have to get outed just once issuing a government a resigning cert and they'd be kicked out of all the browsers. They'd be awfully easy to catch. I believe Honest Achmed said it best: In any case by

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 8:39 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: A reputable SSL signer would have to get outed just once

Re: Gmail and SSL

2013-01-02 Thread Jimmy Hess
In resp, On 1/2/13, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote: There's a bit more trust (not much, but a bit) to be attached to a cert signed by a reputable CA over and above that you should attach to a self-signed cert you've never seen before. [snip] Absolutely. A certificate

Re: Gmail and SSL

2013-01-02 Thread Keith Medcalf
No more difficult at all. A MITM is a MITM. The attack is the same and intteger-store-bought certificates make the process neither more nor less complicated. Sent from Samsung Mobile Original message From: William Herrin b...@herrin.us Date: To: George Herbert

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 8:25 PM, Seth David Schoen sch...@loyalty.org wrote: Steven Bellovin writes: The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at

Re: Gmail and SSL

2013-01-02 Thread Masataka Ohta
William Herrin wrote: The governments in question are watching for exfiltration and they largely use a less risky approach: they issue their own root key and, That is a trusted first party. Masataka Ohta

Re: Join my network on LinkedIn

2013-01-02 Thread Jimmy Hess
On 1/2/13, William Herrin b...@herrin.us wrote: Out of curiosity... how did mem...@linkedin.com get subscribed to nanog and, if it isn't, how did the message from mem...@linkedin.com make it to the list? Whatever happened to ' Only humans who bothered to read the directions and subscribed to

Re: Gmail and SSL

2013-01-02 Thread Jimmy Hess
On 1/2/13, Steven Bellovin s...@cs.columbia.edu wrote: [snip] It's a shame they've stuck with a hardcoded list of Acceptable CAs for certain certificates; that would be very difficult to update. The major banks, Facebook, Hotmail, etc, possibly have not made a promise to anyone, that all their

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:51 PM, William Herrin b...@herrin.us wrote: secure cryptosystems. Has the EFF's SSL Observatory project detected even one case of a fake certificate under Etilisat's trust chain since then? it's possible that the observatory won't see these in the wild, if the

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or serious professional level attacks. To be fair though - if I was

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 7:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or

Re: Gmail and SSL

2013-01-02 Thread Jeff Kell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/2/2013 10:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's

Re: Gmail and SSL

2013-01-02 Thread Damian Menscher
On Wed, Jan 2, 2013 at 7:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said: Aurora compromised at least 20 other companies, failed at its assumed objective of seeing user data, and Google was the only organization to notice, let alone have the guts to expose the attack [0]. And you're going to hold that

Fw: Gmail and SSL

2013-01-02 Thread Michael Painter
Michael Painter wrote: Damian Menscher wrote: [Full disclosure: I work at Google, though the opinions stated below are mine alone.] snip Good luck finding another provider that enables SSL by default [1], offers 2-factor authentication [2], warns you when you're being targeted by

Re: Gmail and SSL

2013-01-02 Thread Damian Menscher
On Wed, Jan 2, 2013 at 8:52 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said: Aurora compromised at least 20 other companies, failed at its assumed objective of seeing user data, and Google was the only organization to notice, let alone have the

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 21:14:31 -0800, Damian Menscher said: We're off-topic, but that decision needs to be weighed against the alternatives. If your alternative is running your own mailserver at home, then your risks are: Let's face it - if a nation-state has you in the crosshairs, digital or