LinuxQuestions.org

General > The Big Name conspiracy - and SSL certs (https://www.linuxquestions.org/questions/general-10/the-big-name-consipracy-and-ssl-certs-525982/)

jantman 02-06-2007 01:42 AM

The Big Name conspiracy - and SSL certs
 
So I decided to set up SSL on my Apache server. After looking around for ages, it seems that the answer to SSL certs is that I need to buy one. There doesn't seem to be any CA out there who will provide free certs that are accepted by most browsers.

So, this brings me into one of my favorite diatribes. The "Big Name" Conspiracy, as I like to call it.

Many, many years ago, leading computer researchers began to connect their systems into a worldwide (or at least nationwide) network. The admin of each machine was trusted. There was a hosts.txt file distributed. Then computers came to the home, and with them, serial modems and connectivity. In the brief time before the 'net turned into a wasteland, it was free. Free as in if you had a phone line, the hardware, and the knowledge, you could set up your own BBS or other server.

Skip forward to 2007. I pay exorbitant rates (well, about $40/month) for a residential fiber-optic connection. A few people I know can't view my web site. Why? Because Verizon, my ISP, blocks incoming traffic on port 80 so that I can't run a server. And they won't give me a static IP, so I can't run a server. Thankfully, the folks at DynDNS.org are fighting for us, and they give me free DNS, which I can even forward my domain name to. To get around Verizon, I forward HTTP traffic to a high-number unused port. Well, what do you know, a number of corporate Internet filters block all web traffic going to ports other than the defaults.

I wanted to send mail from a Linux machine. So, I configured Postfix and sent mail. Worked perfectly to a few addresses, but AOL, Verizon, Hotmail, Gmail, big companies - forget it. Rejected. Why? Because I have a dynamic IP, and my domain name doesn't reverse-validate, so I must not be a legitimate user. There's no way around it. Try sending mail from you@yourdomain.dyndns.org - I have yet to find a mailserver that will accept it.

What happened to the community environment of the 'net? Yes, I know, it's all in the name of "bettering" the 'net, reducing spam, etc. But I have yet to find anyone who will whitelist my dynamic IP.

Maybe I'm just obtuse. Or angry. But it seems to me that there is a "conspiracy", perhaps unspoken, among the Big Names out there to centralize the Internet, to prevent people from participating.

I know I'm not the only person who has noticed this. While there are many people and companies out there valiantly fighting for freedom on the Internet, it seems that the majority of big companies, ISPs, hosting providers, etc. want the 'net to be a one-way medium: content is provided by those who can pay for leased lines and IP blocks, and everyone else looks at it.

Running a group of servers - web, SMTP, IMAP, etc. - on a dynamic IP, I am acutely aware of exactly how much modern Internet technology relies on the fact that anyone who's providing the content has a static IP - and can pay the cost associated with it.

Getting back to the SSL cert, why isn't there a reputable authority who provides free certificates? I have unlimited free long distance calls, I would be more than willing to call the DNS contact number for every applicant to validate.

And why hasn't anyone developed a method of making a dynamic IP "look" static to the rest of the world - surely IANA should set aside a massive block of IPv6 for this, if not IPv4.

jlliagre 02-06-2007 02:52 AM

Internet access has never been as cheap and fast as it is now.

There is a shortage of IP addresses, so everyone cannot be given a fixed IP. IPv6 should fix that.

Your ISP blocking incoming ports is really a problem with your ISP, most(?) people do not have that issue.

Internet traffic is spoiled with spam; there is nothing that can distinguish your mail server from a would-be spammer's, so everyone is blocking unvalidated access, and there is no doubt you would do it too should your mail server be connected.

You can be your own CA, or create self-signed certificates. Of course visitors will be annoyed by a warning window, but that's the price to pay for free stuff ...
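What "being your own CA" amounts to in practice, as an added example that is not from this thread or any poster: a private root is created with openssl, it signs a server certificate, and the same verification a browser performs is run once with the root in the trust store and once without it (the second case is the warning window). The CA name and the hostname www.example.dyndns.org are made up.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA with openssl, a server
# certificate it signs, and the trust check a client runs against it.
# Names and hostnames are constructed; the temp dir is left for inspection.
set -e
WORK=$(mktemp -d)
HOST=www.example.dyndns.org

# 1. The private CA: a key and a self-signed root. Anyone who imports ca.crt
#    trusts everything this key signs, so the key belongs offline.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Home CA (example)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The web server's key and a signing request for the name visitors type.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the request. Clients match the hostname against the
#    subjectAltName extension, so it must be present, not just the CN.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
  > "$WORK/san.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
  -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null

# Does server.crt chain to the trust store in $1 and carry hostname $2?
# This is the check a browser performs; a failure is the warning window.
cert_trusted_by() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/server.crt" \
    >/dev/null 2>&1
}

# SHA-256 fingerprint a visitor can compare out of band before "accepting".
cert_fingerprint() {
  openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# An unrelated CA stands in for a browser that has never seen our root.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

if cert_trusted_by "$WORK/ca.crt" "$HOST"; then
  echo "trusted once ca.crt is imported; fingerprint $(cert_fingerprint)"
fi
if ! cert_trusted_by "$WORK/other.crt" "$HOST"; then
  echo "not trusted by a client without ca.crt: this is the browser warning"
fi
if ! cert_trusted_by "$WORK/ca.crt" "other.example.org"; then
  echo "even with ca.crt, a different hostname is rejected"
fi
```

server.crt and server.key are what Apache's mod_ssl takes as SSLCertificateFile and SSLCertificateKeyFile; the fingerprint is what you would publish for visitors who are asked to accept the certificate permanently.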

drkdick 02-06-2007 06:17 AM

A few interesting follow-up questions to ponder on while humming the theme music from X-files or twilight zone:

IPv6 should potentially provide:
- Enough address space so that ordinary users could run whatever services they want
- better security for end users

Why is IPv6 being so slowly adopted, given the above?

Why is strong encryption and Internet anonymity considered dangerous (in some places illegal)?

Who does potentially more harm to end users: spammers or virusmakers/hackers?

Which of these are cracked down upon with more (political) force?

Is there a lot of money to be made in either of these groups?

In the beginning the Internet was run by sys.admins & researchers, blacklists were introduced for those participants who wouldn't play by the rules and behave. Why doesn't it work like that anymore?

Crito 02-06-2007 06:32 AM

Quote:

Originally Posted by drkdick
Why doesn't it work like that anymore?

Politicians and lawyers got involved.

jlliagre 02-06-2007 06:13 PM

Quote:

Originally Posted by drkdick
IPv6 should potentially provide:
- Enough address space so that ordinary user could run whatever services they want
- better security for end users

Why is IPv6 being so slowly adopted, given the above?

Because most of the Internet works fine with IPv4, at least in regions with no IP address shortage. The migration has a cost: the ISPs are migrating very reluctantly.
Quote:

Why is strong encryption and Internet anonymity considered dangerous (in some places illegal)?
Because some three-letter gov. agencies love to peep at the traffic, sometimes with valid reasons.
Quote:

Who does potentially more harm to end users: spammers or virusmakers/hackers?
I don't remember having been harmed by a virus. I'm sent hundreds of spams every day.
Quote:

Which of these are cracked down upon with more (political) force?
I don't know.
Quote:

Is there a lot of money to be made in either of these groups?
Sure, and it is made. A whole industry has been created.
Quote:

In the beginning the Internet was run by sys.admins & researchers, blacklists were introduced for those participants who wouldn't play by the rules and behave. Why doesn't it work like that anymore?
Because blacklisting doesn't work. You can blacklist machines, not people.

jantman 02-07-2007 11:32 AM

Quote:

Originally Posted by jlliagre
There is a shortage of IP addresses, so everyone cannot be given a fixed IP. IPv6 should fix that.

The lease time on my "dynamic" IP (PPPoE) is usually in the days to weeks. It rarely changes. I have FiOS, which is always connected via a fiber node, so it's not like dial-up when IPs are freed when people disconnect. The same number of IPs are in use, they just want to restrict people from running servers. Why? Because that needs "business class" FiOS, for 100% more a month.


Quote:

Originally Posted by jlliagre
Your ISP blocking incoming ports is really a problem with your ISP, most(?) people do not have that issue.

I don't know where you're from or what ISP you use, but I'm in NJ, USA. I've tried every high-bandwidth ISP out there (Verizon DSL, Verizon FiOS, Optimum Online, etc.) and they ALL block *at least* ports 80 and 25 incoming. They're selling "residential" service, but say in their TOS that you can't run a "server". I know it's just a profit-generating scheme, but it doesn't seem too true to the Internet.

Quote:

Originally Posted by jlliagre
Internet traffic is spoiled with spam, there is nothing that can distinguish your mail server to a would be spammer one, so everyone is blocking unvalidated access, and there is no doubt you will do it too should your mail server would be connected.

"unvalidated access"? No, they're saying that if you have lots of money like us you can use email, and if not, you're screwed. If I try to send email directly to the recipient's domain, without relaying through my ISP's server, it's bounced back. This is, literally, Internet postage.

Quote:

Originally Posted by jlliagre
You can be you own CA, or create self-signed certificates. Of course visitors will be annoyed by a warning window but that's the price to pay for free stuff ...

Once again... "that's the price to pay for free stuff"... this logic is so horribly flawed for the Internet. Now, I understand that the whole concept of certificates would be moot if *anyone* could be a CA and be trusted. And I understand that the browsers have to have some weird pop-up windows with colors of whatever because people are too dumb to look and see if the cert is from who it should be. But if all of the browsers (especially Mozilla) want to include only certain chains, then they should have taken steps to assure that there's a CA out there who will verify and issue for free.

jlliagre 02-07-2007 12:19 PM

Quote:

Originally Posted by jantman
The lease time on my "dynamic" IP (PPPoE) is usually in the days to weeks. It rarely changes. I have FiOS, which is always connected via a fiber node, so it's not like dial-up when IPs are freed when people disconnect. The same number of IPs are in use, they just want to restrict people from running servers. Why? Because that needs "business class" FiOS, for 100% more a month.

You are living in a region which doesn't have an IP address shortage issue; that's not the case in Asia, where they already do tricky NATting things to provide Internet access to end users.

Quote:

I don't know where you're from or what ISP you use, but I'm in NJ, USA.
I can see that in your profile.
Mine shows Paris.
Perhaps I should correct that to "Paris, France" to reduce ambiguity?
Quote:

I've tried every high-bandwidth ISP out there (Verizon DSL, Verizon FiOS, Optimum Online, etc.) and they ALL block *at least* ports 80 and 25 incoming. They're selling "residential" service, but say in their TOS that you can't run a "server". I know it's just a profit-generating scheme, but it doesn't seem too true to the Internet.
I'm using "free" as my ISP, no incoming port is blocked.

Quote:

"unvalidated access"? No, they're saying that if you have lots of money like us you can use email, and if not, you're screwed. If I try to send email directly to the recipient's domain, without relaying through my ISP's server, it's bounced back. This is, literally, Internet postage.
It is just reverse resolution filtering.

Quote:

Once again... "that's the price to pay for free stuff"... this logic is so horribly flawed for the Internet.
Why ?
Quote:

Now, I understand that the whole concept of certificates would be moot if *anyone* could be a CA and be trusted. And I understand that the browsers have to have some weird pop-up windows with colors of whatever because people are too dumb to look and see if the cert is from who it should be. But if all of the browsers (especially Mozilla) want to include only certain chains, then they should have taken steps to assure that there's a CA out there who will verify and issue for free.
There are no CAs doing that. Someone has to pay for non-virtual free stuff.
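The "reverse resolution filtering" named above, and the rejections of mail from a dynamic IP described in the opening post, come down to a few DNS checks on the connecting client. As an added example that is not from this thread, the script below runs those checks offline against constructed PTR and A answers (the IPs, ISP pool name and me.dyndns.example.org are all made up); the Postfix option names in the comments are the real restrictions that implement the first two checks.

```shell
#!/bin/sh
# Added example, not from the thread: the reverse-DNS tests a receiving mail
# server applies to a connecting client. The DNS answers are constructed
# stand-ins for real PTR/A lookups so the script runs offline.

# Constructed PTR answers (IP -> name); empty output means no PTR record.
ptr_lookup() {
  case "$1" in
    203.0.113.45) echo "pool-203-0-113-45.fios.example-isp.net" ;;  # ISP dynamic pool
    198.51.100.7) echo "mail.example.org" ;;                         # owner-set rDNS
    192.0.2.10)   echo "mail.example.org" ;;                         # PTR claims a name it does not own
    *)            echo "" ;;
  esac
}

# Constructed A answers (name -> space-separated IPs).
a_lookup() {
  case "$1" in
    pool-203-0-113-45.fios.example-isp.net) echo "203.0.113.45" ;;
    mail.example.org)                        echo "198.51.100.7" ;;
    me.dyndns.example.org)                   echo "203.0.113.45" ;;  # hobbyist name on the dynamic IP
    *)                                       echo "" ;;
  esac
}

# Does name $1 resolve to IP $2?
resolves_to() {
  for addr in $(a_lookup "$1"); do
    [ "$addr" = "$2" ] && return 0
  done
  return 1
}

# Constructed heuristic for ISP pool names; real MTAs use DNSBL/PBL data.
looks_generic() {
  echo "$1" | grep -Eq '(^|[.-])(pool|dyn|dhcp|dsl|cable|fios)[.-]|[0-9]+[.-][0-9]+[.-][0-9]+[.-][0-9]+'
}

# check_client IP HELO -> prints one verdict word (Postfix restriction in brackets):
#   no_ptr         no PTR record                      [reject_unknown_reverse_client_hostname]
#   mismatch       PTR name does not resolve back to IP [reject_unknown_client_hostname]
#   helo_mismatch  HELO name does not resolve to IP
#   generic        FCrDNS passes but the PTR looks like a dynamic pool
#   ok             all checks pass
check_client() {
  ip=$1; helo=$2
  name=$(ptr_lookup "$ip")
  if [ -z "$name" ]; then echo no_ptr; return; fi
  if ! resolves_to "$name" "$ip"; then echo mismatch; return; fi
  if ! resolves_to "$helo" "$ip"; then echo helo_mismatch; return; fi
  if looks_generic "$name"; then echo generic; return; fi
  echo ok
}

# The dynamic-IP case: the hobbyist's name resolves to the IP, but the PTR
# belongs to the ISP's pool, so the client is still treated as suspect.
for entry in "203.0.113.45 me.dyndns.example.org" "198.51.100.7 mail.example.org" \
             "192.0.2.9 anything.example" "192.0.2.10 mail.example.org"; do
  set -- $entry
  printf '%-14s HELO %-24s -> %s\n' "$1" "$2" "$(check_client "$1" "$2")"
done
```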

thorn168 02-07-2007 01:10 PM

Jantman,

For just over $50 USD per year you can have GoDaddy host your content and services.

While I respect your desire to do it all yourself...circumstances in the post 9/11 United States no longer allow us to enjoy the freedoms we once had.

We have never met you, so how do we know what sort of content and services you are attempting to provide and to whom?

Tortanick 02-08-2007 04:26 AM

Quote:

Originally Posted by thorn168
While I respect your desire to do it all yourself...circumstances in the post 9/11 United States no longer allow us to enjoy the freedoms we once had.

That's just plain ridiculous; the world is no more dangerous than it was before 9/11. There have been, what, 3 terrorist attacks in the western world since then: 9/11, one in Spain and another in England. That is hardly a big enough threat to remove everyone's freedom.

Heck wasn't the US founded on "Give me Liberty or Give me Death!".

Quote:

Originally Posted by thorn168
We have never met you, so how do we know, what sort of content and services you are attempting to provide and to whom.

Please, you don't actually believe any terrorist threat, or indeed criminal, will host anything AT HOME!?!?

jantman 02-08-2007 01:26 PM

Wait... my web site says that I'm a ham radio operator... that means that I can send messages across vast distances. And I'm a computer programmer, so I could encrypt them... I must be a terrorist.

My internet connection has actual transfer rates of 1.2 Mbps up and 2.0 Mbps down. I have five capable servers, with physical access to all of them. I refuse to pay somebody to host my site for me. And for another $50 a month, I could get a "business class" fiber line with a static IP. I don't have an extra $50/month laying around.

"We have never met you, so how do we know, what sort of content and services you are attempting to provide and to whom."
What does this have to do with a cert? All the cert says is that the content is coming FROM me. It has nothing to do with whether the content is pornography, banking information, terrorist plots, cooking tips, or in my case, free code.

My point is how have we gotten to the point where if you want to use HTTPS without annoying popups, you have to pay money?

chort 02-09-2007 02:05 AM

I don't know why you're still ranting about this. I tried to explain to you very precisely why you need to pay for an SSL certificate if you want it to automatically be trusted by most browsers. You're making it out to seem like people can't connect to your site with SSL, when they can--it's only an issue of approving the certificate.

You're also making a few more leaps of logic in this post, since the ability to set up a BBS via your modem was not part of the Internet (or ARPAnet). Only the big universities had access to the original ARPAnet, and their students usually had to pay to use accounts on time-share servers that could access the Internet (or their department had to pay for it). In that sense, the original Internet was far less open and much more of a tool "only for the elite", since you had to be in academia, and at one of the few schools who actually had a connection to ARPAnet, to even have a chance to connect with other systems.

Also, you hit on the notion of "trust" in the original system (which didn't have anything resembling SSL connections, by the way). The problem was that you could only trust the Internet community when it was very small, tight-knit, and focused on productive and helpful things. As soon as the Internet got a wider audience, the community got too big to self-police, when it was no longer possible for everyone with access to know everyone else. See the Morris Worm incident for the first clue that the implicit Trust in the system was faulty.

Most of the security problems we have today on the Internet exist because malicious users are on the Internet and it's far too big to ever keep them all off. We still have protocols that were designed back in the relative Stone Age of technology that are easily exploited because they lack trust models (see SMTP). The Internet cannot survive in the modern age with an implicit trust model, because the sheer numbers involved mean a very few individuals can cause an enormous amount of harm to the system as a whole (see the recent DDoS attacks on the root servers, which did manage to make two of them unreachable, despite significant upgrades to their infrastructure since the last such attack).

You want an SSL cert? Pay for it, or generate your own and tell your visitors to click "accept permanently". You want a static IP? Move to an ISP that allows them, such as Speakeasy.net, Sonic.net, etc. There are "enthusiast-class" ISPs out there who will give you tons of static IPs, the ability to choose your reverse DNS records, and unrestricted access to any ports (inbound and outbound), but you have to pay a premium for it. Why? Because those ISPs trust that if you are willing to spend that much money for the privileges, you probably have a good reason to have such access and, more importantly, the know-how to configure the services (mostly) properly.

There are limits on Free Speech, which are necessary to serve the greater good of all. Similarly there are limits on the Freedom of the Internet, for the good of all. Novice users should not have the same freedom as expert users, because novices hurt themselves and others through their ignorance. I don't mind paying $100/month for my 4 static IPs, high bandwidth, and reverse DNS records (not to mention shell account, web space, and national dial-up) because that means the entry-level $20 DSL and cable accounts are generally locked-down tightly and more difficult to exploit with botnets and worms. I would be willing to pay for rackspace in a co-location rather than allow neophyte Internet users unfettered access on a standard account.

P.S. The foundation who distributes browsers should take it upon themselves to find, or start, a CA that will sign certificates for free? Why is that their responsibility? That's just a ludicrous statement. It costs a lot of money to run a CA infrastructure, so how are they going to pay for it if they give their certs away for free? Furthermore, just because one free piece of software may include that root CA doesn't mean all the commercial software will. There are hundreds, if not thousands, of applications that support SSL. Congrats, you have one that now supports your pet-project CA. If you don't have the time and/or resources (read: a lot of money) to set up a root CA, don't demand that someone else should do it for you, for free, no less.

P.P.S. This has nothing to do with 9/11. I'm really tired of people using that as an excuse for any restriction ever invented.

P.P.P.S. The extra cost for "business class" connectivity is due to higher bandwidth usually consumed by these connections (most consumers rarely use anything approaching their maximum bandwidth) and the extra risk associated with allowing unrestricted access (compromised hosts cost the ISP money to deal with, and use a lot more bandwidth, which, you guessed it, costs them more money!). There is also extra labor cost on the ISP for doing things like provisioning extra static IPs, performing reverse DNS changes, etc. We're living in a free-market society and they couldn't charge those higher prices if the market didn't bear it. Just because you can't afford it doesn't mean no one can. Businesses are not obligated to provide services to you at a cost which you find appropriate.

P.P.P.P.S. IPv6: It won't be any more secure, and it won't mean that everyone gets their own static IPs. Bill Gates is only touting the "security" of IPv6 because Vista actually has support for it, so that's supposed to be a big "feature" that's worth upgrading from XP for. What a weak marketing stunt. Also, regardless of the fact that there will be enough IPv6 addresses for all, ISPs aren't going to hand them out like candy and keep them static. Why? For the same reason why they filter ports right now: They don't want average consumers to be hosting services, or be easily exploited by botnets and worms.

jantman 02-11-2007 09:43 PM

Quote:

Originally Posted by chort
I tried to explain to you very precisely why you need to pay for an SSL certificate if you want it to automatically be trusted by most browsers.

I still don't understand this concept. I don't understand why trust==money. I don't see how, realistically, you can't establish someone's identity without their credit card number. When I got my driver's license I paid cash. They still believed I am who I said I am. Are you saying that trust can't be established without payment, or that it's too expensive to run a root CA without charging? I take issue with both concepts.

Quote:

Originally Posted by chort
You want a static IP? Move to an ISP that allows them, such as Speakeasy.net, Sonic.net, etc. [...]
I don't mind paying $100/month for my 4 static IPs, high bandwidth, and reverse DNS records (not to mention shell account, web space, and national dial-up)

I want a static IP with the same transfer and bandwidth limits that my account has now. That's not going to cost Verizon any more. And in terms of cost, I'm a student. My total income is around $500/month. I can't afford the $100 for a static IP, and I don't see a legitimate reason why Verizon HAS to charge that amount - the $100/month plan actually has LOWER transfer speeds than what I have now. Furthermore, I don't see any reason why they should block port 80 for residential access - other than trying to force people into a more expensive plan.

I've never looked into Speakeasy or Sonic.net. I don't see how that would help. They offer T-class at nearly $400/month, plus requiring a line from my local telco. Speakeasy offers ADSL at $70/month, with static IP, but I'd still need the telco to put in a connection (I don't know if they charge monthly for the line, they probably do) and still have speeds lower than what I'm getting now.

Quote:

Originally Posted by chort
I would be willing to pay for rackspace in a co-location rather than allow neophyte Internet users unfettered access on a standard account.

I don't consider myself a neophyte. Why do I get grouped together with Joe Schmoe running Vista on one desktop? If they wanted to secure the Internet, the first step would be getting rid of Windoze. On a technical standpoint, blocking ONLY incoming on ports 80 and 25 doesn't do a hell of a lot to "secure the internet".

Quote:

Originally Posted by chort
P.S. The foundation who distributes browsers should take it upon themselves to find, or start, a CA that will sign certificates for free? Why is that their responsibility? That's just a ludicrous statement. It costs a lot of money to run a CA infrastructure, so how are they going to pay for it if they give their certs away for free? Furthermore, just because one free piece of software may include that root CA doesn't mean all the commercial software will. There are hundreds, if not thousands, of applications that support SSL. Congrats, you have one that now supports your pet-project CA. If you don't have the time and/or resources (read: a lot of money) to set up a root CA, don't demand that someone else should do it for you, for free, no less.

I think it's against the objectives of Mozilla to only recognize certs from high-charging entities. How much does it cost to run a CA infrastructure? Maybe there's some big part I'm missing, but it seems to me that you need some servers and ancillary equipment and connectivity. As to software support, I'd be happy if Firefox and Thunderbird supported it. I don't care much about IE, or anything else that's not open-source.


Quote:

Originally Posted by chort
P.P.P.S. The extra cost for "business class" connectivity is due to higher bandwidth usually consumed by these connections (most consumers rarely use anything approaching their maximum bandwidth) and the extra risk associated with allowing unrestricted access (compromised hosts cost the ISP money to deal with, and use a lot more bandwidth, which, you guessed it, costs them more money!). There is also extra labor cost on the ISP for doing things like provisioning extra static IPs, performing reverse DNS changes, etc. We're living in a free-market society and they couldn't charge those higher prices if the market didn't bear it. Just because you can't afford it doesn't mean no one can. Businesses are not obligated to provide services to you at a cost which you find appropriate.

Bandwidth limits have nothing to do with whether the IP is static or dynamic. Verizon's Business DSL connections run at a fraction of the bandwidth I get on my residential fiber. Will the market bear it? Apparently. But I don't see any reason other than greed why the cost has to be so much higher.

dasy2k1 02-12-2007 09:41 AM

I pay £13.99 a month (approx. $25) for 2048/256 ADSL internet here in the UK, where the IP availability is comparable to the USA, without any limits apart from what the ISP considers reasonable (I generally use about 10GB down and 8GB up and I haven't had any complaints yet).

For £1 more a month I could have a static IP and 512 upload as business class.

So I don't see why there is a problem in the USA with this.

Also my residential broadband has no blocks on any ports (that I have found yet).

chort 02-12-2007 12:23 PM

Quote:

Originally Posted by jantman
I don't consider myself a neophyte. Why do I get grouped together with Joe Schmoe running Vista on one desktop?

Because it costs more to provide the kind of access that you want. They also don't have any kind of screening to determine if you cause them a high security risk or not to even know if they could trust you. If they did, the screening would cost money.

Quote:

If they wanted to secure the Internet, the first step would be getting rid of Windoze.
So the ISPs can just switch everyone from Windows to another OS, migrate all the applications, all the data, all the settings? Please be reasonable.

Quote:

On a technical standpoint, blocking ONLY incoming on ports 80 and 25 doesn't do a hell of a lot to "secure the internet".
Yes it does. Neophyte users aren't able to run highly insecure services with the default values. There are quite a few people who might download a program and run it if they thought it would let them "make a web page" on their computer, but most of them wouldn't understand how to configure it. Also, a lot of OSs used to turn these services on by default with no security (Win2K, many old releases of Linux OSs). These boxes are easy to exploit and the user has no idea the services are running.

In addition, zombie machines need to allow access in order to serve up their phishing sites, etc. It's possible to do that over other ports, but it's more difficult, and a lot of corporate sites won't allow traffic outbound to non-standard ports, so it becomes a lot more difficult to execute phishing attacks.

It's not perfect security, but it's very effective at stopping some basic problems and it's cheap to implement. The end result is less traffic across the provider's network and slowing the propagation of worms/viruses. It's also less work for their abuse team in terms of boxes that don't get exploited that would have otherwise.

Quote:

I think it's against the objectives of Mozilla to only recognize certs from high-charging entities.
I believe you're mistaken. Have a look at About Mozilla and follow some of the links on the page. It doesn't mention any philosophy against commercial products or charging for services.

Quote:

How much does it cost to run a CA infrastructure? Maybe there's some big part I'm missing, but it seems to me that you need some servers and ancillary equipment and connectivity.
You're just now realizing this? It's the point I've been trying to make all along and it is what you're missing. It's not just the servers and bandwidth, but mostly providing security for the entire thing (mainly physical security, not digital).

Quote:

Bandwidth limits have nothing to do with whether the IP is static or dynamic. Verizon's Business DSL connections run at a fraction of the bandwidth I get on my residential fiber. Will the market bear it? Apparently. But I don't see any reason other than greed why the cost has to be so much higher.
It costs more to statically assign IPs than it does to just let DHCP sort it out, and it also costs them more in bandwidth if people run servers on their static IPs and get a lot of traffic, whereas it's much more difficult to run servers on dynamic IPs, so the end result is few people do it and less bandwidth is used. Do not confuse maximum burstable bandwidth with sustained bandwidth. What providers care about most is overall bandwidth consumed per month, not what your maximum potential bandwidth is at one time.

If you do not like corporations being allowed to set their own prices and allow market forces to determine where the fair market price is, perhaps you would like to move to Venezuela? I hear that government-regulated price-controls are working out great for them!

jantman 02-15-2007 01:14 PM

You make a few good points, but I still disagree with some.

Let's assume that we put a bandwidth cap on the static IP line. The ONLY additional cost to Verizon would be whatever additional setup is needed for static IP as opposed to dynamic. This CAN'T be $40/month.

I'm not saying that ISPs can change your OS. I'm just saying that with most residential Windows desktops, there are already SO many possible exploits and security issues with just running Windows and IE.

To get rid of the neophyte user issue, and cost, it seems reasonable to me to charge a $15/month fee and have a clear and strict contract on what is acceptable in terms of traffic levels, etc. It would allow static IP, but put a cap on traffic, and also hopefully discourage most people who don't know what they're doing.

As to Mozilla, I was speaking of how hard it is to get a root cert included in their browser, and the fact that no (or at most one) free CAs have accomplished it.

So security is the main cost in establishing a CA? Where's all the cost? Man-in-the-middle attacks are pretty difficult on fiber, so you have a fiber line running in to your server room, and put a lock on the door. If the servers are kept in an office where only 1-2 people have physical security, I don't see the big issue. I'm not talking about a large company, I'm talking about a private effort between a few of us open-source people.

My point is that with all of the things that have been done on the Internet for the good of the community - every open source project ever - I'm surprised that there hasn't been a team who was willing to set up a CA and offer certs for free.


All times are GMT -5.