The Big Name consipracy - and SSL certs
So I decided to setup SSL on my Apache server. After looking around for ages, it seems that the answer to SSL Certs is that I need to buy one. There doesn't seem to be any CA out there who will provide free certs that are accepted by most browsers.
So, this brings me into one of my favorite diatribes. The "Big Name" Conspiracy, as I like to call it. Many many years ago, leading computer researchers began to connect their systems into a worldwide (or at least nationwide) network. The admin of each machine was trusted. There was a hosts.txt file distributed. Then computers came to the home, and with them, serial modems and connectivity. In the brief time before the 'net turned into a wasteland, it was free. Free as in if you had a phone line, the hardware, and the knowledge, you could setup your own BBS or other server. Skip forward to 2007. I pay exorbitant rates (well, about $40/month) for a residential fiber-optic connection. A few people I know can't view my web site. Why? Because Verizon, my ISP, blocks incoming traffic on port 80 so that I can't run a server. And they won't give me a static IP, so I can't run a server. Thankfully, the folks at DynDNS.org are fighting for us, and they give me free DNS, which I can even forward my domain name to. To get around Verizon, I forward HTTP traffic to a high-number unused port. Well, what do you know, a number of corporate Internet filters block all web traffic going to ports other than the defaults. I wanted to send mail from a Linux machine. So, I configured Postfix and sent mail. Worked perfectly to a few addresses, but AOL, Verizon, Hotmail, Gmail, big companies - forget it. Rejected. Why? Because I have a dynamic IP, and my domain name doesn't reverse-validate, so I must not be a legitimate user. There's no way around it. Try sending mail from you@yourdomain.dyndns.org - I have yet to find a mailserver that will accept it. What happened to the community environment of the 'net? Yes, I know, it's all in the name of "bettering" the 'net, reducing spam, etc. But I have yet to find anyone who will whitelist my dynamic IP. Maybe I'm just obtuse. Or angry. But it seems to me that there is a "conspiracy", perhaps unspoken, among the Big Names out there to centralize the Internet, to prevent people from participating. I know I'm not the only person who has noticed this. While there are many people and companies out there valiantly fighting for freedom on the Internet, it seems that the majority of big companies, ISPs, hosting providers, etc. want the 'net to be a one-way medium: content is provided by those who can pay for leased lines and IP blocks, and everyone else looks at it. Running a group of servers - web, SMTP, IMAP, etc. - on a dynamic IP, I am acutely aware of exactly how much modern Internet technology relies on the fact that anyone who's providing the content has a static IP - and can pay the cost associated with it. Getting back to the SSL cert, why isn't there a reputable authority who provides free certificates? I have unlimited free long distance calls, I would be more than willing to call the DNS contact number for every applicant to validate. And why hasn't anyone developed a method of making a dynamic IP "look" static to the rest of the world - surely IANA should set aside a massive block of IPv6 for this, if not IPv4. |
Internet access has never been so cheap and fast that it is now.
There is a shortage of IP addresses, so everyone cannot be given a fixed IP. IPv6 should fix that. Your ISP blocking incoming ports is really a problem with your ISP, most(?) people do not have that issue. Internet traffic is spoiled with spam, there is nothing that can distinguish your mail server to a would be spammer one, so everyone is blocking unvalidated access, and there is no doubt you will do it too should your mail server would be connected. You can be you own CA, or create self-signed certificates. Of course visitors will be annoyed by a warning window but that's the price to pay for free stuff ... |
A few interesting follow-up questions to ponder on while humming the theme music from X-files or twilight zone:
IPv6 should potentially provide: - Enough address space so that ordinary user could run whatever services they want - better security for end users Why is IPv6 being so slowly adopted, given the above? Why is strong encryption and Internet anonymity considered dangerous (in some places illegal)? Who does potentially more harm to end users: spammers or virusmakers/hackers? Which of these are cracked down upon with more (political) force? Is there a lot of money to be made in either of these groups? In the beginning the Internet was run by sys.admins & researchers, blacklists were introduced for those participants who wouldn't play by the rules and behave. Why doesn't it work like that anymore? |
Quote:
|
Quote:
Quote:
Quote:
Quote:
Quote:
Quote:
|
Quote:
Quote:
Quote:
Quote:
|
Quote:
Quote:
Mine shows Paris. Perhaps may I correct that to "Paris, France" to reduce ambiguity ? Quote:
Quote:
Quote:
Quote:
|
Jantman,
For just over $50 USD per year you can have Godaddy host your content and services. While I respect your desire to do it all yourself...circumstances in the post 9/11 United States no longer allow us to enjoy the freedoms we once had. We have never met you, so how do we know, what sort of content and services you are attempting to provide and to whom. |
Quote:
Heck wasn't the US founded on "Give me Liberty or Give me Death!". Quote:
|
Wait... my web site says that I'm a ham radio operator... that means that I can send messages across vast distances. And I'm a computer programmer, so I could encrypt them... I must be a terrorist.
My internet connection has actual transfer rates of 1.2 Mbps up and 2.0 Mbps down. I have five capable servers, with physical access to all of them. I refuse to pay somebody to host my site for me. And for another $50 a month, I could get a "business class" fiber line with a static IP. I don't have an extra $50/month laying around. "We have never met you, so how do we know, what sort of content and services you are attempting to provide and to whom." What does this have to do with a cert? All the cert says is that the content is coming FROM me. It has nothing to do with whether the content is pornography, banking information, terrorist plots, cooking tips, or in my case, free code. My point is how have we gotten to the point where if you want to use HTTPS without annoying popups, you have to pay money? |
I don't know why you're still ranting about this. I tried to explain to you very precisely why you need to pay for an SSL certificate if you want it to automatically be trusted by most browsers. You're making it out to seem like people can't connect to your site with SSL, when they can--it's only an issue of approving the certificate.
You're also making a few more leaps of logic in this post, since the ability to setup a BBS via your modem was not part of the Internet (or ARPAnet). Only the big universities had access to the original ARPAnet and their students usually had to pay to use accounts on time-share servers that could access the Internet (or their department had to pay for it). In that sense, the orignal Internet was far less open and much more of a tool "only for the elite", since you had to be in acadamia, and at one of the few schools who actually had a connetion to ARPAnet, to even have a chance to connect with other systems. Also, you hit on the notion of "trust" in the original system (which didn't have anything resembling SSL connections, by the way). The problem was that you could only trust the Internet community when it was very small, tight-knit, and focused on productive and helpful things. As soon as the Internet got a wider audience, the community got too big to self-police when it was no longer possibly for everyone with access to know everyone else. See the Morris Worm incident for the first clue that the implicit Trust in the system was faulty. Most of the security problems we have today on the Internet exist because malicious users are on the Internet and it's far too big to ever keep them all off. We still have protocols that were designed back in the relative Stone Age of technology that are easily exploited because they lack trust models (see SMTP). The Internet cannot survive in the modern age with an implicit trust model, because the sheer numbers involved mean a very few individuals can cause an enormous amount of harm to the system as a whole (see the recent DDoS attacks on the root servers, which did manage to make two of them unreachable, despite significant upgrades to their infrastructure since the last such attack). You want an SSL cert? Pay for it, or generate your own and tell your visitors to click "accept permanently". You want a static IP? Move to an ISP that allows them, such as Speakeasy.net, Sonic.net, etc. There are "enthusiast-class" ISPs out there who will give you tons of static IPs, the ability to choose your reverse DNS records, and unrestricted access to any ports (inbound and outbound), but you have to pay a premium for it. Why? Because those ISPs trust that if you are willing to spend that much money for the privileges, you probably have a good reason to have such access and, more importantly, the know-how to configure the services (mostly) properly. There are limits on Free Speech, which are necessary to serve the greater good of all. Similarly there are limits on the Freedom of the Internet, for the good of all. Novice users should not have the same freedom as expert users, because novices hurt themselves and others through their ignorance. I don't mind paying $100/month for my 4 static IPs, high bandwidth, and reverse DNS records (not to mention shell account, web space, and national dial-up) because that means the entry-level $20 DSL and cable accounts are generally locked-down tightly and more difficult to exploit with botnets and worms. I would be willing to pay for rackspace in a co-location rather than allow neophyte Internet users unfettered access on a standard account. P.S. The foundation who distributes browsers should take it upon themselves to find, or start a CA that will sign certificates for free? Why is that their responsibility? That's just a ludicrous statement. It costs a lot of money to run a CA infrastructure, so how are they going to pay for it if they give their certs away for free? Furthermore, just because one free piece of software may include that root CA doesn't mean all the commercial software will. There are hundreds, if not thousands of applications that support SSL. Congrats, you have one that now supports your pet-project CA. If you don't have the time and/or resources (read: a lot of money) to setup a root CA, don't demand that someone else should do it for you, for free, no less. P.P.S. This has nothing to do with 9/11. I'm really tired of people using that as an excuse for any restriction ever invented. P.P.P.S. The extra cost for "business class" connectivity is due to higher bandwidth usually consumed by these connections (most consumers rarely use anything approaching their maximum bandwidth) and the extra risk associated with allowing unrestricted access (compromised hosts cost the ISP money to deal with, and use a lot more bandwidth, which, you guessed it, costs them more money!). There is also extra labor cost on the ISP for doing things like provisioning extra static IPs, performing reverse DNS changes, etc. We're living in a free-market society and they couldn't charge those higher prices if the market didn't bear it. Just because you can't afford it doesn't mean no one can. Businesses are not obligated to provide services to you at a cost which you find appropriate. P.P.P.P.S. IPv6: It won't be any more secure, and it won't mean that everyone gets their own static IPs. Bill Gates is only tauting the "security" of IPv6 because Vista actually has support for it, so that's supposed to be a big "feature" that's worth upgrading from XP for. What a weak marketing stunt. Also, regardless of the fact that there will be enough IPv6 addresses for all, ISPs aren't going to hand them out like candy and keep them static. Why? For the same reason why they filter ports right now: They don't want average consumers to be hosting services, or be easily exploited by botnets and worms. |
Quote:
Quote:
I've never looked into speakeasy or sonic.net. I don't see how that would help. They offer T-class at nearlt $400/month, plus requiring a line from my local telco. Speakeasy offers ADSL at $70/month, with static IP, but I'd still need the TelCo to put in a connection (I don't know if they charge monthly for the line, they probably do) and still have speeds lower than what I'm getting now. Quote:
Quote:
Quote:
|
i pay £13.99 a mounth (Approx $25) for 2048/256 ADSL internet here in the UK where the IP avalabilaty is comparable to the USA without any limits apart form what the ISP considered reasonable (i genrally use about 10G down and 8GB up and i havebt had any complaints yet)
for £1 more a mounth i could have a statiic IP and 512 upload as busness class. so i dont see why there is a problem in the USA with this. also my residential boradband has no blocks on any ports (that i have found yet) |
Quote:
Quote:
Quote:
In addition, zombie machines need to allow access in order to serve up their phishing sites, etc. It's possible to do that over other ports, but it's more difficult, and a lot of corporate sites won't allow traffic outbound to non-standard ports, so it becomes a lot more difficult to execute phishing attacks. It's not perfect security, but it's very effective at stopping some basic problems and it's cheap to implement. Then end result is less traffic across the provider's network and slowing the propagation of worms/viruses. It's also less work for their abuse team in terms of boxes that don't get exploited that would have otherwise. Quote:
Quote:
Quote:
If you do not like corporations being allowed to set their own prices and allow market forces to determine where the fair market price is, perhaps you would like to move to Venezuela? I hear that government-regulated price-controls are working out great for them! |
You make a few good points, but I still disagree with some.
Let's assume that we put a bandwidth cap on the static IP line. The ONLY additional cost to Verizon would be whatever additional setup is needed for static IP as opposed to dynamic. This CAN'T be $40/month. I'm not saying that IPSs can change your OS. I'm just saying that with most residential Windows desktops, there are already SO many possible exploits and security issues with just running Windows and IE. To get rid of the neophyte user issue, and cost, it seems reasonable to me to charge a $15/month fee and have a clear and strict contract on what is acceptable in terms of traffic levels, etc. It would allow static IP, but put a cap on traffic, and also hopefully discourage most people who don't know what they're doing. As to Mozilla, I was speaking of how hard it is to get a root cert included in their browser, and the fact that no (or at most one) free CA's have accomplished it. So security is the main cost in establishing a CA? Where's all the cost? Man-in-the-middle attacks are pretty difficult on fiber, so you have a fiber line running in to your server room, and put a lock on the door. If the servers are kept in an office where only 1-2 people have physical security, I don't see the big issue. I'm not talking about a large company, I'm talking about a private effort between a few of us open-source people. My point is that with all of the things that have been done on the Internet for the good of the community - every open source project ever - I'm surprised that there hasn't been a team who was willing to setup a CA and offer certs for free. |
All times are GMT -5. The time now is 06:52 PM. |