Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security, in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP does carry with it a lot of extra bandwidth usage, and while maintaining a time-limited local cache, referred to as stapling, would ameliorate this, your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution: maintaining a list of revoked certificates, ironically called OneCRL, which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration or to familiarize yourself with these concepts if the acronyms are unfamiliar.

"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

AT&T is late to the gigabit game, but you can pay them for "privacy"

Subject: General Tech | February 18, 2015 - 01:06 PM |
Tagged: irony, Privacy, google, gigabit broadband, AT&T

Kansas City got Google Fiber back in 2012 and, not surprisingly, a lot of users jumped to this ~$70 service from their current ISPs the moment they could. Two of the incumbent ISPs suddenly came to the realization that there was demand for broadband at this speed and turned on some of their already laid and configured fiber connections so they could start to offer actual broadband. Now, several years later, AT&T has discovered that it would need to do the same to be able to attract customers in that market. The fiber has lain dormant for quite some time, as most ISPs have argued that there was no demand for that level of connectivity; at least until Google offered it and customers left them in droves, proving that the demand had always been there.

From The Register we hear that AT&T now offers a 1Gbps connection for $70; an additional $50 will get you TV, and you can even bundle home service into the deal if you wish. For an additional $29 per month AT&T also offers not to log everything you do on the web over their connection, something which Google does not offer. This makes for an interesting discussion, as most surfers no longer blink at Google the search engine tracking what they do online, but what about Google the ISP; does that create a different gut reaction? Then again, considering AT&T's loose definition of unlimited, what do they mean by privacy or even gigabit for that matter?

"'We've moved quickly to bring more competition to the Kansas City area for blazing-fast Internet speeds and best-in-class television service,' said John Sondag, president of AT&T Missouri, without apparent irony."

Source: The Register

IE10; so nasty we know to block it before it even launches?

Subject: General Tech | February 1, 2013 - 01:00 PM |
Tagged: irony, microsoft, IE10, blocker toolkit

It could only have been an unintentional slip that the verification that IE10 for Win7 is coming down the pipe came in the form of a tool released to block its installation. The Internet Explorer 10 Blocker Toolkit will prevent Windows Update from installing IE10 automatically, which would signal a change from Microsoft's usual way of introducing a browser. Remember Beauty of the Web, the site used to distribute new Internet Explorer versions before they arrived as an automatic update? The blocker toolkit is nothing new; most versions of IE which did not come with the OS coexisted with a toolkit to allow sysadmins to prevent updates to the new browser before they could test it fully. We've been waiting about 9 months now for IE10 on Win7, and from what The Register and other sites say it will be worth upgrading when it arrives ... someday.

"Microsoft has dropped a strong hint that the long-awaited version of Internet Explorer 10 for Windows 7 might actually ship soon – ironically, by releasing a tool that blocks installation of the browser on users' PCs."

Source: The Register