**** BEGIN LOGGING AT Wed Oct 24 03:00:00 2018
Oct 24 05:39:50 why not?
Oct 24 06:29:24 totalizator: No reason not to in my experience and opinion but DocScrutinizer05 has his reasons to buy a certificate instead of using LE. Personally I like LE because it allows me to automate the process of renewing the certificate. That is actually a large part of the reason I switched to LE. The reason for using a computer in the first place is to work more efficiently by having the computer do tedious, repetitive work to save valuable human time for
Oct 24 06:29:24 things the computer cannot do itself, such as programming the computer. I do not want to risk interruption of service because I have to manually renew certificates if this renewal process can be automated.
Oct 24 06:33:43 In this case, though, I found it remarkable that BMW uses LE because BMW is a large company with broad brand recognition by the general public, not only by engineers. In my experience, it seems that large companies usually still buy a conventional certificate instead of using LE, at least for their Web sites that I access as a basically English-language monoglot whose travels IRL are limited to Canada, USA including Hawaii and Alaska, and Mexico.
Oct 24 06:36:14 But hey, I can speak x86 assembly language and machine code. :-P
Oct 24 06:39:08 It took me around three decades of living in Canada, not Quebec though, to realise that “bonjour” literally means “good day” instead of “hello”. I thought it meant “hello” because “hello” is usually translated to French as “bonjour” in my experience.
Oct 24 06:45:14 Do new road vehicles sold in continental Europe have miles on the speedometer? It surprises me that some automakers, at least Volkswagen and Audi, no longer include miles on the speedometer of vehicles sold in Canada even though most Canadians live close to the USA, where road signs still use miles instead of metric, same as the UK.
Oct 24 06:50:40 I realised that if the Tesla brand was used for a diesel vehicle then the vehicle may have a “Tesla coil” indicator light. :-D
Oct 24 06:55:27 Does anyone from Taiwan say “flag of Taiwan” instead of “flag of the Republic of China”?
Oct 24 06:57:46 Strictly speaking, there is, as far as I can tell, no flag of Taiwan, only the flag of the Republic of China, which is effectively a flag of Taiwan.
Oct 24 06:59:20 I mean the current flag of the ROC, not the previous flag of the ROC.
Oct 24 07:01:12 Serious question that I thought of: What do a Commodore 64 or Commodore 128 and a car with an automatic transmission with a horizontally-moving gear selector lever have in common?
Oct 24 07:02:52 hardware restrictions ;)
Oct 24 07:03:59 Or a typewriter, which is why the early Commodore computers have the thing that is the answer.
Oct 24 07:05:47 The answer is (a) shift lock as opposed to a caps lock.
Oct 24 07:07:10 I do not know if a vehicle with an automatic transmission with a column shifter has a shift lock because I have possibly literally zero experience driving such a vehicle.
Oct 24 07:08:41 I have more experience with 5.25-inch flexible disc drives than with automatic transmissions.
Oct 24 07:11:52 Vajb: Seriously, though, does any Commodore computer truly have hardware restrictions, other than the write prevent mechanism of the flexible disc drive? I thought that Commodore usually did not try to restrict the user of their products.
Oct 24 07:18:08 It also occurred to me recently that the automotive industry may have originally had only one manual that covered both using and servicing a vehicle before splitting the service manual from the user manual?
Oct 24 07:24:37 DocScrutinizer05: What does “DocScrutinizer” mean? Document(ation) Scrutinizer? Doctor Scrutinizer?
Oct 24 08:30:16 brolin_empey: doctor is most likely, perhaps look it up?
Oct 24 08:30:50 pfft
Oct 24 08:31:01 that's a silly comparison
Oct 24 09:00:49 I assumed Doctor.
the issue with certificates is it's a massive chain of trust and if that is compromised somehow it leads to false security. Cert companies have gone bust by blindly or systematically adding certs; you lose that web of trust and no one will trust you.
Oct 24 09:08:24 Do big companies use conventional certificates because they're better, or because that's just what companies have always done?
Oct 24 09:10:47 You can probably find a bunch of other technologies that are pretty much only used by big companies, mostly because it's big companies that have been around long enough to still be using them.
Oct 24 09:10:57 things like Java application servers come to mind.
Oct 24 09:11:39 Maxdamantus: companies use standard certificates because it's what's trusted and what browsers have built in, they use their own within the trusted well known root certificate that is on the OSes
Oct 24 09:11:51 I would imagine larger companies would be happy to pay for a better known, more trusted company. Also they may be happy with the relationship they have built up with the company.
Oct 24 09:12:24 Juesto: browsers obviously support LE though, otherwise LE wouldn't be very useful.
Oct 24 09:12:30 It's possible BMW have got new people in to work on their web stack.
Oct 24 09:12:35 ?
Oct 24 09:13:00 Juesto: “it's what's trusted and what browsers have built in”
Oct 24 09:13:13 LE?
Oct 24 09:13:15 Juesto: LE is trusted in the same way as other CAs.
Oct 24 09:13:19 Juesto: letsencrypt.
Oct 24 09:13:30 oh right
Oct 24 09:13:48 yeah, LE is pretty recent as far as I gather
Oct 24 09:14:20 but that one likely uses another well known root cert
Oct 24 09:14:49 apologies for the little confusion i had
Oct 24 09:14:58 I was under the impression that LE has their own root cert(s), but I haven't looked into it.
Oct 24 09:15:25 go ahead and confirm?
Oct 24 09:16:49 "DST Root CA X3"?
Oct 24 09:18:02 Ah okay, that's a certificate from some "IdenTrust".
Oct 24 09:18:41 :)
Oct 24 09:20:57 But that's obviously quite a lot of trust that "IdenTrust" must be putting in LE.
Oct 24 09:22:41 Exactly...
Oct 24 09:22:48 * Maxdamantus isn't particularly familiar with certificates, but presumably they've signed LE's certificate saying they can sign for any domain.
Oct 24 09:23:16 So IdenTrust and LE are effectively the same thing here.
Oct 24 09:23:44 "I trust you to have as much power as I have"
Oct 24 09:27:04 With all encryption like this you have some public key and private key. The cert co's job is as a third party to verify those keys are correct and valid.
Oct 24 09:28:31 Well, its job is to vouch for the association of some public key with some domain name.
Oct 24 09:29:12 I understand how it works in principle, just don't know the details around validation processes, the actual trust delegation, etc
Oct 24 09:30:11 I can't see something explicitly like "domain: *" in the information about the LE certificate through Firefox's certificate viewer, so presumably the delegation is in the form of something like "Signer"
Oct 24 09:32:30 I'm guessing it's the "Is a Certificate Authority" part under "Extensions > Certificate Basic Constraints"
Oct 24 09:33:09 so if a valid certificate says "Is a Certificate Authority", then any certificate signed by that certificate is also valid.
Oct 24 09:34:56 But surely there must be other ways to delegate these things, eg, if you have a valid certificate for "*.google.com", presumably you can sign another certificate for "mail.google.com", without being a CA.
Oct 24 09:42:06 Google has at least one of these CA certificates too.
Oct 24 09:42:37 issued by GlobalSign
Oct 24 09:45:16 Google have Google Trust Services
Oct 24 09:51:11 Superfish...
Oct 24 09:51:17 * sixwheeledbeast shudders
Oct 24 10:14:42 hmm I wonder, if company x trusts company y and company y trusts company x. Who is to say that x and y are trustworthy?
Oct 24 10:15:17 question raised while reading a backlog
Oct 24 10:16:16 Vajb: the trust statements are backwards relative to how certificates normally work.
Oct 24 10:17:43 It should be "y is trusted by x" and "x is trusted by y", since that's what's in the certificates ("y is trusted by x" -> "y includes a signature produced by x")
Oct 24 10:18:27 i think vajb wants to know who is at the top of trust
Oct 24 10:19:07 hmm ok, I'm still not quite there yet or maybe what KotCzarny said...
Oct 24 10:19:35 but what's important is whether you can follow the "_ is trusted by _" relations to a certificate that you're willing to inherently trust, which will happen in this case if either certificate exists in the browser's/OS' certificate store.
Oct 24 10:20:41 afaik, being a "root" is not really important.
Oct 24 10:21:36 I thought more of as is there company z who says x and y are trustworthy
Oct 24 10:21:55 no? someone decides who can get in and when and at what conditions
Oct 24 10:22:10 but is this more related to blockchain?
Oct 24 10:22:18 and i suppose those in lower roots have to agree to some root conditions
Oct 24 10:22:30 unless "root" means "exists in the browser's/OS' certificate store"
Oct 24 10:22:30 as opposed to being issued by itself.
Oct 24 10:23:04 certificate stores usually use whatever is popular/"trusted"
Oct 24 10:26:24 so browser creator gets to decide what certificates his browser has by default?
Oct 24 10:26:31 yes
Oct 24 10:26:39 unless they use system's one
Oct 24 10:26:49 or maybe develober instead of creator...
Oct 24 10:26:58 developer*
Oct 24 10:27:00 but since browsers had to be consistent, they bundle certs themselves
Oct 24 10:27:25 ah os has its own certificates too?
Oct 24 10:27:27 some specific builds might use system's one
Oct 24 10:27:36 yeah
Oct 24 10:27:45 hmm
Oct 24 10:27:50 in debianish world they usually come as ca-certificates package
Oct 24 10:28:05 but curl packs its own often
Oct 24 10:28:39 if some rogue developer puts some dubious certificates in his store would it be possible for them to spread and compromise whole chain of trust?
Oct 24 10:28:40 so basically it's a mess, which wouldn't be a mess in updated and supported distro
Oct 24 10:28:44 yup
Oct 24 10:29:10 but it would only be used by that particular app
Oct 24 10:29:32 unless it goes rogue and modifies system
Oct 24 10:29:34 and that _could_ be possible with, say LE?
Oct 24 10:29:45 nah, LE is different story
Oct 24 10:30:19 ok, I'm trying to wrap my head around why it is starbge that BMW uses LE.
Oct 24 10:30:26 strange*
Oct 24 10:30:28 eh, its a standard-ish thing
Oct 24 10:30:34 because LE is new kid on the block
Oct 24 10:30:51 root certificates are like the root domains, they're on top of the chain
Oct 24 10:30:59 and we have yet to see how well they manage things
Oct 24 10:31:45 if LE was a root cert on its own it would have been perhaps a little more exposed/scandalous/newsworthy
Oct 24 10:32:15 ah so its trust exp runs quite low still and it needs few level ups ;)
Oct 24 10:33:02 its more a service
Oct 24 10:33:27 I see.
Oct 24 10:33:44 apparently
Oct 24 10:33:49 dont quote me
Oct 24 10:34:03 neither rely
Oct 24 10:34:08 also, their value gets undermined by a 'free cert for everyone' idea
Oct 24 10:34:21 which basically includes malware
Oct 24 10:34:28 pfft
Oct 24 10:34:34 what a scam(?)
Oct 24 10:34:40 user might see 'oh it's a trusted site' without checking who is the owner of the cert
Oct 24 10:37:56 so should we always check who issued the cert? And even block some certs if they seem dubious?
Oct 24 10:38:06 no, who owns the cert
Oct 24 10:38:12 issuers are trusted
Oct 24 10:38:18 I think I never checked any certs
Oct 24 10:38:25 issuer != owner
Oct 24 10:38:32 but they might sell/issue cert to dubious entity
Oct 24 10:38:40 ah missed that part
Oct 24 10:39:34 actually I recall firefox complaining about certs being old in some page
Oct 24 10:39:53 (I know this is not related to this)
Oct 24 10:40:02 hmm that
Oct 24 10:40:26 must have been your clock or your store being outdated
Oct 24 10:41:13 or old browser without updated certs
Oct 24 10:41:16 or I was in some shady back alley of internet
Oct 24 10:41:30 might be that too
Oct 24 10:41:54 lel
Oct 24 10:42:03 oh ya you reminded me
Oct 24 10:42:07 I backed off, if you wonder ;)
Oct 24 10:42:16 yes some internet connection can cause issues with certs
Oct 24 10:42:19 and browser warnings
Oct 24 10:42:30 especially flaky ones
Oct 24 10:42:55 hmm can't recall if it was home or with some "free" wlan
Oct 24 10:43:33 there you go
Oct 24 10:43:40 wifi can be terrible
Oct 24 10:45:01 yup. That's why I don't use anything sensitive anymore while on free wifi
Oct 24 10:45:23 like on holidays
Oct 24 10:47:26 :)
Oct 24 10:50:52 23:28:39 < Vajb> if some rogue developer puts some dubious certificates in his store would it be possible for them to spread and compromise whole chain of trust?
Oct 24 10:51:06 In his own store? Then he's just compromising whatever software uses that store.
Oct 24 10:51:26 The trust store isn't going to magically replicate to other machines.
Oct 24 10:52:01 The rogue developer would need to do something like change what certificates are distributed as part of something like a Firefox package, or curl or ca-certificates.
Oct 24 10:53:04 (by "a Firefox package", I mean the package used for something like Debian)
Oct 24 10:55:51 But ultimately, the "top" of the trust chain is the stuff running on your system.
Oct 24 10:57:03 Since it's your browser that decides to look in certain places on the filesystem for certificates, and it's your hard drive that decides to return the blocks in the filesystem that happen to be stored certificates, and it's your CPU that decides to execute the browser's code in the correct way.
Oct 24 10:58:41 top, but still uses trust from the internet
Oct 24 10:58:50 so not the toppish top
Oct 24 10:59:13 But you can say that about any CA, not just the "root" ones.
Oct 24 10:59:18 yup
Oct 24 10:59:53 and since LE has a valid CA certificate, they're already fully trusted through these chains.
Oct 24 11:00:26 whether that trust comes from certificates stored directly in Firefox/ca-certificates, or from another such certificate signing LE's one.
Oct 24 11:04:31 actually, LE is already such a certificate on my system.
Oct 24 11:06:13 so it's trusted by both my browser directly, and by DST (which my browser trusts directly)
Oct 24 12:49:50 An issue is something like superfish, someone gets a fake cert into people's cert store either through browser or bundled by manufacturer. In this example it was a fake Google cert so you think TLS is working. Malware can then MITM your data on your machine, potentially leaving you with your private and public keys written to your drive in plaintext, that's bad.
Oct 24 12:51:10 Older companies are more trusted and therefore further up the web of trust.
Oct 24 12:51:23 s/Older/Established
Oct 24 18:37:16 Well, the superfish case is kind of analogous to just including actual software that can be considered malware.
Oct 24 18:37:56 eg, some program that automatically runs and manipulates memory used by web browsers such that it shows websites as being safe when they're not.
Oct 24 18:38:55 It's basically using the same "attack" vector: you control distribution of software, so you can control what the software does, either by including bad/modified software, or by including bad/modified "data" along with that software, such as certificates.
Oct 24 18:53:14 note: the point of the above comments is: superfish is not the fault of any particular trust system, since any trust system is vulnerable to attacks involving control over software distribution.
Oct 24 20:08:39 >> DocScrutinizer05: What does “DocScrutinizer” mean? Document(ation) Scrutinizer?<< <<-that
Oct 24 20:09:31 DocScrutinizer05: OK.
Oct 24 20:10:41 like prolly all nicks this one got 'designed' by a creative process and been inspired by >>Mr Reisenweber eats documents for breakfast<< (quote of a colleague), Frank Zappa's "Joe's Garage", and the character of DocHoliday
Oct 24 20:12:27 https://en.wikipedia.org/wiki/Doc_Holliday
Oct 24 20:17:24 oops, the quote of my colleague actually was >>joerg eats datasheets for breakfast<<
Oct 24 20:18:18 but there's no 3char file extension specific for datasheets ;-D
Oct 24 20:20:16 it's surprising how often the reference to Joe's Garage gets instantly noticed though
Oct 24 21:10:33 CSVScrutinizer05
Oct 24 21:40:34 :-D
Oct 24 22:22:54 Wow, a week of no spam on the wiki... well no anything. Maybe I have finally blocked all the rogue IPs... unlikely.
**** ENDING LOGGING AT Thu Oct 25 03:00:00 2018