Gary Mort
Attended State University of New York at Albany
Lived in Pleasant Valley, NY
Gary Mort

Mindstorming deploying the #Joomla CMS! on Google App Engine(#gae) for #PHP.... trying to find my roadblocks/problems http://www.mindmup.com/#m:h1garyamort/joomla-gae:master:/Joomla%20GAE.mup

Gary Mort

The SSL Certificate Scam:


SSL encryption with internet traffic generally provides 2 benefits:

1) It protects the data sent back and forth over the internet from the client to the server from casual interception.

2) It provides assurances to the end user at the client that the website they have connected to is really who they say it is.


The first purpose can be handled with an SSL certificate created by anyone. The second purpose requires that the certificates being used by the servers are from a "trusted third party". What does it mean to be a trusted third party? Well, it means that the third party pays thousands of dollars a year to a financial Auditing Company to review their Certificate generation policies and ensure that they conform to "best practices"... considering the large numbers of websites out there where you can currently purchase an SSL certificate for a web server - best practices are quite weak:

At best, the third party has verified:
1) That the Domain name the SSL certificate is being issued for is owned by the Company doing the registration.
2) That any address information from the payment method for the SSL Certificate matches the company information [i.e. credit card, etc.]
3) That the IP address that the SSL certificate is being issued for is used by at least one subdomain from the domain name that the SSL certificate is being issued for[from 1].

In practice, SSL CAs will accept payment from anyone. Because of the widespread use of so-called 'DNS Privacy' options [aka fake addresses] for Domain Registrations, CAs don't bother to check 1.

Furthermore, CAs don't perform any 'follow up'. Once a certificate is issued, it's good for a year and then it expires. So all you know about the IP Address/Domain Name linkage is that at the time the certificate was issued, the domain name and the IP address may have been, in some way, related... if they bothered to check.

Once an SSL certificate has been issued, it can be in one of 4 possible states:
1) A Valid, un-expired SSL certificate
2) An invalid, un-expired SSL certificate
3) A Valid, expired SSL certificate
4) An invalid, expired SSL certificate

An invalid certificate means that the CA Authority maintains a database of fraudulent certificates so as to protect user privacy.  

In practice, however, CA Authorities don't perform any follow-up, so the only certificates that are marked as invalid are ones that someone else has told them about... generally a LOT of someones, as they don't bother to spend a lot of money researching a few reports.

Now consider your own browsing habits and how often you reach a website where you get a warning message because of an SSL certificate problem. After the economic meltdown, there were a large number of bankrupt, non-existent companies with websites that continue to run to this day. After years of running, most of them now give "expired certificate" warnings. They do not give "invalid/revoked certificate" warnings. Non-existent, bankrupt companies - and as far as the "trusted third parties" are concerned their certificates are still valid - and in some cases, if they opted to purchase long expiration times - not even expired!

The "audits" that trusted third parties have to pass only address this sort of thing in passing.  IF they choose to do follow up checks, THEN they have to follow certain rules.  Considering the number of fraudulent certificates discovered, it is my belief that the only thing these "audits" prove is that the company pays thousands of dollars a year for a rubber stamp.  The only difficulty I'm aware of is passing the audit the first time.  Once you have passed, I'm not aware of any auditing firms coming back and revoking their findings.   Even in high profile cases of monumental mistakes - the auditing firms don't foot the bill and re-audit everyone they have previously audited to ensure that there are no problems.   So the only thing that a trusted third party really does to prove it is trustworthy is demonstrate that it can pay thousands of dollars a year to some company.


CA Authorities COULD easily and for the most part semi-automatically do these things.  For every website certificate generated, they could have a server which monitors the website and if it is down for a week or more[indicating something happening] automatically revoke the certificate and generate a new one for free for the customer.

They could periodically scan the internet for all websites using certificates that they signed which have expired and then have someone follow up to ensure that the certificates are still valid [i.e. the company still exists and is still running that website].

However, all of that doesn't actually generate any revenue.  So why should they? I would argue that they should do so because they put THEIR company name on that certificate at some point and it is their reputation on the line.

Instead they came up with a new idea.  Extended Validity Certificates.  http://en.wikipedia.org/wiki/Extended_Validation_Certificate  These certificates have a few extra hoops to jump through in order to receive one.  In theory, they solve the problem created by the CA's to begin with - that identity was not really checked.  And they do this in a brilliant manner, by charging customers more money!

This scheme, supported by most major browsers, is designed so that websites that are using an EV Certificate will appear even MORE trustworthy.

It is a relatively new program, first rolling out in 2008 and only really hitting its stride after 2010. At first appearance it seems to be "the solution" because websites now using them are legitimate. But it has the same problems as the old scheme. Given a decade, there will be a large number of "expired" EV certificates. The trusted third parties aren't doing follow-up every few months to ensure that "legitimate" certificates aren't used for illegitimate purposes. And since it is the same companies issuing these EV Certificates which also issue the 'normal' certificates, there is no reason to believe that they will do anything differently.

Based on all of this, my own feeling is that purchasing SSL certificates is, at this point in time, just a scam. There is no added security to using one of them over using self-signed certificates. In fact, the opposite - with self-signed certificates you have the CHOICE of who to trust. With paid certificates, Google, Mozilla, or Microsoft chooses for you - and they don't allow you to choose to not trust one of these "trusted third parties".
FYI: I do think that with a few small changes, the system could be reformed.  I've got to reflect a bit on those changes and might post some ideas at some point.
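As an added illustration (not part of the original post or its author's code), the four certificate states listed above, expressed as a check over certificates in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames, certificate fields, audit time and revocation list are constructed sample data; the revocation set stands in for whatever list of reported certificates a CA maintains.

```python
import ssl
import time

# Constructed sample certificates, shaped like the dicts that
# ssl.SSLSocket.getpeercert() returns. These are not real certificates.
SAMPLE_CERTS = {
    "running-co.example": {            # company alive, cert in date
        "serialNumber": "1001",
        "notBefore": "Jan  1 00:00:00 2013 GMT",
        "notAfter": "Jan  1 00:00:00 2014 GMT",
    },
    "bankrupt-co.example": {           # company gone, cert never revoked
        "serialNumber": "1002",
        "notBefore": "Jan  1 00:00:00 2009 GMT",
        "notAfter": "Jan  1 00:00:00 2010 GMT",
    },
    "reported-fraud.example": {        # reported to the CA, still in date
        "serialNumber": "1003",
        "notBefore": "Jan  1 00:00:00 2013 GMT",
        "notAfter": "Jan  1 00:00:00 2015 GMT",
    },
    "old-fraud.example": {             # reported to the CA, already expired
        "serialNumber": "1004",
        "notBefore": "Jan  1 00:00:00 2008 GMT",
        "notAfter": "Jan  1 00:00:00 2009 GMT",
    },
}

# Constructed stand-in for the serials a CA has marked invalid.
REVOKED_SERIALS = {"1003", "1004"}

# Constructed audit time, so the classification below is reproducible.
NOW_2013 = ssl.cert_time_to_seconds("Jun 15 00:00:00 2013 GMT")


def classify(cert, revoked, now=None):
    """Return (validity, expiry): 'valid'/'invalid' comes only from the
    revocation set; expiry comes from the certificate's own dates."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    validity = "invalid" if cert["serialNumber"].upper() in revoked else "valid"
    if now < not_before:
        expiry = "not-yet-valid"
    elif now > not_after:
        expiry = "expired"
    else:
        expiry = "un-expired"
    return validity, expiry


def audit(certs, revoked, now=None):
    """Classify every certificate by host."""
    return {host: classify(c, revoked, now) for host, c in certs.items()}


def expired_never_revoked(certs, revoked, now=None):
    """Hosts whose cert aged out without the CA ever marking it invalid:
    'valid' here only means nobody reported it, not that it was checked."""
    states = audit(certs, revoked, now)
    return sorted(h for h, s in states.items() if s == ("valid", "expired"))
```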

Gary Mort

1 step closer to publishing my first large-scale Joomla extension.  http://gary.mort.net/coding/joomla-musings/15-tracking-plugins-via-profile-2.html

Still needs some refinement on the installation process... packages don't quite work in Joomla, or I'm missing something.
Ed Pell
Gary, your link is not working for me in Firefox.
Gary Mort

Getting ready for presenting on #Joomla tomorrow evening in NYC: http://www.meetup.com/New-York-City-Joomla-Users-Group/events/151754632/

I will be doing a basic #git, #github, & #phpstorm configuration presentation on how to combine the three with #Joomla! development as well as #PHP in general.

I also will go as far into depth as participants want on using the Joomla! Form API. There are lots of features buried away in the #JForm API to help developers build powerful user interfaces.  So we can start with the basics of setting up the xml file and then delve deeply into the API - so the presentation is good for beginners and experts.
Work
Occupation
Plumber for hire. Intertubes unclogged, installed, and upgraded.
Places
Previously
Pleasant Valley, NY - Albany, NY - Salt Point, NY - Troy, NY - Rhinecliff, NY - Brooklyn, NY - Stanfordville, NY - Beacon, NY - Baltimore, MD - Queens, NY - Saugerties, NY - Kingston, NY
Story
Introduction
Web Engineer. 
Jack of all trades, master of many.
If you can dream it, I can build it.
Education
  • State University of New York at Albany
    Computer Science, 1989 - 1993
  • Arlington High School
    Regents, 1985 - 1989
Basic Information
Gender
Male
Looking for
Friends, Networking
Relationship
Married
Other names
garyamort, gmort, gamort, bzgmort