SSL Certificates: Where, cheap or free - Page 2

Comments

  • He didn't pay up, so it's still available. First $4 gets it.

    Thanked by 1willie
  • How do you sell the namecheap-processed cert? Do you enter the CSR for the person? It has to be done through your namecheap account, if it's like the ones I bought from them.

  • @willie said:
    How do you sell the namecheap-processed cert? Do you enter the CSR for the person? It has to be done through your namecheap account, if it's like the ones I bought from them.

    I got a voucher code for a 1 yr namecheap comodo ssl certificate.

  • @willie said:
    Theirs are 30 days, don't see much point when there's multiple free 90 day available.

    Yes...

  • I found CloudFlare SSL is good enough for most cases.

  • you can get a cert at $4/yr at gogetss.com if you don't care about ssl brands. I remember they also sell comodo for around 5/yr

  • I highly recommend cloudflare for everything. They also make copies of your sensitive data all over the web.

  • willie Member
    edited February 2017

    sanvit said:

    you can get a cert at $4/yr at gogetss.com if you don't care about ssl brands. I remember they also sell comodo for around 5/yr

    The "ggssl" certificates are also Comodo, at least for now.

  • @bsdguy said:
    I highly recommend cloudflare for everything. They also make copies of your sensitive data all over the web.

    Well... we've been talking about CloudFlare being a shitty MITM service for a while now, so it wasn't like we didn't expect it to happen eventually :P

  • @doghouch

    Sure, absolutely agreeing. But: I didn't expect it to be so bad. I was expecting them to play the usual (mostly) us of a big mouth games but to at least have some half-way acceptable level of technical capability.
    What I saw really shocked me. I've sent diplomands home for less grave stupidity.

    I mean, that goto driven state machines must be handling buffers carefully is something I'd expect even students in the lower semesters to know. This whole thing has "unprofessional, dumb, and careless - to the square" written all over it.

  • bsdguy said: half-way acceptable level of technical capability. What I saw really shocked me.

    Oh come off it, code like that has comparable errors all the time. Other programs like the Linux kernel have had similar bugs countless times. If you're claiming to be invulnerable to making such errors yourself, please feel free to post some urls to your code repos for us to check. Otherwise the criticisms fall flat.

    Using that approach may have been a dumb idea to begin with, but once embarked on, led to consequences that were foreseeable rather than shocking.

  • sslforfree.com uses an LE certbot :)

    Thanked by 1doghouch
  • bsdguy Member
    edited February 2017

    Multiple errors in one post. For a start, I could be the world's worst coder and could still be an excellent examiner. Your logic "show us code or shut up" is just gravely flawed, to the point of not being logic.

    But being at that: How many state machines dealing with buffers have you written? I guess less than me. Which still doesn't tell a lot except that I know some problems that are specific (as in "quite common") for such state machines.

    And there is a simple cure, namely to properly spec, model, and verify code.

    Which leads us to the next of your errors: No, linux doesn't tell us anything about that situation; you can't compare that. Among other reasons for the fact that linux is an existing and very large code base, whereas that crap from cloudflare is not - which is a decisive difference. One could have designed and checked it properly.

    Finally, you can't compare my code for different reasons. Like due to the fact that I'm usually asked for my service to expressly write safe code (which is pretty expensive, not because I'm greedy but because not every hacker can do that and because it's a lot of effort). And even if the situation were different, you could still not compare it because my less than perfect code is in side projects that don't touch a significant part of all internet traffic.

    And btw, their approach/idea wasn't per se bad. State machines, particularly more complex ones, are often generated rather than hand coded. The way they did it and trusting so carelessly was stupid, however. Also note the embarrassment that others did find the problem. Short: cloudbleed is a major fuck-up and due to gross incompetence.

  • willie Member
    edited February 2017

    bsdguy said: I could be the world's worst coder and could still be an excellent examiner.

    Ok, show us some exploits you've found in well known programs. Large bug bounties are waiting for you to claim them.

    pretty expensive, not because I'm greedy but because not every hacker can do that and because it's a lot of effort

    Do you think you can out-hack Linus, RMS, etc.? They've all made errors like that. Even if you find the errors, where do you get off saying they lack a "half-way acceptable level of technical capability"? Do you have any ACM awards, Kyoto prizes, MacArthur fellowships to put up against theirs? You can get those things without writing actual code, you know. The issue is what you say: it is bloody hard to write such stuff.

  • How about using technical arguments instead of repeatedly trying to hit on me (unsuccessfully I might add).

  • bsdguy said:

    How about using technical arguments instead of repeatedly trying to hit on me (unsuccessfully I might add).

    You are hitting on programmers who all visible evidence suggests are far more competent than you are. If there is some not-yet-seen evidence that says otherwise, I've invited you to post it. You've come back with nothing.

  • MrKaruppu Member
    edited February 2017

    @wille I have seen @bsdguy posting something similar about LetsEncrypt. I don't want to attack anyone personally. His arguments were just baseless and he was just referring to a YCombinator discussion which was already marked as "non-issue".

    He criticises everything but I couldn't find him coming back with an exploit or a capable solution.

    Sticking to the original thread, you can use LetsEncrypt. I wouldn't recommend using StarCom SSL. They have charges for certificate revocation. I know it's the customer's duty to keep the certs safe. Even during heartbleed they charged a revocation fee.

  • @willie said:

    bsdguy said: I could be the world's worst coder and could still be an excellent examiner.

    Ok, show us some exploits you've found in well known programs. Large bug bounties are waiting for you to claim them.

    pretty expensive, not because I'm greedy but because not every hacker can do that and because it's a lot of effort

    Do you think you can out-hack Linus, RMS, etc.? They've all made errors like that. Even if you find the errors, where do you get off saying they lack a "half-way acceptable level of technical capability"? Do you have any ACM awards, Kyoto prizes, MacArthur fellowships to put up against theirs? You can get those things without writing actual code, you know. The issue is what you say: it is bloody hard to write such stuff.

    Pardon me, but you stubbornly follow a really stupid line. Funnily you do not even notice that in doing so you put yourself next to linux, rms, and similar. Sorry, but your approach to first try to attack me personally and to then put famous coders in your back/on your side is a) ridiculous and b) a failure.

    As it may please you: Of course I have made similar errors! But unlike you I don't merely blabber about things I don't know - I do write code that must be 100% correct. Not always and I'm still making errors occasionally but - the fact you still don't understand that clearly shows that you just don't know what you are talking about - those errors can be caught! You see, that's what I am talking about. Not about being perfect but about catching errors and about avoiding as many of them as possible to start with.

    As you obviously don't know the field, let me help you with something simple: One can pretty much always use one's own variable names for the code to be generated. So, a professional uses meaningful names for the simple fact that that makes spotting errors easier. Those cloudfail people however didn't do that. Nor did it ever strike their mind that a pointer might go beyond a buffer. I spotted that right away and told so. They didn't. That's not my guessing, that's in writing, their own writing. "==" in the comparison proves that they never even considered the case of the pointer going beyond the buffer.

    One must not be a genius to know or to do that properly. One might, for example, use frama-c which will complain right away. But they didn't. Either because they didn't care or because they didn't know how to do that. Maybe both.

    Can you now finally stop trying your attempts to win that case by trying to attack me and by "I have linux in my back. Who the fuck are you"?
    You don't know what you're talking about. Sorry, but it's simple as that. Your intention may have been good and nice but the way you chose is neither smart nor successful.

    And I have a strength you don't have. If I know something but not a lot about something I say "I think", "I guess", "maybe" and if I don't know anything I simply stay quiet.
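
The `==` end-of-buffer comparison discussed in the post above, as an added example that is not part of the original thread and is not Cloudflare's code: a toy scanner compares an equality end check with a `>=` check when one step advances the position twice. The names `scan_overrun` and `run_case`, the `'<'` trigger and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum { REQ_LEN = 8, ARENA_LEN = 32 };
typedef enum { END_EQ, END_GE } end_check;

/* Offsets p and pe stand in for the scanner's pointers, so the demo itself
   stays within defined behaviour. A '<' triggers an extra advance, modelling
   an action that moves p twice in one step (an assumption of this example).
   Returns how many bytes at or beyond pe were consumed before stopping. */
static size_t scan_overrun(const unsigned char *arena, size_t pe,
                           size_t arena_len, end_check mode)
{
    size_t p = 0, over = 0;
    while (p < arena_len) {           /* hard stop: never leaves the arena */
        int at_end = (mode == END_EQ) ? (p == pe) : (p >= pe);
        if (at_end)
            break;
        if (p >= pe)
            over++;                   /* this byte belongs to a neighbour */
        if (arena[p] == '<')
            p++;                      /* the extra advance */
        p++;
    }
    return over;
}

/* Constructed sample: the request occupies the first REQ_LEN bytes and the
   rest of the arena stands for unrelated adjacent memory. */
static size_t run_case(const char *request, end_check mode)
{
    unsigned char arena[ARENA_LEN];
    memset(arena, 'S', sizeof arena);
    memcpy(arena, request, REQ_LEN);
    return scan_overrun(arena, REQ_LEN, ARENA_LEN, mode);
}

int main(void)
{
    /* Well-formed input lands exactly on pe, so both checks behave alike. */
    printf("well-formed, ==: %zu\n", run_case("<a>hello", END_EQ));
    /* A trailing '<' makes p step over pe; only >= notices. */
    printf("truncated,   ==: %zu\n", run_case("hello<a<", END_EQ));
    printf("truncated,   >=: %zu\n", run_case("hello<a<", END_GE));
    return 0;
}
```

Well-formed input never exposes the difference, which is why the end condition needs a static check or malformed-input tests rather than happy-path tests alone.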

  • MrKaruppu said: I wouldn't recommend using StarCom SSL

    They're not allowed to issue new certificates these days. They are working on reinstatement but even if they make it back, if the same people are involved, I'd stay away.

  • @willie said:

    bsdguy said:

    How about using technical arguments instead of repeatedly trying to hit on me (unsuccessfully I might add).

    You are hitting on programmers who all visible evidence suggests are far more competent than you are. If there is some not-yet-seen evidence that says otherwise, I've invited you to post it. You've come back with nothing.

    Yet more lack of logic and being emotionally driven bullshit. And btw, linux has gazillions of bugs. But then, linus never said that he was about to create a secure OS. He started as a student, the thing grew and he should be lauded for the level of discipline he has managed to establish and to keep.
    But that says plain nothing about my position to make statements about safe code.

  • bsdguy said: I do write code that must be 100% correct.

    Okay. I think now I know who I am talking with. You must be The God. :) Bye!

  • bsdguy said: those errors can be caught! You see, that's what I am talking about.

    You are calling the people who make the errors incompetent. The reality is that extremely smart people make those errors, which are very hard to avoid and also very hard to find. If they're so easy to find, I'd be interested in seeing urls about bug bounties you have collected, CTF events you've won, etc. People do get public recognition for that sort of thing. Unless you come up with some cred like that, you just sound like an idiot dissing a lot of highly capable programmers.

  • @MrKaruppu said:
    @wille I have seen @bsdguy posting something similar about LetsEncrypt. I don't want to attack anyone personally. His arguments were just baseless and he was just referring to a YCombinator discussion which was already marked as "non-issue".

    Nope. You and some others chose to interpret the issue in that way. Time will tell who is right.

    As for the rest: Cute. In case I forget, kindly remind me that you are applying to be on my "wants to be an opponent" list.

  • MrKaruppu Member
    edited February 2017

    bsdguy said: Nope. You and some others chose to interpret the issue in that way. Time will tell who is right.

    I think you don't understand what I am trying to tell you. No software is secure Open source or closed source. I know LE might have security issues. I know Linux has bugs waiting to pop out. We see bugs every day coming out.

    Bugs are part of Software development and maintenance. If you are going to stop using a product just because it might have bugs and security issues which may be found and exploited in future, you should refrain from using anything.

  • How about understanding for a start that the issue with LE is not software.

    "Bugs are part of Software development and maintenance. If you are going to stop using a product just because it might have bugs and security issues, you should refrain from using anything."

    I quote this because it amply demonstrates how you tick and how black and white you approach it.

    That (what you said there) is absolutely not my position. I'm not against cloudfail or linux or whatever because it's "not perfect". In fact I find the error density in linux quite (positively) surprising.

    What I do stay away from is crap that is shitty and carelessly made without even adequate efforts to make something proper.

    linux tries hard to make something proper. cloudfail did not. cloudfail acted utterly unprofessionally and cluelessly.

  • bsdguy said: As for the rest: Cute. In case I forget, kindly remind me that you are applying to be on my "wants to be an opponent" list.

    For me to be your opponent or whatever you call it, you must be capable. @willie has asked several times to share anything which you had created and is remarkable. I see you couldn't produce anything. You don't have to. At least expose a single bug on LE/Linux or any project before someone else does. Sharing an exploit after someone has exposed it doesn't count.

    Saying, "Look I told you these are not secure. Now xyz have exposed a vulnerability"

    We know it might have security flaws. But show us you can do it. I would agree you know what you are talking about.

    Then we will think about joining the opponent list. Because security researchers find bugs every day in all products. But you criticise almost all products but give no remedies/solutions.

  • MrKaruppu Member
    edited February 2017

    bsdguy said: linux tries hard to make something proper. cloudfail did not. cloudfail acted utterly unprofessionally and cluelessly.

    okay. You told,

    I do write code that must be 100% correct.

    How do you ensure that? I would like to get into details.

  • How do you ensure that? I would like to get into details.

    Take a look at www.dwheeler.com for some methods. The issue is that they're somewhat exotic by industry standards and not widely used in the real world, but that doesn't mean people who don't use them are idiots.

  • bsdguy Member
    edited February 2017

    @MrKaruppu said:
    I do write code that must be 100% correct.

    How do you ensure that? I would like to get into details.

    What for? I already did - and you didn't even get it.

    @willie said:

    How do you ensure that? I would like to get into details.

    Take a look at www.dwheeler.com for some methods. The issue is that they're somewhat exotic by industry standards and not widely used in the real world, but that doesn't mean people who don't use them are idiots.

    Oh well, I wouldn't call major projects in infrastructure, medical, military, space and others "somewhat exotic". Another hint is, as L. Lamport loves to mention, that amazon uses TLA+. Amazon. Not exactly exotic or irrelevant.

    "industry standard". Congratulations. As if there were any reasonable measure. industry standard sadly is crap.

    And: I didn't say that people who don't use that type of software engineering are idiots. Kindly stop to again and again put your emotions into my mouth.

    Once more both of you talk about things you do hardly or not know and once more you are led by emotions and try funny social tactics instead of technical arguments.

    As for cloudfail: Is running significant parts of the internet through one's machinery sensitive or not? Is it a case where high standards - or even just linux standards - should be applied or not?

    As you brought up linux (once more not really knowing what you are talking about) let me give you a hint: openssl is a shitpile. cloudflare almost certainly is a shitpile, too. Linux (except systemd cancer) is no shitpile.

    Why? Maybe because linus insistingly drove his people to not produce shit? Because not a 1000 but at least 4 or 6 well trained eyes are not blabla but reality in linux? Maybe because linux and his core team established some sensible coding standards?

    And you tried to put linus against me? Ridiculous.

    And stop it already to ask for this or that proof of my professional capabilities. You couldn't handle or even just understand what I gave you so far. As if you would understand whatever TLA+ or frama annotations I offered you ... so, do yourself a favour and hate me and consider me arrogant (that will probably help you digesting) but stop begging for more pain.

  • bsdguy said:

    And you tried to put linus against me? Ridiculous.

    I'm saying if you live in a glass house, it's unwise to throw stones. And if you want to convince us that your house isn't glass, you have to show it to us.
