bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Re: SSL Certs (cms)
2. Re: Scanner Driver (Epson V550) (Peter Hemmings)
3. Re: SSL Certs (Alex Butcher)
4. Re: SSL Certs (David Smith)
5. Re: SSL Certs (Martin Moore)
6. Re: SSL Certs (nick robinson)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 Jul 2016 13:56:54 +0100
From: cms <cms@beatworm.co.uk>
To: Martin Moore <martinm@it-helps.co.uk>, Bristol and Bath Linux User
Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] SSL Certs
Message-ID: <e1a51a30-bff7-b953-e742-9c9bdc609dca@beatworm.co.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
On 20/07/16 11:41, Martin Moore via Bristol wrote:
> No – by share I mean same cert on multiple servers to save money.
>
> I've installed letsencrypt on one server – very simple and lists subdomains to select/deselect as opposed to full wildcard.
>
> I'll stick with them for the moment.
>
> Cheers,
>
> Martin.
>
>
Cool. I use it for everything. You just can't automatically scale it to
any subdomain, although the setup time for a new host is fairly small,
it can be minutes not seconds on limited hardware. Not really a problem
for most use cases.
--
Regards,
cms
------------------------------
Message: 2
Date: Wed, 20 Jul 2016 15:49:28 +0100
From: Peter Hemmings <peternsomerset@virginmedia.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Scanner Driver (Epson V550)
Message-ID: <54ea1a67-bbe6-0cfe-876a-5d4e1b81eabc@virginmedia.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Update:
On 20/07/16 10:18, Peter Hemmings via Bristol wrote:
> Update -some basic problems
>
> On 20/07/16 08:17, Peter Hemmings via Bristol wrote:
>> Hi Peter
>>> The packages I installed looked different. They are
>>> iscan-2.3.0.1-1.usb0.1.ltd7.x86_64.rpm
>>> iscan-data-1.36.0-1.noarch.rpm
>>> iscan-network-nt-1.1.1-1.x86_64.rpm
>>> available from here
>>> http://support.epson.net/linux/en/iscan_c.html
>>>
>>> The FAQ here
>>> http://www.epson.co.uk/gb/en/viewcon/corporatesite/products/mainunits/faq/3458/2610
>>>
>>>
>>> says that the network package is only needed for scanning over ethernet
I have removed iscan firmware and data.
My good OS has same iscan-data and iscan so installed them from earlier
"bundle".
My working OS does not have the network package, but does have a plugin
"GT-X770".
I now have the following:
[peter@localhost ~]$ rpm -q iscan
iscan-2.30.1-1.usb0.1.ltdl7.x86_64
[peter@localhost ~]$ rpm -q iscan-data
iscan-data-1.36.0-1.noarch
[peter@localhost ~]$ rpm -q iscan-network-nt
iscan-network-nt-1.1.1-1.x86_64
[peter@localhost ~]$
[peter@localhost ~]$ usb-devices
(part)
T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1
P: Vendor=04b8 ProdID=0130 Rev=01.00
S: Manufacturer=EPSON
S: Product=EPSON Scanner
C: #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=2mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
It still does not work, could you confirm your driver above is Driver=
I assume you have "epkowa" listed as the driver in "usb-devices"!?
Is the GT-X770 likely to be needed as I read "plugins" were "extras"?
>>>
>>> Might be worth trying these packages rather than the ones you
>>> currently have
>>> installed
>
>>> Regards
>>> Dave
>>>
Nearly about to give up and install windoze again but know it would be a
real pain to install and use.
--
Peter H
------------------------------
Message: 3
Date: Wed, 20 Jul 2016 16:08:07 +0100 (BST)
From: Alex Butcher <lug@assursys.co.uk>
To: Martin Moore <martinm@it-helps.co.uk>, Bristol and Bath Linux
User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] SSL Certs
Message-ID:
<alpine.LRH.2.11.1607201558440.7624@zlgugi.of5.nffheflf.cev>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On Wed, 20 Jul 2016, Martin Moore via Bristol wrote:
> No – by share I mean same cert on multiple servers to save money.
Be careful what you wish for; the more servers a cert (and corresponding
key) is installed upon, the more ways there are for somebody to steal them
and use them to impersonate or MITM secure connections. And then, when they
do, you have to get the replacement key and cert on all the servers it's
shared with.
I use StartSSL.com's free certificates for personal use (I'm not sure I'd
trust their infrastructure for anything more important, though).
Otherwise, you're basically looking at:
* Browser compatibility - i.e. which browsers/OSs have the necessary root
certificates in their certificate store so as to be able to validate your
certificate without giving errors and warnings to your users. See
<https://www.sslshopper.com/ssl-certificate-compatibility.html> and the
links at the bottom.
* Trustworthy status - can you be reasonably assured that their
processes and infrastructure are reliable and secure enough so as to not
issue fraudulent certs?
* Cost, of course!
HTH,
Alex
------------------------------
Message: 4
Date: Wed, 20 Jul 2016 15:27:32 +0000
From: David Smith <David.Smith@imgtec.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] SSL Certs
Message-ID:
<15A9D35B5490FC49AC0524AE3A085F082CA44506@BRMAIL01.br.imgtec.org>
Content-Type: text/plain; charset="utf-8"
> From: Bristol [mailto:bristol-bounces@mailman.lug.org.uk] On Behalf Of Alex
> Butcher via Bristol
> Otherwise, you're basically looking at:
> * Trustworthy status - can you be reasonably assured that their processes
> and infrastructure are reliable and secure enough so as to not issue
> fraudulent certs?
Just as a point-of-interest, is this actually relevant? I don't think it actually increases the security of the system, since the security of the system is limited by the least-trustworthy CA that has its root certificates in the users' browsers, isn't it? Can't any CA issue a certificate for any website, even if another CA has already issued one?
For example:
Joe Bloggs is the legitimate owner of www.bloggs.com. He has bought an SSL certificate from trustworthy-ssl-certificates.com.
Dr Nefario wants to attack the website. He goes to dodgy-ssl-certificates.com and buys a certificate identifying his server as a legitimate host, and poisons DNS, hijacks WiFi or uses some other mechanism to redirect traffic to his site. His server provides the dodgy-ssl-certificates.com SSL certificate to identify itself, and because dodgy-ssl-certificates.com also have their root certificate installed in the vast majority of users' browsers, the users' browsers accept it as a valid host (especially as the number of users that will actively police their browsers' root CA certificates is so close to zero as to make no difference).
I don't see how having your SSL certificate issued by a "trustworthy" CA increases the security of your site, unless you persuade all the users to disable the other CA's root certificates in their browsers.
Unless I've completely misunderstood how this works?
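
The scenario in the message above can be reproduced offline with two throwaway root CAs. This is an added example, not part of any list message: the file names are constructed, the CA and host names follow the scenario, and it assumes the `openssl` command-line tool with its default configuration is installed.

```shell
#!/bin/sh
# Added illustration with throwaway keys; CA and host names follow the scenario above.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.bloggs.com

make_ca() {      # $1 = CA name -> $WORK/$1.key and self-signed root $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 root" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA -> $WORK/$1-leaf.crt naming $HOST
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/$1.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1-leaf.csr" -days 1 -extfile "$WORK/$1.ext" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$1-leaf.crt" 2>/dev/null
}

verdict() {      # $1 = trust store file, $2 = issuing CA of the leaf to check
    if openssl verify -CAfile "$WORK/$1" -verify_hostname "$HOST" \
        "$WORK/$2-leaf.crt" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# Both CAs independently issue a certificate for the same hostname.
for ca in trustworthy dodgy; do
    make_ca "$ca" && issue_leaf "$ca" || exit 1
done

# A browser-like store trusting both roots, and one with the second root removed.
cat "$WORK/trustworthy.crt" "$WORK/dodgy.crt" > "$WORK/both-roots.pem"
cp "$WORK/trustworthy.crt" "$WORK/one-root.pem"

echo "both roots trusted, cert from trustworthy CA: $(verdict both-roots.pem trustworthy)"
echo "both roots trusted, cert from dodgy CA:       $(verdict both-roots.pem dodgy)"
echo "dodgy root removed, cert from dodgy CA:       $(verdict one-root.pem dodgy)"
```

The client's verdict depends only on which roots are in its trust store, not on which CA the site owner chose to buy from.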
------------------------------
Message: 5
Date: Wed, 20 Jul 2016 16:40:00 +0100
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'David Smith'" <David.Smith@imgtec.com>, "'Bristol and Bath Linux
User Group'" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] SSL Certs
Message-ID: <013101d1e29c$fa4e3520$eeea9f60$@co.uk>
Content-Type: text/plain; charset="utf-8"
Ironically, I'm not really fussed about security!
We don't keep anything of that type on our servers, but some new stuff insists on SSL - e.g. chrome browser and geolocation stuff. It's clearly not a bad thing to have anyway, but I've no need for top level SSL.
Martin.
------------------------------
Message: 6
Date: Wed, 20 Jul 2016 17:02:58 +0100
From: nick robinson <nick@njrobinson.net>
To: David Smith <David.Smith@imgtec.com>, Bristol and Bath Linux User
Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] SSL Certs
Message-ID:
<CADo8qK7uyDtd3omXkELR7iPjTmjRkwfBDm-rc1zWWCyTCOLQgQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
I agree with this, which is also the point of view letsencrypt takes, that
ssl is about encrypting the traffic between client and server. All the
additional "trusted"/"verified" nonsense they add on the top of it to hike
the bill should be handled by some other system.
On 20 July 2016 at 16:27, David Smith via Bristol <
bristol@mailman.lug.org.uk> wrote:
> > From: Bristol [mailto:bristol-bounces@mailman.lug.org.uk] On Behalf Of
> Alex
> > Butcher via Bristol
> > Otherwise, you're basically looking at:
> > * Trustworthy status - can you be reasonably assured that their processes
> > and infrastructure are reliable and secure enough so as to not issue
> > fraudulent certs?
>
> Just as a point-of-interest, is this actually relevant? I don't think it
> actually increases the security of the system, since the security of the
> system is limited by the least-trustworthy CA that has its root
> certificates in the users' browsers, isn't it? Can't any CA issue a
> certificate for any website, even if another CA has already issued one?
>
> For example:
>
> Joe Bloggs is the legitimate owner of www.bloggs.com. He has bought an
> SSL certificate from trustworthy-ssl-certificates.com.
>
> Dr Nefario wants to attack the website. He goes to
> dodgy-ssl-certificates.com and buys a certificate identifying his server
> as a legitimate host, and poisons DNS, hijacks WiFi or uses some other
> mechanism to redirect traffic to his site. His server provides the
> dodgy-ssl-certificates.com SSL certificate to identify itself, and
> because dodgy-ssl-certificates.com also have their root certificate
> installed in the vast majority of users' browsers, the users' browsers
> accept it as a valid host (especially as the number of users that will
> actively police their browsers' root CA certificates is so close to zero as
> to make no difference).
>
> I don't see how having your SSL certificate issued by a "trustworthy" CA
> increases the security of your site, unless you persuade all the users to
> disable the other CA's root certificates in their browsers.
>
> Unless I've completely misunderstood how this works?
------------------------------
End of Bristol Digest, Vol 653, Issue 5
***************************************