Ken
-
Posts
316 -
Joined
-
Last visited
-
Days Won
2
Posts posted by Ken
-
-
Why would proxies need to filter traffic? I don't know of any open web proxy that forces users to use unencrypted connections. TOR is a proxy network that, in addition to forcing HTTPS (where possible), encrypts every packet in multiple layers of encryption.
While HTTPS may not be perfect, the key exchange (Diffie-Hellman) is still the best way of allowing two anonymous users to exchange encryption keys. While some trust is required, it's infinitely less trust than would be required when transmitting plain-text over the Internet.
Open Web Proxies yes but private businesses that use filtering for internal policies not just limited to security. Of course those companies can add their certificates to the proxy and configure a MITM in order to do their filtering but I'd imagine in some cases this isn't applicable. So I'm not sure I'd rule it out.
-
Forget speed I was only referring to as it stands today. You may have encrypted your site and did not notice a difference but if you're talking about encrypting every entity out on the internet that's another thing. Will it fix MITM? I say no for the fact that it's a 'trust'. You are trusting the certificate on the other end because the root server says it's legit. This is fine for local traffic when you're on WiFi networks but when you're talking about backbone traffic being rerouted how are you going to trust your trusted authority?
Let's not forget that encrypted traffic also allows hackers to hide in some situations.
-
google.com does
Google is a login portal since even their search page will recognize a logged in user.
Almost all modern CPUs support hardware accelerated encryption. The iPhone5s even does this. Encryption is not necessarily a time consuming process. Block ciphers work by encrypting small pieces (usually 16-bytes) of data at a time, so can easily be streamed. Keep in mind the maximum TCP packet size is 64 KB.
Will encryption ever be as fast as plain-text? No, but soon the differences will be negligible and there will be simply no reason not to use it.
That's fair in regards to speed and consumption but what about proxy servers won't be able to filter traffic properly? That and HTTPS doesn't make you immune to MITM since SSL connectivity is based on 'trust'.
-
Computationally it's becoming more and more feasible. A lot of websites now force SSL. More people use SFTP instead of FTP for file transfers. More people check and send email securely now (it's a requirement for all of us here). Sure, there are some services that may not necessarily benefit from encryption, or where encryption may be too expensive to implement due to processing power. BGP may be a good example of that.
I'm not arguing that there should be any laws or regulations to enforce encryption and I don't think those would pass anyway, governments love to get their hands on information. I always argue against such regulations. But, I think that people are becoming more and more security conscious, and that the result is that more and more traffic is becoming encrypted. I think that's a good thing.
Which websites force SSL traffic short of area of sensitivity like login access? Requiring SSL on everything would make things incredibly slow, especially for mobile users.
-
It does seem to reinforce the idea that encryption is increasingly necessary, and not just for the most sensitive information. An Internet where virtually all traffic is encrypted is one that I think we're necessarily heading towards. Necessity drives innovation, and I think it'll happen naturally.
To encrypt all internet traffic would require devastating amounts of CPU, electricity and bandwidth because of it's footprint. I don't feel like there's a need to encrypt all traffic except for of course private or secret information and exploitable files. When sends someone a file it can be intercepted and tampered with. I think you'd sooner see some method to fragment or distribute traffic in order to prevent MITM where it is single point in nature.
-
I saw this article mentioned in the ARIN mailing list recently, and found it quite interesting.
http://www.renesys.com/2013/11/mitm-internet-hijacking/
Apparently, route hijacking has been on the rise in 2013. Worth the read if you have a few minutes.
Thanks to encryption and trusted certificates you can sleep at night.
Edit: With one eye open.
-
Wow didn't mean to triple reply. Mobile theme kept locking up on post.
-
That's why developers usually require half up front to keep them invested in the project.
-
That's why developers usually require half up front to keep them invested in the project.
-
That's why developers usually require half up front to keep them invested in the project.
-
Welcome Steve and point taken. My apologies for suggesting that you were attempting a publicity stunt... I more or less meant it looks like 'it could be taken' as one. I took it out of context for what was intended for the disclosure.
-
Please post feature requests here.
To comment on this one though, adding the ability to resend a welcome email or service activation email that there are no logs for, or that were never originally sent is something I'd like to do. It hasn't been heavily requested yet, so it's not very high on the priority list, but I think it's necessary.
For one-off fix of this problem though since he said it was in WHMCS and didn't get transferred can't he just copy it over to Blesta and create a new email from the client screen?
-
Not arguing putting the word out. I am saying I feel it's already out. I understand that after research Rack911 does a lot of work for members of that community. My point still stands though.
-
Ah right UK fees. No idea about those.
PayPal doesn't run my business either, however a lot of customers use them and trust them. My company is only 3 years old, and some aren't willling to trust me with their credit card information (even though I don't really even get it, stripe does) but they do have a higher regard of trust with PayPal. On the other hand some customers hate paypal and distrust them. Either way, I still wouldn't want to piss off my merchant gateway, just to save some pennies off each transaction.
Going to have to agree here, Mike. It's just business. We know you hate PayPal.
-
Why are emails not showing up in the logs? I'm not using this module to check. Mike do yours not show up in the mail log? Shouldn't all emails go there regardless of the module?
We are thinking about removing blesta from our production at this moment. There Missing to many functions...
WHMCS is a nightmare. You sure that's necessary? Not sure if you saw some of the other threads but the devs have acknowledged this and plan to improve this.
-
I don't buy into the "that's their (people who use WHMCS) own dumb fault, let 'em burn" mentality. Never have, never will.
You act as if they don't already know and trying to save people that don't necessarily want to be saved. The bugs were reported and we're talking about it in the open. They made national headlines. What more do you want?
There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.
-
I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms. Let them do their thing and, if appropriate, post on WHT. If you make a public disclosure, it would immediately be shouted down as a conflict of interest.
Isn't that kind of beating a dead horse? With everything that has happened with them and continuing to happen... I'm not sure what more needs to be said. It's great for our devs to underline security when it comes to Blesta for those who care about it, which should be everyone, but anything beyond that would just start to look a little foolish. As Cody mentioned he reported the exploits as well as others obviously since they are issuing security updates to the point that it's driving people nuts apparently. Either people get the picture and move on or they tighten up over time whether they're reporting back to people's submissions or not.
It wouldn't take very much research at all to get a feel for how secure their software is or isn't. If people won't take basic consideration for their own business then there's no real point in going on a crusade to inform them. Until then grab some popcorn and let's see what happens.
-
-
It's at the bottom of the first post on this thread.
-
I think everyone acknowledges their mistake in participating in this thread.
Alex don't take things to heart. It's going to get much worse in this industry. We've all been grilled when making assumptions... if we didn't we'd still be making them.
No one is attacking you personally they're just reacting to the rhetoric. Make friends not enemies.
-
agreed
-
If you're going to use Ubuntu you should use the LTS (Long-Term Support) versions. Which is every other x.04 release such as 10.04, 12.04, 14.04 etc.
-
Nothing is more harsh than someone irresponsibly mishandling data. Get a cert or shut it down.
-
We met the Vision guys a couple years ago, really good people. http://www.flickr.com/photos/48176820@N04/6028837095/in/photolist-abKnea I look high in that picture, though.
Well... we are in California after all.
Resend Mail
in Feature Requests
Posted
How about the ability to create email templates and use them in custom client emails instead? Rather than using WHMCS' hand holding bloated methods.