meapix's comments

Good luck with that!


If the whole world could unite with a better system of measure of space (meter) then the same can happen for measures of time.


8 pounds less money.


The problem is ethics, you just made somebody a slave for a year. Now if you're happy with that, that's ok.


It's like saying, how do the people who invented a knife and provided a way to cut fruit feel about criminals and other bad people using their products to kill people.


What kind of insurance does letsencrypt provide in case of a data breach? Isn't that the whole point of a certificate authority?


No, that is not the entire point of a CA. The insurance that the big commercial CAs offer now is a farce. No end user has actually received the money for two reasons:

1. Breaches that qualify are often written off by the underwriter as "gross negligence" or other such behavior, which basically allows them to nullify the contracts and pay nothing.

2. Situations where the breach could be covered by the terms of the insurance are incredibly rare. Most situations where SSL compromise is at risk would not be covered. The insurance only helps you if the CA causes you damages through their own actions. In one of the most famous cases, the breach of the CA DigiNotar, the underwriter said that DigiNotar misrepresented themselves and invalidated all their policies.


That should be the job of an insurance company, not a certificate authority.

Also, an https cert has nothing to do with data breaches :)


Breach of the CA, not the web host. If the CA is breached there is no point to the encryption.


It wouldn't break encryption because you don't give away the private key when requesting a certificate from a CA.

It would definitely compromise the identity/trust part of it.


Let me rephrase with a quote from the public-key cryptography wiki:

"An attacker who could subvert any single one of those certificate authorities into issuing a certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the certificate scheme were not used at all."



> I still don't think they realize what happened.

Basically, your goal was to punish, not to correct?


Yes, absolutely.

Since this was the business model this company deemed acceptable, I figured it was completely acceptable to do it in return. When all you receive to your questions is "RTFM, idiot", that's a punishment in my opinion...not a correction. And I'm the one holding the million dollar purchase order in my hand.

I could not (and would not) waste development time trying to reeducate this person into being a better customer support person. That's not my job - it's theirs. Sometimes you need to whack someone on the head with a 2x4 before they get the message.


It sounds like his goal was to be able to have a helpful support person to call.

(Attempting to correct, from the outside, the flaws of vendor bureaucracies seldom goes well.)


What strikes me most is the number of people around me who don't care about this.


Well, it's a sort of institutionalized resignation... I mean, if there's nothing you can do about it, what should you be doing? Switching to a blackphone? What if your organization doesn't support a truly secure option?

It's like hearing that Microsoft and the NSA had a backdoor 20 years ago - at the time I didn't have an option for my work machine, so I just grunted and went along.


I'll start: terrorism is violence of any kind.


That's an overly broad and dangerous definition of terrorism.

Following that definition, these acts can be considered terrorism:

- Pub brawl

- Running someone over with a car

- Punching someone who is attacking you

- Police hitting protestors


Terrorism, as delivered by the media at the current time, is Islamic-related violence.

