Coffeehouse Thread

23 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Microsoft - "Pay us 'protection' money or don't run a site"

  • Manip

    Microsoft and affiliates are operating a virtual protection racket; which allows Microsoft to profit from every secure site accessed by its IE7 browser.

    Here is what happens if you aren't willing to pay one of Microsoft's authorised certificate authorities:



    Now, why such an extreme warning? Why break EVERY secure site on the internet not willing to pay up just to stop phlishing of a few?

    It is simple -- To make money.

    Sites pay a CA for a certificate, who in turn pay Microsoft to add them to the release within their software.

    I really want to know how Microsoft expects sites to run securely with encryption other than paying one of their trusted CAs.

    The result of this might be that the internet gets less secure while Microsoft and friends get richer and richer... Sites will stop supporting encryption if visitors leave because they see an ugly warning screen.

    PS - I looked up the cost for one site... $349 (£259!) per year for an authorised SSL certificate from a trusted CA.

  • AndyC

    Firstly, Microsoft don't sell certificates so I don't quite get how this allows them to make money.

    Secondly, the entire point of a certificate is to prove you are who you say you are. If you don't have someone trustworthy to vouch for your identity, then why should anyone trust that you are indeed who you claim to be? Self-signed certificates give the average user an illusion of security that simply is not there, faced with that fact, IE is doing the right thing.

    Thirdly, there are plenty of places that sell certificates much, much cheaper than that.

  • Andrei P

    $349 is rather affordable. You don't need SSL for your blog, you normally need SSL if you're selling something (for CC details) or you retrieve other sensitive information.  Selling something or storing sensitive information shouldn't be done by someone who can't afford to pay $349.
    Also, certificates that are not signed have absolutely no value.

    Have you thought about writing for The Register?

  • AndyC

    Manip wrote:
    Uhh what? Running an encrypted site is STILL more secure than running an unencrypted site even if it uses self-sign.

    No, it really isn't. I can set up a site with a self-signed certificate claiming to be Manip. Nobody would know the difference. It completely defeats the object of certificates in the first place.

  • Manip

    AndyC wrote:
    Firstly, Microsoft don't sell certificates so I don't quite get how this allows them to make money.

    It is obvious... You pay the CA who in turn pay Microsoft for the rights to be 'trusted' ... Either per certificate or per a period of time. Thus Microsoft make big bucks out of the deal (billions I'd imagine).

    AndyC wrote:
    Secondly, the entire point of a certificate is to prove you are who you say you are. If you don't have someone trustworthy to vouch for your identity, then why should anyone trust that you are indeed who you claim to be? Self-signed certificates give the average user an illusion of security that simply is not there, faced with that fact, IE is doing the right thing.

    Uhh what? Running an encrypted site is STILL more secure than running an unencrypted site even if it uses self-sign.

    Andrei P. wrote:
    $349 is rather affordable. You don't need SSL for your blog, you normally need SSL if you're selling something (for CC details) or you retrieve other sensitive information. Selling something or storing sensitive information shouldn't be done by someone who can't afford to pay $349.

    There is a tree planted in my back garden ... Please pay me $1 a day to breathe my air... It isn't THAT much after all... You aren't going to need THAT much air unless you are working hard, which means you are making money...

    I await your check.
    (My request is no more or less absurd than what you expect sites to do on a free internet)

    Plus your logic is incorrect. I use SSL to access the management system on a server I run (no money involved); University uses it to secure communications between me and my personal information (no money there) and even Channel 9 uses it to allow you to securely access the forums if you don't trust the network you are on.
    With America wire tapping everything under the sun (And sometimes stuff not under it), you can expect to see more wide uses of encryption.

  • Manip

    AndyC wrote:
    Manip wrote:
    Uhh what? Running an encrypted site is STILL more secure than running an unencrypted site even if it uses self-sign.

    No, it really isn't. I can set up a site with a self-signed certificate claiming to be Manip. Nobody would know the difference. It completely defeats the object of certificates in the first place.

    I thought the point of SSL was to encrypt data between two end points? If you have an alternative way to do that which doesn't involve trusts then please teach us savages how.

  • AndyC

    Manip wrote:
    Plus your logic is incorrect. I use SSL to access the management system on a server I run (no money involved); University uses it to secure communications between me and my personal information (no money there) and even Channel 9 uses it to allow you to securely access the forums if you don't trust the network you are on.

    For your server, just add the certificate to your trusted certificate store. Manually distributing the certificate isn't really an issue, because you aren't going to be letting just anyone manage your server (I hope).

    For your university, ipsca provide free certificates to educational establishments.

    For Channel 9, https is frankly overkill, but if Microsoft want to pay to provide it, well that's their call.

  • AndyC

    Manip wrote:
    I thought the point of SSL was to encrypt data between two end points? If you have an alternative way to do that which doesn't involve trusts then please teach us savages how.

    I don't. That is why you use certificates.

    However, a certificate with no trust is meaningless; it doesn't prevent precisely the man-in-the-middle attacks that you want encryption for in the first place.

  • Mike Dimmick

    I doubt that Microsoft is paid much to include root authorities in Windows. You can get SSL certificates cheaper than your quoted $349 - Thawte offers 'SSL 123' at $149 per year or $259 for two years. There are cheaper providers available; I was looking at this for Exchange ActiveSync and the list of preinstalled root certificates on Windows Mobile devices is shorter than on the desktop.
     
    There are currently 108 trusted root certification authorities on my computer (although some have expired or will do so shortly); if you have fewer or a lot of expired ones, you've probably disabled the automatic root certificate update facility. To turn it on, go to Add/Remove Programs, Add/Remove Windows Components, and check 'Update Root Certificates', then click Next to install.

    If you just want to use SSL on your intranet, adding a trusted root certificate is extremely easy, if you've created your own certification authority. You just export the root certificate from the CA, copy it to the workstations and double-click. If you have Active Directory, you can use Group Policy to deploy new trusted root certificates.

    If the certificate isn't valid - expired or with the wrong server name on it - or trusted - not signed by a trusted root CA or not in a valid chain from a trusted root CA, the user's attention must be drawn to it. An invalid certificate can indicate that a man-in-the-middle attack is taking place or that the server has been spoofed. Arguably the warning in IE6 was not serious enough and I'm glad to see it strengthened in IE7. Yes, it's scary for the user. It's meant to be.

    I'm trying to persuade my employers to get a certificate from one of the preinstalled trusted root CAs for our Outlook Web Access server. For the moment it's using a self-signed certificate, which covers our own computers, but not public computers.

  • Michael Griffiths

    Scaremongering.

    Rather baseless as well.

  • Karim

    Andrei P. wrote:
    $349 is rather affordable. You don't need SSL for your blog, you normally need SSL if you're selling something (for CC details) or you retrieve other sensitive information. Selling something or storing sensitive information shouldn't be done by someone who can't afford to pay $349.

    You go to Verisign and they say you need to pay $349 for one year for an SSL cert.

    Then they say that's only 40-bit security (which is a lie) and that you don't want that (which is another lie).  To get 128-bit security, they say you need to pay $995.  If you are STUPID enough to need another $150,000 of "VeriSign NetSure Protection Warranty," your 128-bit cert will cost you $1,495.

    For one year.  For one site.  Of course, when you buy, the default is always for multiple years (best value!), so you have to manually select the one-year price.

    No word on what the clearcoat Teflon sealant and Scotchgard upholstery protector costs.

    Ask yourself what it costs to issue an SSL cert.

    I used to be a big fan of FreeSSL.  They used to give away single-root 128-bit SSL certs.  For free.  They issue them in MINUTES, unlike the DAYS it took with Verisign.

    Then they started charging a small fee.  At first I think it was $15.  $15 for what Verisign charges $995 for?  A bargain!  I'll take more!!!  Then they jacked up the price a little more... here and there... $20, then $29... then, inexplicably, $39... $49...

    Oh did they mention they're not called "FreeSSL" anymore?

    RapidSSL.com now charges $69.

    Why did RapidSSL jack up their price?

    BECAUSE THEY CAN.

    Because their main competition (Verisign) is telling people they need to spend $995 for the same damn thing.

    I'm sorry, I think $349 is a huge ripoff.   It's on the level of scam.

  • ScaleOvenStove

    Microsoft isn't making anyone pay. Yes you can secure two endpoints with SSL but without a trusted authority (Verisign, etc.) the certificates are meaningless, as noted already. Anyone can spoof their certificates to be anyone else with no verification - not very secure for end users, who might think they are buying something over a secure channel that really is some other site.

  • blowdart

    Karim wrote:
    RapidSSL.com now charges $69.

    I use instant SSL myself, same sort of price, trusted by the PC, not by the mobile.

    Problem with the simple ones, and heck, even Verisign do it, is they do not verify the owner or address; the SSL cert is just to verify the name of the computer.

    So now if you click on the SSL icon (stupid ID to move it Dave) you get a dialog telling you that the location and owner are not verified. Which will scare people. Heck, even my bank's SSL cert has that warning.

  • Manip

    ScaleOvenStove wrote:
    Microsoft isn't making anyone pay. Yes you can secure two endpoints with SSL but without a trusted authority (Verisign, etc.) the certificates are meaningless, as noted already. Anyone can spoof their certificates to be anyone else with no verification - not very secure for end users, who might think they are buying something over a secure channel that really is some other site.

    They are making every user-facing site pay actually. As you yourself just said. I tried to look up how much Microsoft charge in order to become a "Trusted Root Authority" and it isn't even listed, which means one thing... It is insanely expensive ... Millions... Billions.. Who knows.

  • BenZilla

    Misleading topic title, I thought you would be above that.

  • Karim

    AndyC wrote:
    Manip wrote:
    I thought the point of SSL was to encrypt data between two end points? If you have an alternative way to do that which doesn't involve trusts then please teach us savages how.

    I don't. That is why you use certificates.

    However, a certificate with no trust is meaningless; it doesn't prevent precisely the man-in-the-middle attacks that you want encryption for in the first place.

    I thought that a lot of remote-control management cards on servers (Dell DRAC, HP Lights-Out) used self-signed SSL certs.  Point being not to prevent a sophisticated man-in-the-middle attack, but simply to keep the username and password used to log into the card from being transmitted in the clear....

  • blowdart

    Manip wrote:
    I tried to look up how much Microsoft charge in order to become a "Trusted Root Authority" and it isn't even listed, which means one thing... It is insanely expensive ... Millions... Billions.. Who knows.

    Wow there's a straw man; I tried to look up how much Manip charges Microsoft for each post he makes on channel 9, it isn't even listed, which means one thing... It is insanely expensive ... Millions... Billions.. Who knows. They're not getting their money's worth.

  • Stephen

    That makes me sad: my CACert.org certificates are now flagged even after putting them into my 'trusted root'.
