“No I don’t think it’s the wrong cert for the wrong domain, just a limitation of SSL and certificates that makes it problematic to transfer between hosts. Gmail starts the SSL session on one, and then transfers users over to the other resulting in a cert mismatch.”

No, this is not a limitation in SSL. USUALLY a certificate is bound to a certain host (IP address). If they are not able to implement this correctly (by using gateways,load balancers, etc..), they could use multi-domain or wildcard certificates.

In any case, the end user (or the end users browser) should not be burdened with sorting these problems out. If a company cannot get SSL right (without any warnings presented to the end user), it should not use it at all.

Unfortunately, part of the discussion in this comments section degenerated into the very kind of squabbling that I was hoping to avoid, but that usually happens with mention of politics on this site.

We have a great country with an armed forces, who go to fight for our freedom wherever and whenever they are called. Our troops having been sacrificing their lives to protect Daniel’s right to say as he pleases. That’s one of the great values that we have in our country.

My comment was much more pragmatic. It appears that Dan has a point of view that he very much desires to share. I suggest that Dan create a politics section, and add liberally (no pun intended really) to his own politics blog here on RDM.

This website belongs to Daniel, claims of community participation, mutual benefit & common ownership notwithstanding. he is free to do as he pleases.

My point still is that since Daniel has a deep-seating desire to share his political views with others (it is an understandable feeling after all), that Daniel should create a political section to complement and rival his tech section. I’m certain that Dan would develop a quite loyal following for his political writing. Many would agree with his views, and others would want to disagree with Dan publicly. I’m sure the discussions would get lively. Not only with it likely be a great read, I get the impression that Dan wold thoroughly enjoy the writing.

So, instead of suggesting that Dan not express himself ( which doesn’t make sense, and wouldn’t happen anyway), I made the constructive comment that Dan should go whole hog and start a political blog on his website to complement his tech blog.

Dan would enjoy both blogs. He would get a following at both, with some overlap I imagine. Personally, I don’t enjoy having a perfectly good discussion on a tech topic being interrupted with comments about the propriety of Daniel writing about politics on a tech blog.

So, I encourage Dan to write about his political opinions. And I encourage Dan to do so in a separate political section. Not only would likely read his political entries, but I would actually appreciate his political writings more.

Anyway. Back to tech. Thanks for indulging my words. Isn’t freedom such a beautiful thing.

I think your opinion would have more weight if you actually articulated it rationally. Obama’s tax policy would dial things back to the days of Clinton, which fostered the dotcom boom and served as the longest peacetime expansion in US history. Hardly a “second rate business climate.”

As for California, you are aware we have a republican governor, right? And that when the candidates needed to find a big evangelical fundamentalist church, they went to SoCal, which is only slightly less knuckle dragging and slow thinkin’ than most of Middle America.

And if you were thinking specifically about SF, let me assure you that the only “poison stuffed into the soul of its residents daily” comes from the City’s conservative newspapers, which I assure you are all republican shill rags.

And speaking of which, not even Fox News is buying McCain’s tax policy. It reported:

“The crowds roar with approval when Obama and Biden describe their plans for a middle class tax cut and boo loudly at statistics showing how McCain’s continuation of the Bush tax cuts favor the wealthy. Of course, these are partisan Obama crowds. But it would be unwise for anyone seriously backing McCain to dismiss their full-throated roars for Obama-Biden on an issue that historically has favored the GOP nominee. [...]

Add to this the mounting evidence that McCain’s TV commercials assailing Obama’s tax policy contain serious distortions, if not out-right lies.”

When Fox calls McCain’s voice on Obama’s tax policy “serious distortions” and “out-right lies,” it makes it hard to see your viewpoint as being anything more than hysterics from tunnel-red vision due to propagandist head trauma. Maybe lay off the tube.

No I don’t think it’s the wrong cert for the wrong domain, just a limitation of SSL and certificates that makes it problematic to transfer between hosts. Gmail starts the SSL session on one, and then transfers users over to the other resulting in a cert mismatch.

And the point is that the warning is “identical to a real attack” because it is doing the same thing as an attacker would want to do: move an existing session to a new host.

So I’m not complaining that SSL warnings are too much to read, I’m pointing out that the warning mechanism isn’t enough to replace education. Users who aren’t paying enough attention to see they’re being redirected to a malicious “paypay.login.com” are not really going to benefit from being told that by an SSL warning, because they don’t see the problem, particularly if they regularly get warnings about safely moving from paypal.com to login.paypal.com for example.

My critic was arguing that SSL broadly protects users who wouldn’t otherwise know any better, but that’s just wrong, just as wrong as throwing the security burden on users with UAC.

> “I was talking about logging into MobileMe from https://www.me.com. With the above problem it appears the domain wasn’t updated by Apple. Seems sloppy, unprefessional. Yep, its not a huge problem bu gives ammo for pundits who don’t know any better…

> I’m interested in how you can state “Apple did not misconfigure its web services at all” for sure…?”

Apple didn’t misconfigure MobileMe and I don’t know where you even got that idea, apart from wishing it to be true. There was never an issue related to cert warnings on MM’s SSL because it never occurred. The only SSL warning (noted above in my article) came from users who had set up SSL certs with .Mac email in Mail, and then tried to connect to me.com. The SSL cert worked as expected, and users got a warning that SSL is designed to give.

Again, the point is that SSL warnings only help users who already know everything and don’t do anything to protect users who don’t fully understand the rather complex concepts of cert / web security.

“when I’m sending and receiving it, I’m more concerned about making sure people around me don’t know the contents of my mails And an sssl connection locally would prevent that. (ie, ssl to MobileMe.)”

Yes, its a nice idea, but you’re failing to get that what I addressed is SSL authentication. Without secure authentication, encryption is meaningless. Do you think you’re automatically secure just because your encrypted information is preventing people at Starbucks from looking at your email text? Well have you considered that, if your SSL authentication security fails and you are redirected without realizing it and get a cert warning you OK without thinking, you’re now going to be setting up and sending “encrypted” data with your attacker, without realizing that you’re totally hosed?

That’s exactly what I’m addressing. Security is not about tacking on a buzzword. It’s about engineering. You can say you understand the idea of encryption, but if you don’t know who your encryption is going to (authentication), or that a “hacker” can set up encryption with you and decrypt what you send them (authentication failure), then you’re not really in a position to say what you “need,” because you don’t know.

It’s easy to make uninformed demands. I didn’t write the articles to insist that Apple shouldn’t be criticized, I wrote them to inform users so they aren’t making uninformed demands based on faulty information that only delivers half of the story.

Thats because they’re using the wrong cert for the wrong domain. It is little work to generate and implement the correct certs for each domain. Its not a warning identical to real “attack” its just a warning that the website your visiting is misconfigured.

“So while you try to spin things by saying essentially that ‘GMail is in beta and can’t be expected to be configured correctly’ and ‘MobileMe is full of problems,’ the truth is that Google failed to consider the consequences of providing a gmail cert for (apparently) google.com/gmail and redirecting users to mail.google.com, added to the fact that Chrome threw up a warning in error.”

All web browsers (including Firefox and Safari) will give the same mismatch warnings. What would you prefer…? That browsers charge on ignoring config errors and the potential security problems it could indicate. Someone has screwed with your dns so that you use https://www.myWebMail.com you get a “self-signed” cert error. Since you don’t want to know about these errors the browser ignores them, And Dr Evil has your mail login details.

“Apple did not misconfigure its web services at all. The cert warning was only presented to Mail users who had set up .Mac mail using the .Mac server names. Apple changed these to me.com, so while both work, earlier setups present a fairly straightforward warning that makes sense. It has nothing to do with Apple’s MobileMe web site and Akamai caching.”

I was talking about logging into MobileMe from https://www.me.com. With the above problem it appears the domain wasn’t updated by Apple. Seems sloppy, unprefessional. Yep, its not a huge problem bu gives ammo for pundits who don’t know any better…

I’m interested in how you can state “Apple did not misconfigure its web services at all” for sure…?

“And one again: the point is that SSL can only provide security warnings when things appear wrong. Since there are lots of opportunities for things to appear wrong among few actual threats, this creates a fear cloud that does little to address the problem for actual users, and instead just complicates things.”

So how would a browser know when something is actually wrong, and you’re underattack, compared to a cert misconfuration…? This is why it is a good idea to have the correct certs to your domains. It removes the number of false positives. I’d point out the ssl system shows you when things are going fine by indicating through different coloured address bars and icons that the certs check out.

“Should Apple add additional SSL encryption to MobileMe? That’s not the issue here, and there may be better alternatives from a performance standpoint. The real question is: would having added SSL as pundits demanded have prevented real security problems in the way they insisted (an argument that revolved around authentication), or would it have mostly just slowed things down while offering little effective security related to authentication?”

Yep, Email is an inherently insecure communication medium. But when I’m sending and receiving it, I’m more concerned about making sure people around me don’t know the contents of my mails. And an sssl connection locally would prevent that. (ie, ssl to MobileMe.)

Didn’t mean to imply public forum in that sense in my earlier response to those asking you to separate politics from tech. I was referring to your blog’s comments system (note: I don’t really consider this site a “blog”).

Like at AppleInsider, every editor’s article has an associated forum thread for questions, which are viewable to any reader. Hope that makes sense, but it’s obvious to me now how my description could be easily misunderstood.

The comments weren’t intended to correct popular belief, but to address the criticism that I encountered when pointing out that SSL is not a security panacea. After encryption, which is an obvious benefit, critics marched out authentication, man-in-the-middle attacks, and DNS poisoning as reasons why MobileMe failed their security baseline.

What I’m pointing out is that attaching a buzzword solution is not a security solution if that buzzword fails to work as expected. Throwing up panicked warnings is not the same as addressing problems.

That in itself warrants a comparison with US politics, where the NeoCon extremist right has pursued a policy of domestic terrorism to counter a threat that is less likely to occur than the pain it adds. Obama’s comment on solving that issue through education rather than more DHS big government spending is therefore quite relevant.

Also, this isn’t a public forum, it’s my website. There’s comments below what I write because I’m not afraid to hear criticism or correction from readers. So I welcome critique, but if you have a bone to pick, please provide more meat than just insisting that wide topics are taboo and must never be mentioned.

Politics is social engineering, and the decisions and tradeoffs and marketing involved are all very similar to the world of tech.

@ Joel “Maybe I’m missing something huge here, but why is this a problem…?”

Google’s issue was that Chrome was not “aware” of the domains in use by the Gmail service, but most importantly, that it presented a domain mismatch that highlights the fragility of using SSL for authentication. If you call your web hosts various different things, you will present a high alert warning identical to a real attack, creating panic that waters out the point of SSL warnings.

In Apple’s case, it actually changed its domain for .Mac users. Anyone subscribing to MobileMe wouldn’t see this, only .Mac users who realized they were being redirected from mac.com to me.com

So while you try to spin things by saying essentially that ‘GMail is in beta and can’t be expected to be configured correctly’ and ‘MobileMe is full of problems,’ the truth is that Google failed to consider the consequences of providing a gmail cert for (apparently) google.com/gmail and redirecting users to mail.google.com, added to the fact that Chrome threw up a warning in error.

Apple did not misconfigure its web services at all. The cert warning was only presented to Mail users who had set up .Mac mail using the .Mac server names. Apple changed these to me.com, so while both work, earlier setups present a fairly straightforward warning that makes sense. It has nothing to do with Apple’s MobileMe web site and Akamai caching.

And one again: the point is that SSL can only provide security warnings when things appear wrong. Since there are lots of opportunities for things to appear wrong among few actual threats, this creates a fear cloud that does little to address the problem for actual users, and instead just complicates things.

Should Apple add additional SSL encryption to MobileMe? That’s not the issue here, and there may be better alternatives from a performance standpoint. The real question is: would having added SSL as pundits demanded have prevented real security problems in the way they insisted (an argument that revolved around authentication), or would it have mostly just slowed things down while offering little effective security related to authentication?

You do realize you’ve undermined your own point by throwing your politics into this public forum, right? The difference between you and Dan is more than political, though you demonstrated holding some anti-American sentiments trying to discourage his right to speak his mind on…his website.

eR_ror err_Or – coDe #1984: diFFEriNg of opInioNS is prØHIbiTed!¡ ¬∆˙ƒ˙©†®ƒ∂∂®¥†®¥‡°flfi‹fiflfi›‰Í˛π“º†/

havE a NI_nI_nI_ce DaaaAaAaaaay

Lose the liberal swill. No-one reads your excellent technical analysis to get to a video of a man whose tax and business policies will signlehandedly turn America into a protectionist second rate business climate. I understand you are from CA where liberalism is a poison stuffed into the soul of it’s residents daily but get over it and focus on technology.