Packetizer

Paul E. Jones' Blog

Microsoft Office 2013: Licensing from Hell

March 4, 2013

I upgrade to the latest version of Microsoft Office every time a new version is released. While some feel that Office has more features than anyone needs, I spend much of my time working in Office and have always appreciated the new enhancements and features that came with each new Office release.

Unfortunately, Office 2013 brings with it such insane licensing agreements that I cannot buy it. I do not have any reasonable options. There are basically four options I could consider, but each one presents a roadblock.

Option 1 – Office 2013 Professional

This is more-or-less the same product I have purchased from Microsoft with every product update. In the past, I could install that on my primary desktop and I could install it on my laptop. I could use it for work-related activities or personal stuff. If I bought a new machine, I could uninstall it from my old machine and install it on my new machine. The Office 2013 Professional license agreement forbids that. It says that the software is licensed for a single computer and that “you may not transfer the software to another computer or user.” You are not allowed to install a second copy on a laptop, either. Honestly, I don’t care about the desktop and laptop installs. However, I do buy new computers from time-to-time and if I buy a new one, I don’t want to be in a situation where I cannot install Office. And, that’s exactly what it says. I cannot do that. Just imagine spending $400 on new software tomorrow and the next day your computer breaks. You’re out of luck. You lose your computer and your $400 for Office.

Option 2 – Office 365 Home Premium

This is Microsoft’s new subscription service. You basically get everything in the $400 Office Professional version, except it’s a subscription service. With the service, you get updates at no charge as long as you maintain the subscription. The cost is $100/year, which is a reasonable price as compared to the Office Professional 2013. Further, you have the right to install and use Office on up to 5 different computers. You can even use it on Mac or Windows. Boy, for those looking for an opportunity to escape Windows for a Mac, this is the ticket.

Unfortunately, this option has a major problem: it’s licensed for home use only. You are not allowed, per the license agreement, to use it for business. It states that Home Premium is for home use. So, if I use this for business? It is rather explicit about saying it is for “Home” and “Non-Commercial Use”. So, what if I author a document for work using it? Apparently, that’s not acceptable. My wife owns a business where she needs to use Office about 10% of the time, whereas the other 90% is personal. Well, that’s not permitted, either. Both of those activities would be classifies as commercial use. So, Option #2 is out.

Option 3 – Office 365 Small Business Premium

This option allows one to buy Office for use in business. Oh, but this one is explicitly listed as a product for business use only. I assume that is the case, because this page says “for business use” under the “Which Office products are available for home and business?” drop-down. Further, if you try to sign up, it wants your business name and email. But, I don’t want something exclusively for business. This is sometimes used at home and sometimes I use it for work. So, this one is out.

Option 4 – Office Home & Business 2013

This one is like Office 2013 Professional, except it is missing Publisher. I want Publisher! So, I buy this and don’t get Publisher? I guess so, but it has a lower price, too. I guess I could buy Publisher separately. The problem is that, like Office 2013 Professional, it is tied to a single computer. You spend the $220 they are asking for the product, but have the risk that if the computer dies, your $220 goes out the window. No thanks.

Conclusion

Microsoft has successfully created a licensing scheme that is so messed up that I have no upgrade path. Congratulations, Microsoft. I’ll keep using Office 2010, as I have no viable, legal alternative. In the meantime, I’ll have to invest a little time evaluating alternatives. There is Kingsoft, WordPerfect, and LibreOffice. Others?

UPDATE: It appears that Microsoft heard this complaint from too many customers, as they have made a sane step toward licensing. It is now permissible to transfer purchased copies of Office from one machine to another, if you wish.

Permalink: Microsoft Office 2013: Licensing from Hell

Resetting Directory and File Masks on Synology NAS

December 9, 2012

If you have a Synology NAS and you mount those file systems on Linux, you see something horrible. Synology always sets the directory and file creation masks to 0777, so all files and directories are readable and writable by everybody else on the Linux machine. It works fine on Windows since access to files is controlled by the Samba software.

If you're like me, though, you want a little more control. This Perl script, when run on a Synology NAS server running DSM 4.1, will add the desired config lines to the smb.conf file. Put is over in /usr/local/bin/modify_samba_config (make sure root can execute this program).

NOTE:DSM 5 and DSM 6 changes a few things. See the notes at the bottom.

#!/usr/bin/perl
#
# Modify the smb.conf file on the Synology disk station
#

# Location of the smb.conf and temp files
$smb_file = "/usr/syno/etc/smb.conf";
$tmp_file = "/tmp/mod_smb_cfg.$$";

# Below are the names of the shares and to the right
# are the config lines to introduce
%share_config =
(
    'archive'            => [
                                  "directory mask = 0755",
                                  "create mask = 0644"
                            ],
    'music'              => [
                                  "directory mask = 0755",
                                  "create mask = 0644"
                            ],
    'pictures'           => [
                                  "directory mask = 0755",
                                  "create mask = 0644"
                            ],
    'public'             => [
                                  "directory mask = 0775",
                                  "create mask = 0664"
                            ]
);

#
# SameOption
#
# This function will check to see if the option names are the same
#
sub SameOption
{
    my (@options) = @_;

    my ($i);

    if ($#options != 1)
    {
        return 0;
    }

    # Normalize values
    for ($i=0; $i<=1; $i++)
    {
        $options[$i] =~ s/=.*//;          # Remove everything after =
        $options[$i] =~ s/^\s+//;         # Remove all leading whitespace
        $options[$i] =~ s/\s$//;          # Remove all trailing whitespace
        1 while $options[$i] =~ s/  / /g; # Remove excess spaces
    }

    if (($options[0] eq $options[1]) && (length($options[0]) > 0))
    {
        return 1;
    }
    else
    {
        return 0;
    }
}

#
# MAIN
#
# The following is the main logic of the program
#

# Read the old config, make changes, writing to a temp file
open(SMBFILE, "< $smb_file") || exit;
open(TMPFILE, "> $tmp_file") || exit;

while(<SMBFILE>)
{
    # We will assume the current line will be printed
    $print_line = 1;

    # This logic will remove lines from the existing config that are
    # added via the $share_config array
    if ((!/^\[/) && (length($section_name) > 0))
    {
        $tline = $_;
        chomp($tline);

        foreach $line ( @{ $share_config{"$section_name"} } )
        {
            # Is the current config option in our
            if (SameOption($tline, $line))
            {
                $print_line = 0;
                last;
            }
        }
    }
    if ($print_line)
    {
        print TMPFILE;
    }
    next unless /^\[/;

    # Add configuration lines as specified in "share_config"
    chomp($section_name = $_);
    $section_name =~ s/^\[//;
    $section_name =~ s/\].*//;
    foreach $line ( @{ $share_config{"$section_name"} } )
    {
        print TMPFILE "\t$line\n";
    }
}

close(SMBFILE);
close(TMPFILE);

# Read the temp file in and replace the original config file
open(TMPFILE, "< $tmp_file") || exit;
open(SMBFILE, "> $smb_file") || exit;

while(<TMPFILE>)
{
    print SMBFILE;
}

close(TMPFILE);
close(SMBFILE);

# Get rid of the temp file
unlink($tmp_file);

You can modify the config lines, adding or removing whatever you wish. The "keys" in that hash (e.g., "archive" and "private") are the names of the Samba shares created on your Synology box. You'll need to assign those appropriately. You can have different additions per "share" to customize whatever you wish. (Note that if Synology already has a config line like what you introduce, your config line might be ignored. I've not tested what happens if there are two conflicting config lines.)

Now, you want this script to run before Samba starts. I tried adding it to rc.local, but the synology box loads services like Samba in the background, so there is a risk of a race condition and things not working right.

What I decided to do was create a "service" that the Synology box calls before it starts Samba, but after it has re-built the config (which it does every time the machine boots). I created a script in /usr/syno/etc/rc.d/S80alt_samba_config.sh. The Samba service is S80samba.sh, so this script will get called first (alphabetical sorting).

#!/bin/sh

if [ $# -eq 0 ]; then
        action=status
else
        action=$1
fi

# dispatch actions
case $action in
        start)
                /usr/local/bin/modify_samba_config
                ;;
        *)
                # Do nothing with any other command
                ;;
esac

That's it! Now, if you reboot the NAS server, you should get the permissions in Samba as you wanted.

DISCLAIMER: This is not a technique you should try if you're not familiar with Linux system administration. I cannot help you if you break your NAS server. Carefully review the code and test it before using it.

UPDATE: It appears that each time you install an update of the DSM software, the /usr/syno/etc/rc.d directory gets replaced. So, you'll have to put the "80alt_samba_config.sh" script back on place each time. The /usr/local/bin/ directory appears to remain untouched.

UPDATE: With DSM 5, I think it was, the name of the rc.d script had to change to S02smbfix.sh in order to run at the proper time.

UPDATE: With DSM 6, Synology moved things around. The smb.conf file is now in /etc/samba/. So, the line that says '$smb_file = "/usr/syno/etc/smb.conf";' needs to change to '$smb_file = "/etc/samba/smb.conf";'. Also, the rc.d directory changed. It appears that placing the script "S02smbfix.sh" into /usr/local/etc/rc.d will work.

Permalink: Resetting Directory and File Masks on Synology NAS

Intel's Next Unit of Computing

December 2, 2012

Intel released a really cool new device called the Next Unit of Computing. It's a small 4x4x2" box that packs the power of an Intel Core i3 processor. It has three USB ports, two HDMI ports, a gigabit Ethernet port, and consumes very little power as compared to normal a desktop machine.

It's designed to be mounted right on the back of a display using the supplied VESA mounting bracket, turning any display device into a computer.

It was not made for the technically challenged, though. At the same time, one does not have to be a hardware expert, either. It is sold as a kit, and one has to buy the memory and storage separately. While that was expected, what was not expected is the fact that the kit is shipped without a power cord to go from the power brick to the wall. I had to make a run to the local CompUSA to get one of those.

It uses an mSATA drive for storage and can hold up to 16GB of DDR3 RAM.

I purchased a 128GB mSATA drive and 4GB of RAM for mine. Total cost was about $440 for the NUC, storage, RAM, and power cord.

I've only had it running a few hours, but this thing is awesome. I installed Linux on it and replaced one of my aging Linux machines. I use Linux machines in my house to provide various network services, including DHCP, TFTP, and DNS, and use the devices when writing software on Linux, including AES Crypt. These devices also handle storage functions for me, allowing me to back up data to Amazon S3.

I don't have a monitor or keyboard connected to the box. It's just a tiny little box connected to the network that I access via SSH that serves a useful purpose for me and my family.

Another great feature with this device is that it consumes far less power than the desktop it is replacing. The desktop I was using was not a monster machine: just a low-end Dell Dimension. Even so, I could tell from the display on my UPS that the box consumes far less power.

So, I save space in the house, the machine runs way faster (since it's solid date vs. traditional hard drives), and save energy. What's not to like? Very cool box.

Permalink: Intel's Next Unit of Computing

Frustrating Customer Service Agent at AT&T

November 30, 2012

On October 8, 2012 I went to my local AT&T store to get a prepaid SIM card. I just needed an extra phone for about 4 months with just voice service. The representative at the store suggested that I just add a line to my current monthly plan, since I'd probably save money that way. He said he'll waive the activation fee and the contract period for the new line. So, rather than paying for $25/mo for the prepaid card, I could pay just $10/mo using my existing plan (plus taxes, 911 fees, etc.) In all, I could probably save 50% that way. He made a kind offer to do that, but likely because I've been a customer of AT&T a long time.

He printed out the service summary sheet and marked through the things that were waived. You can see that below.

Though this was the agreement we had, I was charged the activation fee on my bill this past month. Oh, well. Mistakes happen, right? So, I called AT&T to get it corrected.

The lady was absolutely horrible. I don't think she necessarily believed me, speaking down to me as if I was a peasant. She really had a condescending tone to her voice. She told me, "We'll waive the fee this one time, but we'll put a note on your account and if you add another line, we will not waive the fee again." So, now she's is doing me a favor? Or was this a threat? I can't tell which. Between the tone of voice, suggestion she's doing me a favor "this one time", and the threat that AT&T will never extend an offer to waive an activation fee again, I got mad.

Sometimes, I really, really hate AT&T. Working in the communications business, I have a number of friends who work for AT&T and I've worked with their engineers on projects. The company has many good people, but representatives like this battle ax are what frustrate customers and drive them elsewhere.

Permalink: Frustrating Customer Service Agent at AT&T

Dell has a "Dismal" Third Quarter

November 16, 2012

One of my favorite companies is Dell. I’ve been using Dell computers now about 20 years and love the computers Dell makes. Unfortunately, my love for Dell certainly did not translate into enough money to help the company this quarter. For that matter, I can safely report that not one penny of my money went to help the company this quarter. However, I did buy some nice tablets! They just were not Dell brand devices.

For its part, Dell still has a solid business. Even so, it is seeing sales decline and it’s not only because we are in a “post-PC”era. Dell seems to be ignoring its non-enterprise customers entirely. Briefly, Dell has issues in a number of areas:

  • The order system is not very flexible and it is virtually impossible to customize machines
  • The order system does not provide accurate descriptions for some options it does offer
  • I cannot figure out how to order physical media for Windows!
  • Customer support people are clueless or just read scripts
  • Dell has no cool laptops to rival the Macbook Air or Asus Zenbook

While the enterprise customers make up a large percentage of Dell’s revenue, I assume, I also know many, many people who buy machines for use at home and have some influence over the purchase of machines in SMBs.

For its part, Dell has tried to bring some innovative tablets to the market and they now have an ultrabook. Still, they apparently cannot match the engineering of Asus and Apple in terms of building some really thin machines that look really good.

I really do wish Dell the best of luck. I like the company. It still makes good computers. However, when I can go to Best Buy (yuck!) and get a machine that looks better and has more-or-less the same configuration, that means Dell has dropped the ball. Dell, I bought my last laptop at Office Depot! Why was I forced to buy my laptop off-the-shelf at Best Buy? Your quarterly results do reflect your inability to execute in areas that matter.

Permalink: Dell has a "Dismal" Third Quarter

Buckyballs to be Discontinued

October 31, 2012

That was the email I received today from Buckyballs. I suppose they sent that message to me since I have purchased products from them before. This is truly sad for a number of reasons.

And, in case you are not familiar with what Buckyballs are, they are magnetic desk toys. Basically, they're a bunch of little high-powered magnets in the shape of little balls about 5 millimeters across. They are designed to be a desk toy much like many of the other geeky toys many of us engineers tend to buy and have sitting around our offices. The difference with these, though, is that they are high-powered magnets and, if swallowed, they can cause serious internal injury and require surgery. Because of that, Buckyballs labels their products with some very strong warnings. They tell you not to put them in your nose or mouth or to swallow them. I think there are about five such warnings on their packages, including the outside package and the container they provide to house the balls.

Even though these warnings exist and in spite of the fact that these desk toys are not marketed to children, the US Consumer Product Safety Commission decided in its infinite wisdom to force the company to stop selling the products. However, the reason I felt compelled to blog about this was the way they went about it. Buckyballs had been working with the CPSC to do whatever they could to address concerns. But, the CSPC really did not care to work with them. They had already made up their minds and within about 4 hours after Buckyballs submitted a safety plan at the request of the Commission, the Commission sent out a notice that they were suing the company and they reached out to retailers to urge them to stop selling the “dangerous” product. And, nearly every retailer complied.

Buckyballs had this to say:

In 2010, The Consumer Product Safety Commission approved the safety program we currently have in place. Now, after more than two years, they're saying our extensive measures aren't enough and we should be put out of business. Out of more than half a billion magnets sold, the CPSC reports less than two-dozen incidents with our products. While even one incident is too many, we stand by our comprehensive safety program and believe responsible adults should still be able to enjoy Buckyballs® and Buckycubes™.

With their sales channels effectively shut down, the looming threat of legal action, etc., Buckyballs decided to stop selling the magnetic balls and cubes at the center of the CPSC’s complaint. What this will likely mean for the company is that it will go out of business. This was, after all, their primary product. Without it, their revenue stream is gone. We can thank the Commission for putting those people on the street.

And while product safety is important, I personally feel the Commission went too far on this one. There are many hazardous things that can hurt children. Out of the billions of products sold, a few incidents are truly a low percentage. Most importantly, it does not reflect a flaw in the product. Rather, it demonstrates that the purchasers were irresponsible. Children get hurt seriously every year from all kinds of things that adults should keep out of the reach of children.

To think a company can be put out of business at the hand of a 4-person panel without the due process of law is hardly the American way.

Permalink: Buckyballs to be Discontinued

Verisign's Hashlinks

September 13, 2012

I received an email from one of my domain registrars advertising with great fanfare a new "service" from Verisign called "Domain Hashlink". I don't know exactly how they expect to make money with this, but they said this about the service:

A new navigation tool from Verisign that lets you replace long and difficult-to-remember URLs with shorter, more consumer-friendly vanity URLs; e.g. example.com#keyword

They call it a tool, but also call it a service. They even have retailers who will sell the service! I get the idea of having something like "keywords" to take visitors to specific pages on your own site, but to call this a service and have people selling it? Who would pay for this?

It took me just a very few minutes to get this working:

http://www.packetizer.com#h323

There is a very small JavaScript program I wrote called hashlink.js. This queries the server to see if there is a link that matches a known value. If it matches, the page is replaced with the associated URL.

I'm not even sure why Verisign wants to use the hash character. This character has a specific purpose in URLs, and this is really not within the spirit of the original purpose.

It also seems somewhat unreliable. The JavaScript code only runs when the page is initially loaded. I noted in Chrome that if I load a page without using a HashLink and then add one, Chrome will not reload or execute the JavaScript code. If I hit refresh it will.

So in replicating the "service", what I did was create something very similar that uses the @ character. Here's an example:

http://www.packetizer.com/@h323

This is much more reliable, because this always results in a redirection or a 404. You cannot return a 404 when using the hash character, because there might actually be something in the web page itself that needs that hash. Besides, what would one return in a 404? Suggest the main page is not found? That's horrific.

As I said, the HashLink idea is a bit odd and does not work perfectly well. I wish they had used something like the "@" approach. Any number of characters would have worked.

Permalink: Verisign's Hashlinks

Basis for Apple vs. Samsung Decision

August 27, 2012

This past week, a jury of nine people convicted Samsung of infringing the patents of Apple. There were a number of patents that Apple claimed were infringed. Per CNET, the devices and patents were numerous. In a nutshell:

  • ‘381: “rubber band” effect when reaching the bottom of a document (“look and feel”)
  • ‘915: ability to differentiate between single-touch and multi-touch, just like Microsoft’s older surface computing table (how Apple got this patent in the face of prior art, I do not know) (“look and feel”)
  • ‘163: double tap on screen to enlarge and center portions of the screen (“look and feel”)
  • D ‘677: related to the front face of the iPhone (“design”)
  • D ‘087: related to the general outline (“design”)
  • D ‘305: the icon arrangement in a grid with round corners (“look and feel”), like the Palm Pilot, Windows Mobile, and Apple Newton from years ago

It is impossible for me to say which of these “inventions” are truly inventions. That said, I largely do not agree with “look and feel” patents. Often, “look and feel” is a matter of current fashion. It’s what’s in vogue. I certainly feel that way about icon arrangement and the look of icons, scrolling, etc.

The “rubber band” effect is an interesting effect, but that’s what it is: an effect. It is not an invention, really. Computer graphics students have for years been creating programs with bouncing balls and such that behave in a similar way. So what was “invented” was not the bouncing effect, but the application of that effect to scrolling. So is that an invention?

I think similar arguments can be made for most, if not all of these patents. Apple has truly created a revolutionary platform, but what was revolutionary was bringing together a powerful operating system, applications, and an app store, all while making it as simple to use as possible. Apple did not create the first mobile phone. Apple did not create most of the graphical user interface elements and concepts. Apple did not create the first operating system, and certainly not the first powerful mobile operating system. What Apple did was package it well and market it extremely well.

One has to wonder whether these user interface and design patents are even valid. Consider where the U.S. patent system originated. It came about due to Article I §8 of the U.S. Constitution which says, “Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Exactly where does a user interface design fit into writings or discoveries? I would agree with a design patent that describes the process of creating a particular kind of material or shape through a complex manufacturing process, the process for which had to be discovered through scientific research. However, a “rubber band” effect, icon arrangement, and aluminum edge around a glass screen hardly falls into that category.

Exactly how does the patent system that allows for such patents in any way “promote the progress of science or useful arts”? The answer is that it does not.

Apple’s bold entrance into the mobile communication space has significantly impacted the market and I applaud them for leading the revolution. At the same time, awarding these kinds of patents to Apple does not help to “promote the progress of science”. Rather, it serves just the opposite. Apple did not need those patents to become the wealthiest company in the world. However, it can use those patents to prevent anyone else from attempting to create competitive products. In so doing, it is the consumers – the public – that suffers. We want Apple to continue to innovate and we want Samsung and others to push the envelope. That is how technology progresses in all industries.

In any case, it is very interesting to see how the basic concepts of promoting science and useful arts has mushroomed into the complex copyright and patent system we have today. Now, we have cartoon characters like Mickey Mouse protected for some 70 years beyond the death of the inventor, copyright assigned to things other than writing or useful arts (the latter including music and movies), and patents awarded on the arrangement of icons in a grid pattern.

Permalink: Basis for Apple vs. Samsung Decision

Amazon "Add-Ons" are Idiotic

August 26, 2012

Perhaps the title is a bit strong, but I was frustrated when trying to order an item on Amazon tonight only to be greeted with a message that the item I wanted to order was an "add-on" item and that Amazon would not ship that item unless I ordered at least $25.

What are "add-on" items? They are items that, per Amazon, "would be cost-prohibitive to ship on their own". For those who are not Amazon Prime members and normally pay for shipping on items, these "add-on" items cannot be ordered separately, but will ship for free with your $25 or more order. Sounds good? Perhaps, except that you cannot even pay Amazon whatever the "cost-prohibitive" amount to ship it. Amazon simply will not sell those items by themselves, unless you buy $25 worth of the "add-on" items or something that cost $25 total.

What about Amazon Prime members? For those who do not know what Amazon Prime is, "Amazon Prime is a membership program that gives you and your family unlimited fast shipping, such as FREE Two-Day shipping to street addresses in the contiguous U.S. on all eligible purchases for an annual membership fee". But what are "eligible purchases"? Those are:

  • Millions of items sold by Amazon.com
  • Over 100,000 eligible items on AmazonSupply.com
  • Many items that are fulfilled by Amazon

It's a great program, but what are the items that are not eligible? Well, Amazon lists those and they are:

  • Items fulfilled by Amazon Marketplace sellers
  • Magazine subscriptions
  • Personalized gift cards
  • Any item that doesn't have a message indicating that it's eligible for Prime on its product page

I visited Amazon today to purchase a short HDMI cable. I had purchased this same cable a couple of years ago. It was Prime Eligible then. Now, though, Amazon will not let me buy just the 0.9 meter cable for $4.99, because it's classified as an "add-on". I can't offer to pay for shipping, either. Amazon also tells me "FREE Two-Day Shipping for Prime members when buying this Add-on Item", but that's of no comfort since I cannot order it.

Just to show how dumb Amazon's "add-on" item idea is, while I cannot order the 0.9 meter cable for $4.99, I can order the 6 meter cable for $5.49 and get free 2-day shipping. Amazon: I'd gladly pay the extra 50 cents and get the shorter cable!

I appreciate the fact that some items might cost more to ship than Amazon would earn, but to offer absolutely no option to pay the cost it would take to get it out of the "cost-prohibitive" bucket is silly.

Is Amazon losing its touch?

Permalink: Amazon "Add-Ons" are Idiotic

DNSSEC Paves the Way for Better TLS Security

August 20, 2012

Everyone is familiar with the padlock that appears on the address bar in the web browser indicating that the communication session is secure. However, few people understand the technology behind that padlock, namely the Transport Layer Security protocol (TLS), or what a digital certificate is. It is those digital certificates that is the subject of this blog post.

For years, a small group of companies have served in the capacity of Certificate Authorities (CAs). The companies, along with makes of web browser, form the Certificate Authority / Browser Forum. It’s a fairly exclusive club, really. They purposely limit the number of certificate authorities so as to ensure that the price people pay for digital certificates is at a price that allows them to make money. Oh, and of course, to provide “trust” in some way. Gaining membership into this exclusive club is hard. Suppose you want to establish a new business to be a root certificate authority. In order to do that, you must “actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers”, as in you must be in the business already. It’s a bit of a chicken and egg problem. One cannot actively issue certificates if the web browser makers do not “trust” you and you cannot gain their trust unless you are a root certificate authority.

Not only is the CA/Browser Forum mostly a club that tightly controls who can trust whom on the Internet, largely for the financial benefit of the members of the Forum, the whole system is, in fact, flawed. If you visit a web site that claims it is secure, can you really trust the certificate presented? The fact is, there has been more than one casewhere a digital certificate was issued by a certificate authority in error. How can this happen? It’s possible because, until recently, DNS has had no security applied in practice, for one. Second, people are able to get into corporate email accounts. Anyone can create create a public/private key pair for the certificate. A hacker just needs to trick a certificate authority into signing it. Usually, this requires only that the person verify that they own an email address at the domain, usually one of the few the certificate authority believes to be an administrative address.

Now that DNSSEC is here, a better way exists to secure browser communication or other communication that utilizes TLS. Rather than create a certificate and have it signed by a certificate authority, a domain owner can create a certificate and place a signature of that certificate into the domain’s DNS. Since all DNS records are signed by the domain owner and DS records created by the domain owner are inserted into the registrar’s DNS servers, it is possible to trust those records. RFC 6698 defines precisely how to do that. Essentially, one creates a self-signed certificate and inserts a signature of that certificate in DNS as a TLSA record. For example, suppose one creates a certificate for www.example.com on port 443 (standard TLS port) and wishes that to be trusted by browsers. One would create a signature of that certificate and insert a TLSA record like this:

_443._tcp.www.example.com. IN TLSA 1 1 \
    C3E2885170FB937E45FCE92CCEE01904A3EE3248156FCD7B945F38994A1F9496

It will take a few years before browsers and other TLS clients start using DNSSEC and TLSA records, but the technology now exists. This is significantly more secure than today’s certificates, since domain owners are in complete control of certificates. No longer is there a risk of a certificate authority issuing a bogus certificate. Domain owners can easily cancel certificates by simply removing the associated TLSA records in DNS.

Permalink: DNSSEC Paves the Way for Better TLS Security

Page 1 [2] 3 4 5 6

Paul E. Jones

About Me
My Blog ATOM Feed
Email Me
IM Me

Certified ScrumMaster®