OVH Community, your new community space.

the "Net Secure" authentication and encryption


Ashley
16-04-2010, 11:45
They can't eavesdrop unsigned SSL certificates though, such as SSH connections and tunneling.

antdgar
09-04-2010, 15:08
SSL can now be circumvented by governments.

They can compel a certificate authority to issue an intermediary certificate. Then with hardware they can eavesdrop on SSL.

What do we do now?

oles@ovh.net
02-04-2010, 14:12
Hello,

If you did not believe our announcement on 1 April, you were wrong not to dream.

Our announcement is only 20% an April Fool's joke ... or 30%. We do not block HTTP or POP3 ports ... whatsoever ... TELNET is OK dead, no? In short, we will be able to give you all the details of which the database is "done" ...

In any case, at OVH, you find a good domain name with national ecofax and class 1 SSL for €5.99 ex. VAT / year all included and those who already have a domain name at OVH may well require these services and more for free ...

the movement is well underway ... it will be good for hosting ... but it will take some years ... and not the snap of fingers ...

Regarding VDSL2, for technical issues this standard is prohibited in France. Indeed, the rates of VDSL2 in Mbps are approximately 20 times higher than ADSL because the signal is much stronger than that of ADSL2. This signal is so strong that ADSL is disrupted too much and no longer works. Basically, VDSL puts down ADSL, and therefore it is either ADSL or VDSL.

For France, ARCEP chose ADSL, presumably to protect the investments of telecom operators who have deployed their networks in the NRA with all the ADSL DSLAMs and all the ADSL boxes. With VDSL, all of that would have to be thrown in the garbage. Not cool. Instead, operators must invest in ... fiber optics. Will they do it? And why? To offer essentially the same thing they could have with VDSL2 ... Not cool and not logical either.

On VDSL2 you can have a symmetrical 34Mbps/34Mbps or asymmetrical 10Mbps/100Mbps on a single copper wire, which you have today on fibre optic if you're lucky enough to live in the right place at the right time. We can therefore conclude that in France in 50 years everyone will have the equivalent rates that they can have already in Germany or Belgium. It is true that for the market of individuals who watch TV at night on the box, the benefits of these connections are reduced. Why have many Mbps? On the other hand, this decision will impact the growth of companies in France, who will pay significantly more than elsewhere in Europe for essentially the same service. This is not just a problem of technological backwardness but of the competitiveness and performance of the country vis-à-vis its neighbors in Europe. France has chosen. We will not fight. OVH will still offer performance and attractive prices to companies based on standards that were validated by ARCEP. The tests have been validated in the lab and will be validated in production within a few months ... Roubaix Valley ... So the time of massive local loop unbundling will commence ... yeah we're going to laugh ... yeah ... what's the point of life if you can't laugh when you're doing well ... so, we hope that many of you will laugh with us on this new project

All the best,
Octave

Ashley
01-04-2010, 18:25
Quote Originally Posted by Myatu
Not to mention that it still gives invalid SSL certificate messages in Opera
I switched to Opera recently from Firefox (Dragonfly is awesome!) and yeah, errors for me too!

Myatu
01-04-2010, 17:00
Quote Originally Posted by gregoryfenton
If this is a poisson d'Avril joke it has been a long time in the making..
02-19-2010, 12:22 PM
Not to mention that it still gives invalid SSL certificate messages in Opera

gregoryfenton
01-04-2010, 16:26
If this is a poisson d'Avril joke it has been a long time in the making..
02-19-2010, 12:22 PM
Quote Originally Posted by oles@ovh.net
Hello,

Today we test SSL Certificates.

Do you have an error on this URL ?

http://test.ovh.com/

If yes, you interest me. Can you send me an email at oles@ovh.net with the subject "bug ssl" and the type of your browser?

If you do not, it is "normal". We seek those who may have the error ... and why ...

Thanks in advance !

All the best,
Octave

unclebob
01-04-2010, 16:12
I can't figure out if this is a poisson d'Avril joke...

Euan
01-04-2010, 09:08
Remember the date and what they did last year, although it is quite a large piece of text / information so I am sceptical.

RimBlock
01-04-2010, 06:17
Sort of good news.

A little concern here;
It speaks well for 5 years. Go 2015. In this term we think it
will begin to force the hand of all the sysadmins who have not
made the shift to the "Secure Net".
Forced usage by either traffic restriction / disconnection or price hikes.

and

Nobody can sniff your packets, even an admin here.
From the last section about work on a MAC linked cert. Well, let's all get ready to welcome back the torrent seeders of dubious nature (not the good torrent users who only share Linux distros etc). Wonder what backdoors will be expected by various governments in the name of 'War on terror'.

Personally, I think on the face of it that it is a noble idea.

OVH I am sure will just see the terms & conditions changed and people finding out when their servers stop working. European acceptance, I can hear the calls from all the welfare groups now..... 'won't somebody please think of the children'. Arguments that the encryption will make it harder to find paedophiles, hate organisations, terrorists etc. Every government will want to have keys to unlock the encryption.

Another consideration would be VPSs that are created with auto-generated MAC addresses. Having the ability to build and destroy a VPS at will is one of the strengths. Migration or duplication of VPSs may also pose an interesting issue.

RB

gregoryfenton
01-04-2010, 00:17
From what I can gather:

I think OVH is giving away free SSL certificates for domains either purchased or hosted at OVH.

Excellent

gregoryfenton
01-04-2010, 00:15
Hello,
The latest events give our reasons for thinking
that internal want to share with you today. Your
feedback is essential to enable us to take the decisions
necessary. Basically, you have to move the lines and
we believe that the movement must go from the hosts.

Here are our thoughts.

There are technologies that ensure the encryption
of data traveling over the Net. We speak of course,
SSL and more broadly of "digital keys" alias certificates.
Certificates to encrypt information between client / server,
server-server, but also to authenticate people. Except
that these technologies were held 2-3 by American giants, follow
my eyes, that block the use of these technologies through
price. It is no secret that the SSL costs
relatively expensive, and then finally even if we can afford to
buy one prefers not to put in place. Search for
simplicity? Too many technical problems? Lack usual?
Laziness? In any case it is because the technologies are
not free and that everyone can not use them in
everyday life that ultimately nobody uses them. And there are
many examples of problems that result: it took that
one giant American (follow my eyes) said the flight
sessions webmail from the Chinese, however, where everybody
knows that all traffic through the firewall government for
mandating SSL on their webmail. Only recently a
large French ISP has set up SSL on the page "My Account".
The place where you enter the login and password. And more
commonplace, many of our customers offering "my space"
without encrypt the information flowing. Phishing, spam,
hacks, sniffing the packets that exists is used and the
consequences range from a simple theft of information, money to
several years in prison because they think aloud what
people do not allow themselves to imagine.

We made this observation it several years ago. And that is
why we proposed a cheap SSL certificate ago
3 years. Then we dropped even the price of this technology
in there 3 times less than 12 months.

It is time to go even further and make all these
technologies at hand for system administrators and
developers instead of a few U.S. companies (follow
my view) that sell them too expensive.

A few weeks ago, we did a test certificate
SSL on https://test.ovh.com. Thank you for your feedback which we
have advanced in this project "Secure Net".

OVH will distribute free SSL certificates with all
domain names not only deposited at OVH, but all
domain names hosted at OVH. Including wildcards and
containers. With a guarantee of 1 Euro for class 1 to
1,000,000 Euro for the EV.
Totally free, but it will be your host name
fields at OVH, on shared hosting servers or
dedicated. And now you provide any free will and for
whatever you want. The objective is twofold. First make
these technologies available, like "open source" and
to popularize among system administrators, with
end users and visitors. Then create a network
fully secure the confidence that digital is not only
a law but it is an everyday reality.

Apart from the WEB (https) is desired awareness sysadmins
to use SSL on POP3, IMAP and SMTP. Failure to
provide the alternative S (SSL) of these 3 protocols should not be
a matter of choice but must win by itself. For this
we also offer SSL certificates totally
free for servers.

We will incorporate into our webmail "certificates of people"
that you can turn a simple click. Thus all the
emails you send from our webmail will be signed
with your certificate. The person who will receive your email,
be sure that the email comes from you and has not been
altered by one third, thanks to your public key. You sign
with your private key and allow you to verify your signature
with your public key. We think that after 12-18 months we
are going to add this level verification servers
to verify the signatures of all the emails and this
automatically. Then classify emails into spam or not, is
also based on this signature. In any case it will be
information that will take into account the detection algorithm
of SPAM.

Finally, we offer these "Certificates of people" to
replace, in the medium term, "login / password"
authentication by authenticating with a "soft token". Indeed, to
access "My Account", "Manager", "my space" you will be able to
remember the login / password and use your certificate.
Forget phishing, forget the hack, forget the sniffing of
packets. In addition to the encrypted information has been
authenticated and then the server knows who is really connected.
It is a true technological breakthrough that OVH will use to
provide you with a secure payment that is really secure. We did not think
to do otherwise by asking and storing your number
card, just to avoid mistakes that
others have done before us. Take my eyes, always
there for American giants. And no giant in Europe in all
these trades! Is this normal?

We have our webmail you can use it
safely without login / password only with your
certificate. You can sign and verify the signatures of
emails you receive and send. This is the ideal place to
offer a safe quality service with
timestamp and storage along time (30 years). Thus, each
received document is signed and therefore has a legal value, because
you're not able to backdate this document or any modification. But
you will say the document is always stored in "plain". It is
simple. It adds a layer of encryption in your safe and
all your documents are automatically encrypted with
your public key. They are now stored encrypted and
nobody can read them without your key ... private. Nothing to
do with space, shared ... euhh "safes" that
some insurers or banks begin to offer their customers.
A true technological joke ... Our safes authenticated,
encrypted, time stamped are smart in that they can
receive documents such as a pay slip or invoice.
Simply by email! Signing a document will
verify who signed it and then classify the document in your
safe. Automatically.

Certificates people class 1 will be based only on 1
item, such as your email. And Class 3 of 3 items and
therefore a "face-to-face" meeting that you will be able to
perform ... at the Post Office or your Bank. Indeed, thanks to the
project IDeNum the French state licenses people will
become a reality in France on the horizon of 5 years. Already
declaring your income you will need such a
certificate that you can buy for a few euros on
the support "smart card". So why not generalize and
use the same certification for all interfaces on the
web. Forget all your logins / passwords on all sites,
simplify your life, secure your trade, log
so sure. Insert your smart card and surf so
secure.

It speaks well for 5 years. Go 2015. In this term we think it
will begin to force the hand of all the sysadmins who have not
made the shift to the "Secure Net". Indeed, even if free
of all these technologies, visitors still use http,
consult the email via POP3 and send emails without the
sign is that a sysadmin has not done its job.

Step 1 is to make services without
encryption more expensive. That is, if you want OVH to allow you
to use "unencrypted" services, you will pay more.
2 times more expensive in 2015, 3 times in 2016 ... and 10 times more expensive
in 2025. Otherwise? Otherwise you will be able to use only
encrypted and secure services for the price unchanged. Step 2 is
the hard way. Starting in 2025 we think it will reduce
the resources allocated to these unsecure protocols and thus
reduce bandwidth. Now Step 3. From 2030
all services not secure our network will be cut
and permanently "Net Secure" is a reality on our
network at the shelter.

In parallel, the level of Internet access, OVH propose the
VDSL based on future VDSL2-S. This is an Internet access
34Mbps symmetrical about a single pair of copper with encryption
built. Not to be confused with a simple VPN is a service
on the IP layer.

Indeed, we are currently working with a giant U.S.
network equipment (take my eyes) on the future standard
VDSL2-S allowing a debit interesting but provide encryption
from end to end. Everything happens at the OSI layer 2 where
it wants to integrate the authentication of Ethernet packets through
certificates MAC and encryption between switches,
routers and modems. Each MAC has its own certificate and
can communicate with other MAC after an exchange of
certificate with the other MAC. Also, if a MAC has no
certificate it can not communicate with the other MAC.
Basically, exactly the same principle as SSL. Except that
integrating the certificate at the MAC, we can create
encrypted tunnels between the MAC and IP and thus establish the
secure connection between your post office and the final sites,
outside of our network, completely automatically. Nobody
can sniff your packets, even an admin here. Confidence
is good. Ensure trust across the technology is
better. This technology works in our lab but we
still have performance problems. As you can imagine,
it must encrypt a lot of information at very low level.
We think this problem will be solved here with the future arrival of
8 CPU cores that our partner will integrate directly at
the switch 2960-S. All dedicated server customers may
well benefit from a secure network to the OSI level 2 and this without
the dedicated VLAN, private VLAN, or mode of switchport protected.
The technical tinkering again because the technology has been
developed to ensure Security is not available.

For all these projects, OVH is given 10 years. If it succeeds it is because
you will use these technologies. And you use
if you agree with our findings and how it
wishes to implement to rectify the Internet today and
offer the "Secure Net" tomorrow.

oles@ovh.net
31-03-2010, 23:48
Hello,

Recent events have given rise to internal discussions that we wish to share with you today. Your feedback is essential to enable us to take the necessary decisions. Basically, the lines have to move and we think that the movement must come from the hosts.

Here are our thoughts.

There are technologies that ensure encryption information that is transferred on the Net. It speaks well of course SSL and more broadly of "digital keys" alias certificates. Certificates to encrypt information between client / server server / server, but also to authenticate people. Except that these technologies were held 2-3 by American giants, follow my eyes, that block the use of these technologies through the price. It is no secret that the SSL cost relatively expensive, and then finally even if we have the means to buy one prefers not to put in place. Search simplicity? Too many technical problems? Lack of habit? Laziness? In any case it is because the technologies are not free and that everyone can not use them newspaper that eventually no one uses them. And there Many examples of problems that result: it had to one of the giant American (follow my eyes) said the flight webmail sessions from the Chinese, however, where everyone knows that all traffic through the firewall Government for mandating SSL on their webmail. Only recently large French ISP has set up SSL on the page "My Account". The place where you enter the login and password. And more commonplace, many of our customers offering "my space" not encrypt the information flowing. Phishing, spam, the hacks, packet sniffing it exists, is used and consequences range from a simple theft of information, money several years in prison because they think aloud what people do not allow themselves to imagine.

We made this observation several years ago. And that is why we proposed a cheap SSL certificate 3 years ago. Then we even dropped the price of this technology 3 times in less than 12 months.

It is time to go even further and make all these technologies at hand for system administrators and developers instead of a few U.S. companies (follow my view) that sell them too expensively.

A few weeks ago, we did an SSL certificate test on https://test.ovh.com. Thank you for your feedback, which has led to progress in this "Secure Net" project.

OVH will distribute free SSL certificates with all domain names, not only those registered at OVH but all domain names hosted at OVH. Including wildcards and containers. With a guarantee of €1 for class 1 to €1,000,000 for the EV. Totally free, but you will have to host your domain names at OVH, on shared hosting or dedicated servers. And now you provide any free will and for anything you want. The objective is twofold. First, make all these technologies available, like "open source", and popularise them among system administrators, end users and visitors. Then create a totally secure network where digital trust is not only a law but an everyday reality.

Outside the WEB (https), we want to make sysadmins aware of the use of SSL on POP3, IMAP and SMTP. Offering the S (SSL) alternative of these 3 protocols should not be a matter of choice but must win by itself. For this, we will also offer SSL certificates fully free for servers.

We will incorporate into our webmail "certificates of persons" that you can turn on with a simple click. Thus all emails you send from our webmail will be signed with your certificate. The person who receives your email can verify that the email comes from you and has not been altered by a third party, thanks to your public key. You sign with your private key and allow your signature to be verified with your public key. We think that after 12-18 months, we are going to add this check at the server level to verify the signatures of all emails, automatically. Then classifying emails as spam or not will also be based on this signature. In any case it will be a piece of information taken into account in the SPAM detection algorithm.

Finally, we offer these "Certificates of people" to replace, in the medium term, "login / password" authentication with authentication by a "soft token". Indeed, to access "My Account", "Manager", "my space" you will be able to forget the login / password and use your certificate. Forget phishing, forget the hack, forget the sniffing of packets. In addition to being encrypted, the information has been authenticated, and so the server knows who is really connected. It is a true technological breakthrough that OVH will use to offer you a secure payment that is really secure. We did not think of doing otherwise, by requesting and storing your credit card number, simply to avoid the mistakes that other actors have made before us. Take my eyes, always where American giants. And no giant in Europe in all these trades! Is this normal?

We have our webmail you can use it without secure login / password only with your certificate. You can sign and verify signatures emails you receive and send. This is ideal for offer a safe high quality services with timestamp and storage along time (30 years). Thus, each received document is signed and therefore has a legal value, because you will not be able to backdate this document or any modification. But you will say the document is always stored in "plain". It is easy. It adds a layer of encryption in your safe and all your documents are automatically encrypted with your public key. They are now stored encrypted and nobody can read them without your key ... private. Nothing be pooled with spaces ... euhh "safes" that Some insurers and banks are beginning to offer their customers. A true technological joke ... Our safes authenticated encrypted, time stamped are smart in that they can receive documents such as a pay slip or invoice. Simply by email! Signing a document will verify who signed it and then classify the document in your safe. Automatically.

The certificates of persons class 1 will be based only on 1 element, such as your email. And Class 3 on 3 items and so a "face-to-face" meeting that you will be able to perform ... at the Post Office or your Bank. Indeed, thanks to Project IDeNum the French state licenses people will become a reality in France on the horizon of 5 years. Already, to declare your income you will need such a certificate, which you will be able to buy for a few euros on a "smart card" support. So why not generalize and use the same certification for all interfaces on the web. Forget all your logins / passwords on all sites. Simplify your life, secure your trade, log so sure. Insert your smart card and surf so secure.

It speaks well for 5 years. Go 2015. In this term we believe that we will begin to force the hand of all the sysadmins who have not made the turn toward the "Secure Net". Indeed, if, even with all these technologies free, visitors still use http, consult emails via POP3 and send emails without signing them, it is because a sysadmin has not done their job.

Step 1 is to make services without encryption more expensive. That is, if you want OVH to allow you to use "unencrypted" services, you will pay more. 2 times more expensive in 2015, 3 times in 2016 ... and 10 times more expensive in 2025. Otherwise? Otherwise you can use only encrypted and secure services for the price unchanged. Step 2 is the hard way. Starting in 2025 we think we will reduce the resources allocated to these insecure protocols and therefore decrease the bandwidth. Now Step 3. From 2030 all non-secure services on our network will be cut, and finally the "Net Secure" is a reality on our wide network of accommodation.

In parallel, at the level of Internet access, OVH will propose VDSL based on the future VDSL2-S. This is Internet access at symmetrical 34Mbps on a single pair of copper with integrated encryption. Not to be confused with a simple VPN, which is a service on the IP layer.

Indeed, we are currently working with a giant of network equipment (take my eyes) on the future VDSL2-S standard, allowing an interesting throughput but with end-to-end encryption. Everything happens at OSI layer 2, where we want to integrate the authentication of Ethernet packets through MAC certificates and encryption between switches, modems and routers. Each MAC has its own certificate and can communicate with another MAC after an exchange of certificates with the other MAC. Also, if a MAC does not have a certificate it cannot communicate with the other MAC. Basically, exactly the same principle as SSL. Except that by integrating the certificate at the MAC, we can create encrypted tunnels between the MAC and IP and thus establish the secure connection between your workstation and the final sites, outside of our network, completely automatically. Nobody can sniff your packets, even an admin here. Confidence is good. Ensuring trust through technology is better. This technology works in our lab but we still have performance issues. As you can imagine, it must encrypt a lot of information at a very low level. We believe that this problem will be solved with the future arrival of 8 CPU cores that our partner will integrate directly at the switch 2960-S. All dedicated server customers may well enjoy a network secured at OSI level 2, and this without the dedicated VLAN, private VLAN, or switchport protected mode. Techniques of tinkering again because the technology has been developed to ensure security is not available.

For all these projects, OVH is giving itself 10 years. If it succeeds, it is because you will use these technologies. And you will use them if you agree with our findings and with how we want to put things in place to rectify the Internet today and propose the "Secure Net" tomorrow.

Thanks for your feedback.

All the best,
Octave