
Re: the "Net Secure" authentication and encryption


oles@ovh.net
04-02-2010, 04:12 PM
Hello,

If you did not believe our announcement on 1 April, you were wrong not to dream.

Our announcement is only 20% an April Fool's joke, or 30%. We do not block HTTP or POP3 ports. Although TELNET is almost dead, isn't it? In short, we will be able to give you all the details as soon as the database has been finalised.

In any case, at OVH, you find a good domain name with national ecofax and class 1 SSL for 5,99 € ex. VAT / year all included and those who already have a domain name at OVH may also ask for these services and for free.

The movement is well underway ... it will be good for hosting ... but it will take some years ... and not the snap of fingers ...

Regarding VDSL2, for technical issues this standard is prohibited in France. Indeed, the rates of VDSL2 in Mbps are approximately 20 times higher than ADSL because the signal is much stronger than that of ADSL2. This signal is so strong that ADSL is too disrupted and no longer works. Basically, VDSL puts down ADSL and therefore it is either ADSL or VDSL.

For France, ARCEP chose ADSL, presumably to protect the investments of telecom operators who have deployed their networks in the NRA with all DSLAM ADSL and all the BOX ADSL. With VDSL, all of that would have to be thrown in the garbage. Not cool. Instead, operators must invest in the ... fiber optics. Will they do it? And why? To propose essentially the same thing you can have with VDSL2 ... Not cool and not logical either.

On VDSL2 you can have a symmetrical 34Mbps/34Mbps or asymmetrical 10Mbps/100Mbps on a single copper wire which you have today on fibre optic, if you're lucky enough to live in the right place at the right time. We can therefore conclude that in France in 50 years everyone will have the equivalent rates that they can have already in Germany or Belgium. It is true that for the market of individuals who watch TV at night on the box, the benefits of these connections are reduced. Why have so many Mbps? On the other hand, this decision will impact the growth of companies in France who will pay significantly more than elsewhere in Europe for essentially the same service. This is not just a problem of technological backwardness but of competitiveness and performance of a country against its neighbours in Europe. France has chosen. We will not fight. OVH will still offer performance and attractive prices to companies based on standards that were validated by ARCEP. The tests have been validated in the lab and will be validated in production within a few months ... in Roubaix Valley ... So the time of massive local loop unbundling will commence ... yeah we're going to laugh ... yeah ... we have only one life so why not laugh loudly when we can ... We hope that many of you will laugh with us on this new project.

Regards,
Octave

oles@ovh.net
04-01-2010, 01:48 AM
Hello,

The latest events give reason for our thoughts that we want to share with you today. Your feedback is essential to us, to enable us to make the decisions necessary. Basically, you have to move the lines and we believe that the movement must start from the hosting providers.

Here are our thoughts.

There are technologies that ensure the encryption of data traveling over the Net. We speak, of course, of SSL and more broadly of "digital keys", alias certificates. Certificates to encrypt information between client-server, server-server, but also to authenticate people. Except that these technologies were held by 2-3 American giants, follow my eyes, who block the use of these technologies through price. It is no secret that the SSL costs are relatively expensive, and then finally even if we can afford to buy one, it is not the easiest to put in place. Searching for simplicity? Too many technical problems? Laziness? In any case it is because the technologies are not free and not everyone can use them in everyday life that ultimately nobody uses them. And there are many examples of problems that result from it: one giant American company (follow my eyes) found that Chinese steal webmail sessions, so they had to make SSL mandatory on their webmail, even though everyone knows that all traffic goes through government firewalls. Only recently a large French ISP has set up SSL on the page "My Account". The place where you enter the login and password. And more commonplace, many of our customers are offering "space" without encrypting the information... Phishing, spam, hacks, sniffing the packets exist and are used and the consequences range from a simple theft of information or money to several years in prison because we think aloud what people do not allow themselves to imagine.

We made this observation several years ago. And that is why we proposed a cheap SSL certificate 3 years ago. Then we even dropped the price of this technology 3 times in less than 12 months.

It is time to go even further and make all these technologies at hand for system administrators and developers instead of a few U.S. companies (follow my eyes) that sell them too expensive.

A few weeks ago, we did a test certificate SSL on https://test.ovh.com. Thank you for your feedback that helped us to advance in this "Secure Net" project.

OVH will distribute free SSL certificates with all domain names not only deposited at OVH, but with all domain names hosted at OVH. Including wildcards and containers. With a guarantee of 1 Euro for class 1 to 1,000,000 Euro for the EV. Totally free, but you need to host your domains at OVH, on shared hosting or on dedicated servers. And now you can use it for whatever you want. The objective is twofold. First make these technologies available, like "open source" and to popularize among system administrators, with end users and visitors. Then create a network fully secure so that trust is not only in digital laws, but security is every day reality.

Apart from the WEB (https) is desired awareness from sysadmins to use SSL on POP3, IMAP and SMTP. Failure to provide the alternative S (SSL) of these 3 protocols should not be a matter of choice but must be taken for granted. For this we will also offer SSL certificates totally free for servers.

We will incorporate into our webmail "certificates of people" that you can turn on with a simple click. Thus all the emails you send from our webmail will be signed with your certificate. The person who receives your email will be sure that the email comes from you and has not been altered by any third party, thanks to your public key. You sign with your private key and allow you to verify your signature with your public key. We think that after 12-18 months we are going to add this level of verification to servers to verify the signatures of all the emails automatically. Then classifying emails into spam or not, will also be based on this signature. In any case it will be information that will take into account the detection algorithm of spam.

Finally, we offer these "Certificates of people" to replace the medium term, with authentication "login / password" by authenticating with a "soft token". Indeed, to access "My Account", "Manager", "my space" you will be able to remember the login / password and use your certificate. Forget phishing, forget the hack, forget the sniffing of packets. In addition that the encrypted information has been authenticated, the server knows who is really connected. It is a true technological breakthrough of OVH you use to do a secure payment which is really secure. We did not think to do otherwise by asking and storing your card numbers, but to avoid mistakes that others have done before us. Follow my eyes, again here the American giants. And no giant in Europe in all these trades! Is this normal?

We have our webmail which you can use safely without login / password, with only your certificate. You can sign and verify the signatures of emails you receive and send. This is the ideal place to offer a safe quality service with timestamp and storage along time (30 years). Thus, each received document is signed and therefore has a legal value, because you're not able to backdate this document or do any modification. But you will say the document is always stored in "plain". It is simple. It adds a layer of encryption and all your documents are automatically encrypted with your public key. They are now stored encrypted and nobody can read them without your private key. Nothing to do with mutual space... "safes" that some insurers or banks begin to offer their customers. A true technological joke ... Our safes are authenticated, encrypted, time stamped and smart in that they can receive documents such as a pay slip or invoice. Simply by email! Signing a document will verify who signed it and then classify the document in your safe. Automatically.

Certificates class 1 will be based only on 1 item, such as your email. And Class 3 of 3 items and therefore you will be able to perform ... at the Post Office or your Bank. Indeed, thanks to the project IDeNum the French state licenses people will become a reality in France on the horizon of 5 years. Already declaring your income you will need such a certificate that you can buy for a few euros on the support "smart card". So why not generalize and use the same certification for all interfaces on the web. Forget all your logins / passwords on all sites, simplify your life, secure your trade, login with certainty. Insert your smart card and surf securely.

We are speaking about 5 years. Let's say 2015. In this term we think it will begin to force the hand of all the sysadmins who have not made the shift to the "Secure Net". Indeed, even if all these technologies are free and visitors still use http, consult the email via POP3 and send emails without the signature means that a sysadmin has not done their job.

Step 1 is to make services without encryption more expensive. That is, if you want, OVH allows you to use services "unencrypted", you will pay more. 2 times more expensive in 2015, 3 times in 2016 ... and 10 times more expensive in 2025. Otherwise? Otherwise you will be able to use only encrypted and secure services for the price unchanged. Step 2 is the hard way. Starting in 2025 we think it will reduce the resources allocated to these unsecure protocols and thus reduce bandwidth. Now Step 3. From 2030 all non-secure services on our network will be cut, permanently. "Net Secure" is a reality on our network.

In parallel, at the level of Internet access, OVH proposes the VDSL based on future VDSL2-S. This is a 34 Mbps symmetrical Internet access, about a single pair of copper with encryption built in. Not to be confused with a simple VPN, it's a service on the IP layer.

Indeed, we are currently working with a giant U.S. network equipment (follow my eyes) on the future standard VDSL2-S providing encryption from end to end. Everything happens at the OSI layer 2 where it wants to integrate the authentication of Ethernet packets through MAC-certificates and encryption between switches, routers and modems. Each MAC has its own certificate and can communicate with other MAC after an exchange of certificate with the other MAC. Also, if a MAC has no certificate it cannot communicate with other MACs. Basically, exactly the same principle as SSL. Except that integrating the certificate at the MAC, we can create encrypted tunnels between the MAC and IP and thus establish the secure connection between your post office and the final sites, outside of our network, completely automatically. Nobody can sniff your packets, even an admin here. Confidence is good. Ensure trust across the technology is better. This technology works in our lab but we still have performance problems. As you can imagine, it must encrypt a lot of information at very low level. We think this problem will be solved here with the future arrival of 8 CPU cores that our partner will integrate directly at the switch 2960-S. All dedicated server customers may well benefit from a secure network to the OSI level 2 and this without the dedicated VLAN, private VLAN, or mode of switchport protected. The technical tinkering again because the technology has been developed to ensure Security, is not yet available.

For all these projects, OVH is given 10 years. If it succeeds it is because you will use these technologies. And you use if you agree with our findings and how it wishes to implement to rectify the Internet today and offer the "Secure Net" tomorrow.

Your feedback is welcome.

Regards,
Octave