
Cloud Providers compromise Domain Security

This just in via email from newsletter@feistyduck.com. More information is available here: https://community.letsencrypt.org/t/important-what-you-need-to-know-about-tls-sni-validation-issues/50811

Cloud provider vulnerability causes Let’s Encrypt to disable SNI domain validation

A major issue with some cloud providers allowed the unauthorized issuance of Let’s Encrypt certificates. Although the issue clearly lies with the cloud providers, Let’s Encrypt nevertheless has decided to disable the corresponding validation method.

Frans Rosén discovered that he could use the SNI validation method from the ACME protocol (https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/) to issue certificates for domains hosted on certain cloud providers. He explicitly mentions Heroku and Amazon CloudFront.

TL;DR: I was able to issue SSL certificates I was not supposed to be able to. AWS CloudFront and Heroku were among the affected. The issue was in the specification of ACME TLS-SNI-01 in combination with shared hosting providers. To be clear, Let’s Encrypt only followed the specification, they did nothing wrong here. Quite the opposite I would say.

The core of the issue is that these providers allow users to upload certificates that the system will serve automatically to TLS requests with the corresponding server name. The ACME SNI validation method uses temporary certificates that end with .acme.invalid.

After the issue was reported, Let’s Encrypt almost immediately disabled the TLS-SNI-01 validation method. Let’s Encrypt subsequently decided that, with a few exceptions, it will stay disabled. The newer TLS-SNI-02 method is vulnerable as well. A new TLS-SNI-03 method that considers this problem is being developed, but for the time being users should switch to either the HTTP or the DNS validation method.
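The two paragraphs above describe the mechanism (challenge certificates whose names end in `.acme.invalid`) and the provider-side root cause (customer-uploaded certificates served to any matching SNI name). The following is an added example written for this page, not code from Let's Encrypt, Feisty Duck, Detectify or any cloud provider, showing the mitigation a shared-hosting operator would apply on its own side: compute the SAN a TLS-SNI-01 challenge certificate carries (token, JWK thumbprint, SHA-256 split into two 32-character labels, as in the ACME draft), then refuse any such name both at certificate upload time and in the TLS front end's certificate selection. The token and thumbprint values are constructed placeholders, and the helper names are this example's own.

```python
import hashlib
import re

# Every TLS-SNI-01/02 challenge certificate carries a SAN under this reserved
# suffix (from the ACME drafts); it is the property a hosting provider can filter on.
ACME_INVALID_SUFFIX = ".acme.invalid"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def tls_sni_01_san(token: str, jwk_thumbprint: str) -> str:
    """Compute the SAN a TLS-SNI-01 challenge certificate must carry.

    Per the ACME draft: keyAuthorization = token "." thumbprint,
    Z = lowercase hex SHA-256(keyAuthorization),
    SAN = Z[0:32] "." Z[32:64] ".acme.invalid".
    """
    key_authz = f"{token}.{jwk_thumbprint}".encode("ascii")
    z = hashlib.sha256(key_authz).hexdigest()
    assert _HEX32.match(z[:32]) and _HEX32.match(z[32:])
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def is_acme_challenge_name(name: str) -> bool:
    """True for any host name under .acme.invalid (case and trailing-dot insensitive)."""
    n = name.strip().lower().rstrip(".")
    return n == ACME_INVALID_SUFFIX.lstrip(".") or n.endswith(ACME_INVALID_SUFFIX)


def vet_uploaded_san_list(names):
    """Split a customer-uploaded certificate's SAN list into (accepted, rejected).

    A shared host that applies this at upload time never stores a certificate
    that could answer someone else's TLS-SNI validation.
    """
    accepted, rejected = [], []
    for name in names:
        (rejected if is_acme_challenge_name(name) else accepted).append(name)
    return accepted, rejected


def select_certificate(sni_host, cert_store):
    """Hardened front-end lookup: never serve a certificate for a challenge name,
    even if one somehow reached the store (defence in depth over the upload check).
    cert_store maps lowercase host names to whatever the front end serves."""
    if is_acme_challenge_name(sni_host):
        return None
    return cert_store.get(sni_host.strip().lower().rstrip("."))


if __name__ == "__main__":
    # Constructed sample values, not real ACME challenge data.
    san = tls_sni_01_san("tok-constructed", "thumb-constructed")
    print("challenge SAN:", san)
    accepted, rejected = vet_uploaded_san_list(["shop.example.com", san])
    print("accepted:", accepted, "rejected:", rejected)
    print("served for challenge name:", select_certificate(san, {san: "cert-B"}))
```

The upload-time filter is the fix the affected providers actually needed; the lookup-time refusal costs one string comparison per handshake and protects against certificates that were stored before the filter existed. Note that this only closes the SNI-based methods; tenants still need the HTTP-01 or DNS-01 path to obtain certificates once TLS-SNI is disabled.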



UPC Code Discussion

If you follow this blog then you know we are shut out of Amazon.com because we cannot possibly pay $3,200 to buy a company UPC number. We objected to this and responded to an email from GS1 US, the company which sells UPC company numbers. They have told me that they are a not for profit, however I have not found them in the legal IRS database at http://www.irs.gov/Charities-&-Non-Profits/Exempt-Organizations-Select-Check. Also the cost of $3,200 to issue one UPC company number seems a bit more than a break even price. I am really not sure how their prices are fulfilling their stated purpose of “Making it possible for industries and companies to move their business forward”: rather it seems to me their prices are a roadblock to free market competition by erecting an extreme barrier to entry. I understand what she is saying about UPC resellers and why it is unwise to buy codes from them. I also ponder how there could be UPC resellers: if GS1 US were selling at cost (acting as a not for profit), there would be no profit opportunity for these UPC resellers to exist.

GS1 US’s email back to me and my response follow.

-jdn-

On 05/06/2013 12:51 PM, Smith, Rebecca wrote:

Good Afternoon John,

GS1 US is a not-for-profit organization.

I would make sure that your Trading Partner will accept those types of barcodes.

The barcodes that you will receive from a reseller will never recognize your company and most Trading Partners will not accept them based on that. The barcodes will always go back to the original owner of the barcodes.

You don’t know if they have made up the barcodes or that they have already sold the barcodes to other companies.

We have had companies in the past buy from resellers, barcode their products, and then their Trading Partner would not accept them. Then they had to come through us to get their barcodes and re-barcode all of their products.

Just don’t want you to get something your Trading Partner may not accept, and it costs you more money.

Have A Wonderful Day,

Rebecca Smith | Customer Operations | GS1 US
7887 Washington Village Dr, Ste.300, Dayton, OH 45459
T +1 937.435.3870 | F +1 937.435.7317 | E rsmith@gs1us.org | www.GS1US.org
The Global Language of Business | Making it possible for industries and companies to move their business forward


Good afternoon Ms. Smith,

Thank-you for your kind reply.

I understand that buying from these UPC “resellers” does not provide a proper code for small businesses and I have no intention of buying from them. I really do not see, if you are acting as a not for profit and selling these company UPC numbers at cost, how these UPC resellers can exist — it should be impossible for them to sell at less than your price, thus removing any profit incentive. ICANN, which assigns all the domain names on the Internet, charges twenty cents. ICANN warehouses at least as much data as GS1 US and should have similar or higher costs.

This is why I must refuse to buy any UPC from anyone: not only can my small business not afford to pay hundreds or thousands of dollars to buy one company UPC number but also I feel that a charge of $3,200 to be assigned one number is unreasonable. If my small business brought in $32,000 due to UPC labeling I would probably not have a problem with paying out $3,200 to support you: but it does not as of yet, and it is not going to until it has UPC codes which, of course, I cannot buy. The problem is compounded by the need for many product codes since every possible combination of my product must have its own, unique code, whether I ever sell even one so specifically configured or not. For example, each belt that I craft can come in five widths, seven colors, with or without embossing, and in 26 lengths (from 12 inches to 58 inches, counting only the even numbers). This is some 1,800 codes (excluding any codes I need for other product lines) of which 10 might actually be ordered.

Yes, Amazon is forcing all small businesses to buy UPC company numbers as a condition of being allowed to trade at all on Amazon.com. There has been some public outcry about that, which is apparently a move to improve search price comparisons by matching UPC codes instead of product names. But those of us who own small businesses, and account for 80% of the commerce in the US, also can choose not to use Amazon and we can tell them why: small businesses cannot afford to pay $3,200 for a UPC Company number.

I am providing honest customer feedback, which is very hard to get. I hope this helps rather than offends you. I feel that a $20 membership fee is sensible: a $3,200 membership fee is not. I feel that if a business does in fact have sales over $250,000 they should not object to donating more than grass roots businesses that have very little income yet.

The beauty of a free market system is that small businesses do have a choice. We could simply establish our own Open Source Product Code system (OSPCS) and operate it on the same basis as ICANN as a member benefit organization exempt from taxes under IRC section 501(c)(3). Membership fee could be $1. Retailers who chose to use OSPCS would gain grass roots loyalties to boost their sales in a down economy. This has worked well for dozens if not hundreds of distros of Linux and many other open source projects. We probably could also crowd source funding to get started. OSPCS network number assignments could be franchised to OSPCS Registrars who could compete in the OSPCS marketplace and sell the OSPCS numbers much as the global DNS system already works, reducing costs and drastically improving network performance through the availability of OSPCS lookup servers, while offering a profit opportunity to thousands of registrars. With the right agreement, sales of all products having OSPCS numbers could be accumulated providing another massive revenue source in the sale of reports.

Most sincerely,

John D. Nash, CEO
American Programmers Independent, LLC.
API Leather Crafting

P.S. It is understood that your company, GS1 US, is a not for profit, but did you realize that name is not in the official IRS database of all not for profits at http://www.irs.gov/Charities-&-Non-Profits/Exempt-Organizations-Select-Check. I’m not saying you are not a not for profit, I am simply letting you know that the official IRS database used to validate not for profit status of all organizations in the US does not have GS1 US in it, at least not by that name.


Mainstream Tablet Prices Dropping to $149

I have said for some time the primary and secondary price points for the glut of tablets that will become available this fall will be $149 and $249 with a distant tertiary point at $400. Here is another manufacturer who is adjusting their SRP to become salable. There is nothing wrong with the Nook Color: it is a fine tablet with snappy performance, can easily and intuitively store and use files (such as Microsoft Office files) from your PC, and has a pleasant form factor and passable battery life. The only thing the Nook is really missing is a good way to take notes on it, as there is no real app for that. You can also boot the Nook from a version of Android if you wish to load any of a number of boot images from CyanogenMod, using the Micro SD slot.

The only thing really wrong is that you cannot go to the most common market places unless you boot to Android and add Google Apps: the Amazon and Google Markets. This was a stupid blunder on the part of B&N, even though they told me it was Amazon who forbade them to allow their customers to shop also on Amazon. Seriously, guys, is Amazon.com so stupid that they don’t want people to buy from them just because they own a B&N Nook?

At any rate, B&N is promoting the device at the primary market point now — $149. Google.com is promoting their Nexus 7, which you can buy for $199. Let’s see what happens to the main contender in this price market, the Amazon Kindle ($199 – 40% = $120).