Google Joins Mozilla, Microsoft In Pushing For Early SHA-1 Crypto Cutoff (blogspot.com)
itwbennett writes: Due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism. Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates.
Is irrelevant!
Sha-1 has been considered weak for years now. How is that early?
Irrational post is irrational.
I think you should consider how one can hold these two thoughts simultaneously:
"
You want to promote better security, I'm right there with you.
You want to cut off older technology, using security as an excuse for forced upgrades ... well, you can go fuck yourself.
"
The browser manufacturers are saying that the upgraded browsers won't support SHA-1.
How does this force you to upgrade? It forces websites to upgrade, but you can stick with an insecure browser.
Good grief, 15 years is a long time in technology. A very, very long time. This platform has required workaround upon workaround for over 10 years now.
The only reason die-hards say it is not obsolete and great is that they do not see what crippling sacrifices are made just to bring a web page to render. Meanwhile the rest of us have inferior sites and products thanks to these cheapskates.
Time to move on. Maybe these poor Chinese will install Linux if they have very, very old hardware? Anything from 2008 and newer can run a more secure and modern system.
http://saveie6.com/
"Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates."
that's ok - because they can just throw away perfectly good hardware because the software's out-of-date, discarding the older stuff in the hope that it doesn't end up in landfill but ends up in the developing world just like we do. wait... we're *already* talking about the developing world. so that means there's no fall-back - no incentive for the endless cycle of high-profit-with-bugs-and-security-vulnerabilities-so-you-buy-a-new-one, because there's not enough profit made from the sale of newer hardware in the developing market to justify pursuing it.
i _would_ recommend, at this point, that modular phones would be a good idea... except that if you now look at phonebloks you'll see that there's currently *six* separate and distinct, totally incompatible and entirely *not* open (i.e. not royalty-free, not patent-licensing-free etc.) hardware or open standard modular interoperable mobile phones.
plus, phones are not the only products that are insecure here: what about desktops, laptops and so on? it's not just the proprietary phones and proprietary tablets that will be *unable* to be upgraded because in order to effect an upgrade, it's likely that the entire OS will need to be replaced, it's *all* the computing devices that are hit by this problem.
as techies here on slashdot we understand that software keeps getting more and more complex, and that to recompile just one component (a security library) whilst keeping all the other, older components exactly the same is an extremely time-consuming software engineering task that NO PROPRIETARY HARDWARE VENDOR is going to commit to. in many cases they literally can't, especially the chinese OEMs, because the "O" for "originality" is a total sham in china: they receive binary-only (GPL-violating) distributions from an extremely secretive SoC manufacturer's close handful of partners, along with a Hardware Reference Design... and that's the end of the matter. they don't *HAVE* the source code. they *CAN'T* make the software upgrades even if they had customers willing to pay for the software engineers to do it.
so the only remaining choice, if the software cannot be upgraded, is to upgrade the hardware. and there literally isn't anyone except myself working on modular upgradeable computing appliances like laptops, desktops and so on. i've been looking for years, and i've even approached large companies: they've *actively* stated that they're not interested - the only reason i can think of is that they perceive there isn't enough guaranteed profit in modular computing because a competitor could come along and wipe them out with a faster or better compatible upgrade than they could produce in time. especially a chinese clone manufacturer.
so we're caught between a rock and a hard place, here. the current manufacturing-consumer cycle is highly-optimised for us in the 1st world, and we're effectively sleep-walking as to the consequences for ourselves and the rest of the world (which is just as the manufacturers want it) i outline this in more detail in a white paper i've written (below) - if in reading this you fully understand both the consequences and the nature of the problem and would like to do something about it, do contact me: i have some sponsors already and am open to more.
http://rhombus-tech.net/whitep...
Down-mod on the parent is ridiculous. "Using security as an excuse for forced upgrades" is indeed irrational. None of the three players makes money on hardware or OS upgrades, so the conjectured conspiracy theory is pure tinfoil-hattery.
SHA-1 is broken and needs to die. We aren't doing the developing world any favors by keeping it.
Since when has Slashdot become a Luddite website for those that fear change?
XP is 15 years old! Things move on. We are tired of turning down 2008 era html 5 and leaving our phones with a better browser experience because of XP IE 6/8 compatibility from a different era. If the hardware is from 2008 or earlier you can install Linux for free?
Do you not change your oil and timing belts either?
http://saveie6.com/
I have a printer that uses outdated crypto sitting on a VLAN only accessible by internal computers. Because the powers that be have decided that it's insecure, I have to turn off https.... I just want to make sure that my recipe prints from my tablet before hauling my butt from the kitchen to the office.
Show a scary warning or something. But slightly weak crypto is better than pushing people to not use it.
Microsoft doesn't make money on OS upgrades? lolwut?
Isn't the option of sticking with SHA-1 essentially the same as saying, let's not use crypto?
Can't it easily be considered worse to developing countries to say "you are safe, because we use crypto", when in truth you mean "you are not safe, because we don't use functional crypto"?
The issue they face is not having access to functional crypto. It is not an issue of vendors taking crypto away. SHA-1 is broken, so it isn't an option for functional crypto, no matter if developing countries have access to it, SHA-2, neither, or both!
I'd like to point out that Firefox and Chrome still support all the way back to Windows XP (though Chrome support is ending April 2016). It is very easy to get a hold of the latest and most secure browsers available. If people are not willing to upgrade their browsers after the cutoff, well I doubt they will upgrade their operating system (because upgrading a browser is trivial, at least in comparison to upgrading an OS).
This is not what will force people to upgrade. Maybe other things, but not this.
Note: This was written more to answer the Microsoft side of the problem. Why would Google be pushing upgrades? (Genuine question)
Well, they do. But I don't think this will force OS upgrades (see above post "I'd like to point out that Firefox and Chrome...").
GGGP was calling out Google, not Microsoft.
Chrome upgrades are free. Mozilla upgrades are free. Why is it a bad thing to force upgrades in the name of security here? That doesn't make any sense to me. It's not like anybody actually uses Microsoft's browsers anyways.
Some of the talk about SHA-1 cutoff has been in terms of "Should we break the intertubes for the poor people who can't upgrade?"
Remember; we really don't have that choice. SHA-1 is doing the mathematical equivalent of creaking, groaning, and starting to splinter under load. Our choice is not whether to break SHA-1 or not; it is whether or not to pretend that SHA-1 isn't dangerously precarious.
It's like telling a structural engineer "We can't close that bridge! People need it to cross the river!". That's exactly why we must close the bridge; because if we don't there will be people on it when it falls into the river.
(That said, in environments where security is provided by other means, say a suitably isolated management-only network, there will continue to be a need for browsers that can interact with pitifully outdated SSL implementations for some time to come, probably a disgustingly long time; just as various ancient JVMs are currently kept around to interact with assorted horrible management interfaces, network KVMs, and the like. In practice, since virtualization is so cheap and such legacy systems should be kept the hell away from the internet, we'll probably just end up using an old browser version on a VM that is firewalled from everything except the legacy devices it is used to manage; but there will be places where compatibility will require accepting a known-pitiful authentication mechanism; but such environments should treat that mechanism purely as an archaic quirk, not as any sort of substitute for security.)
> I'd like to point out that Firefox and Chrome still support all the way back to Windows XP (though Chrome support is ending April 2016). It is very easy to get a hold of the latest and most secure browsers available. If people are not willing to upgrade their browsers after the cutoff, well I doubt they will upgrade their operating system (because upgrading a browser is trivial, at least in comparison to upgrading an OS).
> This is not what will force people to upgrade. Maybe other things, but not this.
> Note: This was written more to answer the Microsoft side of the problem. Why would Google be pushing upgrades? (Genuine question)
If the OS is not secure anyway (XP was not designed with security in mind besides a password from the AOL/MSN era) and has not been patched in over a year and a half, that defeats the purpose.
It should frankly be illegal to do any customer credit card processing on such systems.
If you are a very poor Asian, try putting Linux on it. The hardware will soon die anyway if you can't afford Windows 10, which will run on hardware from 2009 and later since it is based on the Windows 7.xx driver model.
http://saveie6.com/
GGGP was calling out Google, not Microsoft.
Good for them? That wasn't the person I was responding to. I was responding to the person who stated:
> None of the three players makes money on hardware or OS upgrades
And these "three players" being referenced are Microsoft, Google and Mozilla.
Microsoft, as it turns out, sells something called "Office" that provides more revenue than any other division. Then there's cloud services, which is cannibalizing Windows licenses and contributing to an ever decreasing year-over-year revenue percentage for Windows itself. The last version of the desktop OS was given away for free.
Considering MS is not in the hardware business, Windows 10 was free, and MS is betting its future revenue on cloud services instead of Windows Server licenses.
MS isn't in the hardware business? What decade do you live in? Never heard of the Xbox, Surface, Surface Pro, Surface Book and Lumia?
So you'd prefer more crypto downgrade attacks?
(The AC from above)
> If the OS is not secure anyway (XP was not designed with security in mind besides a password from the AOL/MSN era) and has not been patched in over a year and a half, that defeats the purpose.
Valid point. However, I was really commenting on just the SHA-1 cutoff. It is true that a lack of security updates will force people to update, but that isn't affected by the SHA-1 cutoff as best I can tell. So the cutoff isn't the evil money-hungry thing BitZtream has portrayed it as.
> It should frankly be illegal to do any customer credit card processing on such systems.
I agree! It is very dangerous at this point. Hopefully people will move on to Linux but... well we can hope.
If being a luddite means being against browser-specific "features" and being against browser wars, well, probably since inception. I invite you to read the comments on this 13 year old post:
http://slashdot.org/story/02/06/15/0013225/andreessen-on-the-browser-wars
There's plenty more, too.
Rather surprised with such a "low" UID you've not seen stuff like that for the past 15+ years.
GP probably used a perfectly good browser, just not IE. Stupid web dev probably detects user agent and only lets IE in.
> Considering MS is not in the hardware business
So they make phones, tablets, consoles, their own laptop, fitness bands and keyboards and mice but they aren't in the hardware business?
> Windows 10 was free,
For one year and only for consumers.
> and MS is betting its future revenue on cloud services instead of Windows Server licenses.
And yet those licenses are still a big portion of their revenue and revenue from that grew 6% just their last quarter.
And to add, I don't believe that this removal of SHA-1 is to force OS or hardware upgrades, but your claims were simply patently false.
Hasn't LibreSSL just removed SHA-0, decades after it got deprecated?
Manufacturers dump stuff on the market and never update it. Therefore poor people who can't afford to completely replace their devices can't use new crypto. Therefore either those people are screwed by being cut off, or the entire world is screwed by broken crypto. Note that this situation damages third parties.
The right answer is for governments to do their job and set some rules in the marketplace. I suggest these:
If you sell something, you are responsible for its software in perpetuity. You will release timely updates at no charge. When you stop releasing updates, even if it's been 50 years and even if the reason is that you're going out of business completely, you will unlock the devices and release full source code, documentation, and any necessary tool chain. You will also waive any IPR you have that might impede somebody else from releasing updates. And no, it is not enough to just let Grandma off in her village compile her own update; you have to let anybody who wants to distribute to her.
That's criminal law. If you don't do those things, those responsible for making that decision will go to prison. AND you will be civilly liable to anybody who's damaged by your failure.
Another possible item: If you own something and connect it to the Internet, you are civilly responsible for due diligence. Those updates the manufacturer provides? If you don't install them, and don't isolate the device properly, and your device gets used to hurt somebody else, you pay all their costs. Your un-updated phone got used to hack Intel? Hope you have liability insurance...
Please think a little bit outside of the box of your own environment, and act responsibly.
And acting responsibly is to remove insecure crypto not to keep it around. Are you ignorant of all the crypto downgrade attacks that have been found just in the last year?
Slashdot has been a website for luddites and neo-reactionaries ever since Red Hat adopted systemd and people caught on to the fact that Linus Torvalds is a caustic asshole. Apparently the same kinds of people who thought "Free Software" was "too political" get offended when you suggest that Free Software operating systems standardize on halfway-decent system infrastructure or that development communities try not to be toxic pieces of shit.
And before those same predictable neo-reactionaries come back and say I'm wrong or a "feminist shill" or whatever; systemd isn't perfect but it's a hell of a lot better than the 30-year-old infrastructure we used to use; the Free Software community needs to treat women and minorities at least better than proprietary software companies do; and using broken crypto, such as SHA-1, is literally worse than just sending everything in the clear.
> Why is it a bad thing to force upgrades in the name of security here?
The six year old car you are driving is not as secure as a car produced this year. You are required to upgrade.
The lock on your door is not as secure as today's locks. In the interest of security to your business you must change all locks on your premises.
Yes, these involve physical items and cost, but the concept is the same. What business is it of Microsoft, or Alphabet (Google), or Mozilla if someone is using an insecure piece of software? It's not their system.
Whatever happened to letting people decide how they manage their systems? Are we again dragging out the canard that developers or companies know more than the user, considering every iteration of all three products don't simply fix bugs but break things, including the UI, or remove features people used?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Google's Android toolkit is unsigned, so I find Google's world view uneven at best.
They can issue their own certificates, and downloads of apps are signed, yet the toolkit to make those apps downloads unsigned.
Eclipse warns you about it when you try to install their developer kit on Eclipse, and there's nothing you can do to fix it. Well, you could check the SHA1 of the installer!
Does it run Linux?
Everything I write is lies, read between the lines.
I don't think that UA has been a good detection method for a long time.... they all purport to be Mozilla by default for one thing. Also, all the major browsers will let you change your UA to whatever you want.
My eyes reflect the stars and a smile lights up my face.
I don't know why you were down modded, because you are correct. Yes, security is a big issue, but is it really up to my browser to determine what sites I am permitted to see or not? Instead of prohibiting a site with SHA-1, at best the browser should intercept the call and display a message that the site might not be secure. The browser's job is to display content, not to determine what sites I or anybody else might want to use. SHA-1 site? Fine, warn me, but it should still be my decision if I want to view it or not.
> millions of people in developing countries that still use browsers and operating systems that do not support SHA-2
A.K.A: botnets?
Well, when Baidu and Facebook no longer load and give a message to upgrade, people will do so or call someone who knows something.
I mean, nothing lasts forever. Do you use 2002 era phones still too? The internet is dangerous. IE 8 uses RAM when you have lots of tabs too. The users there are used to the bloat, and Firefox/Chrome, while being more CPU intensive, render JavaScript much, much faster with JIT.
This is a nudge, and my guess is any PC with 128 megs of RAM would be dead with bad caps dying on the board or PSU. Many systems in China that run are newer hardware downgraded to XP to cut costs since everyone pirates over there and XP is easy to do so compared to 7.
Things change, and there are Chinese versions of Linux in Mandarin for these users sponsored by the government. Some even have a LUNA-like UI too.
http://saveie6.com/
Are you still using WEP? You would think people would be more concerned about security with all the hacks every 15 minutes actually getting media attention.
Actually, you're the one that needs to go fuck themselves.
> So they make phones, tablets, consoles, their own laptop, fitness bands and keyboards and mice but they aren't in the hardware business?
Loss leaders to generate service revenue. Direct revenue from hardware sales is a drop in the bucket. That bucket is growing quarter over quarter, but so too is cost of revenue. Profit margins are low in hardware. But more importantly, and far more relevant to the "forced upgrade" argument: they do not sell PCs or server hardware that would be affected by killing SHA-1.
> Windows 10 was free,
> For one year and only for consumers.
When MS shuts off SHA-1 on July 1st, Windows 10 will still be free.
> and MS is betting its future revenue on cloud services instead of Windows Server licenses.
> And yet those licenses are still a big portion of their revenue and revenue from that grew 6% just their last quarter.
But with $15 billion invested in PaaS, there is nowhere to expand except by cannibalizing existing Windows Server revenue.
Actually the Surface is Microsoft's 2nd biggest revenue now. But the intention is not to be evil. It is to protect their image and customers as security conscious. For those developing websites the day couldn't come quick enough.
HTML 5 is more secure too and gives flexibility to website makers.
Jeez folks, nothing wrong with change. It is not an evil conspiracy for increased security.
http://saveie6.com/
Because you say so?
Why better?
Now you're at least making sense.
In the States we don't spend until after the collapse. And even then it's only because we need to put the bridge back up.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
All my modern hardware will have no problem with this change.
I have older hardware and software that simply doesn't know anything about SHA-2 and never will. Should that hardware stop functioning just because Google thinks that pulling down weather forecasts requires perfectly secure SSL connections?
Changing oil and timing belts doesn't obsolete the car, and they wear out. Software doesn't wear out, but for some reason we get forced into upgrades that INTENTIONALLY OBSOLETE FUNCTIONAL SOFTWARE ... and that's what I'm bitching about.
Just because you picked a nick that revolves around Microsoft doesn't mean my concerns have anything to do with MS, and indeed they don't. I could give a fuck what MS does.
And no, I won't install Linux just because you think I need an inferior experience. You assume Linux runs on my AVRs ... which it does not, just like SHA-2 doesn't, because there isn't enough CPU to do this shit in real time ... and I have many deployed with wiznet chips that do the TCP part ... including SSL ... and guess what ... linux doesn't run on them either, so fuck you and your linux fanboyism :)
Anything I have that will run Linux is capable of running FreeBSD so you won't catch me dead running Linux, and anything I have that isn't capable of running FBSD isn't capable of running Linux either, or Windows for that matter, so basically, STFU since you don't have any clue why I care.
Luddite, heh, do you even understand what the word means because you sure don't act like it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
https://bugzilla.mozilla.org/s...
Firefox currently only supports DHE with SHA1. Are they going to add support for SHA256 DHE when they disable SHA1?
To quote Michael Staruch from the above link: It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.
Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fallback to something else (with a second connection, if necessary) if weak dhparams are used by the server.
-=Lothsahn=-
The latest version of software doesn't run on an old OS on a clunky old PC.
Chrome dropped support for XP in April 2015. And does not have any support for OSX 10.4, which was the last good PPC release.
I'm guessing someone who is affluent wouldn't have noticed this. Not all of us can afford the hardware upgrade treadmill.
> The lock on your door is not as secure as today's locks. In the interest of security to your business you must change all locks on your premises.
This happens all the time. Insurance companies force businesses to change their locks, install alarm systems, etc. Either by changing the goal post with their premiums, or by simply rejecting an application for property insurance. I don't recall any time in the US where operating a business was an inalienable right. (You may be outside of the US, I'm taking a guess here given the assumptions I believe you've made)
“Common sense is not so common.” — Voltaire
> If the hardware is from 2008 or earlier you can install Linux for free?
It would be viable if we had a way to retrain millions of people in hundreds of countries who speak many different languages. I kind of hoped Ubuntu's founder would have the resources to do just that. But it doesn't seem to be happening.
“Common sense is not so common.” — Voltaire
What Mozilla, Microsoft, and Google do is largely irrelevant for adoption of standards. The adoption laggards are government-space IT, and they are still mandating support for 3DES, and vendors still offer it to be able to meet procurement requirements. While Google can grandstand all they want, big fed-space vendors like Cisco will be offering SHA1 for decades to come. This means it is, and will be, supported by default by the vast majority of networking infrastructure transporting and managing the vast majority of data traveling through every network out there.
That aside, SHA1 is still part of the mandatory TLS 1.0 ciphersuites; you can't deprecate it and still support TLS 1.0. There are also lots of issues with RSA and non-SHA1 Diffie-Hellman. As such, there are plenty of technical issues that still have to be solved prior to being able to drop it.
I'm pretty sure that it's possible to run an application effectively on a 128 MB - 256 MB machine that "top" reports as using 2.4 GB of resident memory. (Probably not 16 GB of virtual memory, though, as machines with physical RAM sizes that small are probably 32-bit.)
Maybe look up how RSS and VSIZE are computed? It's more complicated than you think and both generally significantly overestimate memory footprints of running applications.
>The six year old car you are driving is not as secure as a car produced this year. You are required to upgrade.
Windows XP is not a six year old car... it's more a car without brakes. You are not allowed to drive a car without brakes on normal roads, but on your private road you can do anything. You are not forced to trash the car; you just cannot use it every day.
XP is way too limited. You can keep it if you want, but after that date most sites will block you. Browse internal networks or any still-open site; just don't complain about those sites you cannot enter.
Higuita
Use linux instead of windows. Problem solved!
Higuita
oops, press submit way too fast! :)
If you have a computer with 128MB of RAM, you are talking about Pentium 1/2/3 / very old Athlon computers!!!
Buy a Raspberry Pi!! It has more memory, is probably faster and uses a lot less energy.
Also, Firefox uses as much memory as the tabs you have open. A clean Firefox with one tab open is using 230MB on a computer with 8GB... a 512MB computer is enough... not fast, but computers from that era aren't fast either.
Higuita
> When MS shuts off SHA-1 on July 1st, Windows 10 will still be free.
For one more month. I remember reading that Microsoft announced that the offer to upgrade compatible PCs with a valid Windows 7 or 8.1 license to Windows 10 without charge would be available only for the first year after the release of Windows 10. This year ends on July 29, 2016: "After the first year, upgrades will be paid via boxed product and VL Upgrades."
> Do you use 2002 era phones still too?
No, but I'm pretty sure my current phone was made in 2005 or earlier. It's an Audiovox 8610 flip phone, and I keep it because $7.50 per month on Virgin Mobile is a lot cheaper than a smartphone plan.
So weak crypto is worse than sending data in the clear? OK.
I think the rationale is that a false sense of security is worse than a true sense of insecurity.
Because some browser makers aren't smart enough to apply different policies to private internets from those that they apply to the public Internet. There's a reason IE implements the "Intranet zone", and other browser makers could likewise offer an option to be more lenient with addresses in 10/8, 172.16/12, and 192.168/16 prefixes.
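How a client could detect a SHA-1-signed certificate and express the intranet leniency suggested in the comment above (warn on private ranges rather than block outright), as an added example that is not code from any browser vendor or commenter here. It walks the DER to the signatureAlgorithm OID with no third-party library; the certificates it checks are constructed stubs, the RFC 1918 prefixes are the three named in the comment, and the accept/warn/reject labels are assumptions.

```python
"""Read the signatureAlgorithm OID straight from a DER-encoded X.509
certificate to spot SHA-1 signatures, then apply a "reject on the public
Internet, only warn on RFC 1918 ranges" policy.
Added example for this thread; the certificates below are constructed stubs."""
import ipaddress

# OID -> name for the signature algorithms this example recognises.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
# The three private prefixes named in the comment above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """OID content octets -> dotted string (first octet is 40*arc1 + arc2)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm (RFC 5280 s4.1)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, skipped whole
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def is_sha1_signed(der):
    return signature_algorithm(der) in SHA1_OIDS


def decide(der, peer_ip):
    """'accept' unless SHA-1 signed; then 'warn' for RFC 1918 peers, else 'reject'."""
    if not is_sha1_signed(der):
        return "accept"
    addr = ipaddress.ip_address(peer_ip)
    return "warn" if any(addr in net for net in RFC1918) else "reject"


# --- constructed stub certificates (not real, no valid signature) ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def make_stub_cert(sig_oid):
    # Dummy tbsCertificate padded past 127 bytes so long-form lengths are exercised.
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, encode_oid(sig_oid)) + b"\x00" * 200)
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")   # algorithm + NULL params
    sig = tlv(0x03, b"\x00" * 33)                         # BIT STRING, dummy bits
    return tlv(0x30, tbs + alg + sig)


SHA1_CERT = make_stub_cert("1.2.840.113549.1.1.5")
SHA256_CERT = make_stub_cert("1.2.840.113549.1.1.11")
```

On a real chain every certificate except a self-signed root should be checked the same way, since a SHA-1 intermediate weakens the chain as much as a SHA-1 leaf.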
SHA-1 is like a bridge marked for 10 tons of weight, but it actually can only carry 5 tons.
SHA-1 is like your 5-ton bridge marked as a 10-ton bridge when the occupied weight of a standard bus is 10 tons. I guess browser makers don't see much application for a 5-ton bridge apart from bicycles.
The notifications pages that come up need improvement to let people know what happened. Just because a certificate doesn't pass doesn't mean
Second, there need to be laws on the books that manufacturers must abide by to sell embedded products.
1. They must offer security updates for all embedded devices for 25 years.
2. They can EOL their product anytime prior by opening the devices to external developers and firmware.
3. Going bankrupt does not negate these responsibilities so each product must have an immediate action plan to comply with #2.
4. Every company must be audited yearly for #3.
The Android Studio download page is signed with a TLS certificate issued to *.google.com with serial number 04:32:D9:AF:F1:79:D0:7E and SHA-256 fingerprint:
It links to a 1.2 GB file, also behind an HTTPS URI. How is HTTPS insufficient to specify the publisher?
I dropped WEP in favor of WPA in June 2014, once GameSpy had shut down. The last pre-WPA device I had that needed WEP was a Nintendo DS, and online games for DS had relied on GameSpy.
I haven't heard anything dramatic in the SHA-1 front for quite some time now. How recent is that research? Years?
> Loss leaders to generate service revenue
So what? If they make and sell hardware they are in the hardware business.
> All my modern hardware will have no problem with this change.
> I have older hardware and software that simply doesn't know anything about SHA-2 and never will. Should that hardware stop functioning just because Google thinks that pulling down weather forecasts requires perfectly secure SSL connections?
> Changing oil and timing belts doesn't obsolete the car, and they wear out. Software doesn't wear out, but for some reason we get forced into upgrades that INTENTIONALLY OBSOLETE FUNCTIONAL SOFTWARE ... and that's what I'm bitching about.
> Just because you picked a nick that revolves around Microsoft doesn't mean my concerns have anything to do with MS, and indeed they don't. I could give a fuck what MS does.
> And no, I won't install Linux just because you think I need an inferior experience. You assume Linux runs on my AVRs ... which it does not, just like SHA-2 doesn't, because there isn't enough CPU to do this shit in real time ... and I have many deployed with wiznet chips that do the TCP part ... including SSL ... and guess what ... linux doesn't run on them either, so fuck you and your linux fanboyism :)
> Anything I have that will run Linux is capable of running FreeBSD so you won't catch me dead running Linux, and anything I have that isn't capable of running FBSD isn't capable of running Linux either, or Windows for that matter, so basically, STFU since you don't have any clue why I care.
> Luddite, heh, do you even understand what the word means because you sure don't act like it.
It's possible that SHA-1 will soon be nothing but security theatre. Look at MD5; now it can be broken in mere seconds. What you're suggesting is that we wait until the same thing happens with SHA-1. This strikes me as a *horrible* idea.
Why do you need to use Google on your older hardware? Do you have a browser on it? If so, do you really think that's a good idea?
The fact that you don't seem to be able to appreciate these points makes me doubt your technical competence.
Actually the Surface is Microsoft's 2nd biggest revenue now.
But even if it wasn't it would be absurd to say that a company that has been making and selling hardware for some 15 years is not in the hardware business. The entire claim is stupid.
They can always use a lower-footprint browser like Midori or others. I forget the name but there's a lightweight browser in some DSL versions. Those will run just fine but they'll want to install them (which you can do with DSL even though I've seen suggestions that you run it only from the live USB/CD) so as to have marginally better memory management options. It's certainly doable and probably won't be all that slow so long as they're not trying to run a lot of applications on them. There are a pile of distros optimized for older hardware that will suit just fine - like you said.
When I met my g/f she was angry and beating up her poor laptop in a hotel lobby. The laptop had Vista on it and only 1 GB of RAM. It has, obviously, been replaced now but I cleaned it up and it still runs fine. We were able to recover and move her data just fine. It now has Lubuntu on it and is in her luggage somewhere or she may have unpacked it and put it somewhere around the house. I doubt it will make the trip back home with us but it might, she seems marginally attached to it still so I have no idea what she'll do with it. It's not like she needs to keep it or anything but maybe we can find someone to donate it to after the drive's completely wiped. Or, I guess, she can keep it. (She seems to have a strange notion that I'm going to kick her out and take all the stuff back. Gifts are gifts, you don't take those back no matter what happens. Ah well...)
Anyhow, point being, you can manage with older hardware. Sometimes I get bored and will see just how usable older systems are today. I usually opt for something with LXDE and even a 10-year-old system with only 4 GB of RAM will run Lubuntu just fine. I seem to recall having installed it on systems with just 2 GB of RAM (aside from her laptop) and speaking only of modern, up-to-date versions. Her old laptop, for example, has 15.10 on it because she just updated it the other day. It browses with Thunderbird open (she's using Opera and a few extensions I think) and has some sync apps and even has a VNC viewer installed so she can log in to a system back home if she wants. (She's never actually been to Maine with me - she's only seen the house through the security cameras. We just kinda bumped into each other and she stuck.)
I suspect that if I really dug (or anyone else did) you could find even smaller and lighter distros. There's that Puppy Linux - I think I played with that one in a VM once. DistroWatch surely has others that I've forgotten about. They can even refine their search to search for specific distros that are aimed at older hardware. If their hardware is that old then there's bound to be a distro that will run on it with little to no tweaking.
"So long and thanks for all the fish."
Ah, we were as eloquent then as we are today. It brings back joyful memories and nearly brings tears to my eyes to see such joyous postings filling the site with quality user-generated content. It's not just art, it's not just prose, it's something more. Something I can't quite put my finger on, something I can't quite name, and yet - even if I could, I'm not sure I'd want to name it for then, if named, the magic may be lost for good.
Err... I'm soooo posting this as an AC. Thanks for the memories. That made me chuckle.
Why do none of these companies take the fucking responsible approach and issue a high-priority fix, even at out-of-support stages, to any product that has this issue?
Let's face it, XP is STILL a hugely used OS. Microsoft certainly aren't doing SHIT to change that.
They certainly aren't doing SHIT to deal with ActiveX either.
The same can be said of others dropping support.
Just because you drop support for features doesn't mean you need to stop security updates.
You can certainly drop the frequency and resources used for it, but not completely halt it.
They could even make people pay a little for these EOL products (which they do now), but instead they make people pay a shitload of money despite THEIR SITUATION BEING COMPLETELY UNCHANGED in the company.
> What business is it of Microsoft, or Alphabet (Google), or Mozilla if someone is using an insecure piece of software? It's not their system.
Herd immunity. Your insecure shit affects everybody on the internet. Which goes to the car thing... if your car is found to have a dangerous defect, the state you live in can black flag it and fine you or tow you if you drive it, until it is repaired. Or, in other cases you will not be able to get a certificate of inspection when your previous decal expires.
>Whatever happened to letting people decide how they manage their systems?
It turns out that 99% of them are fucking idiots that have open spam relays, scan other networks for, or otherwise cause problems.
But what's even funnier about your rant is this: no, you don't have to upgrade your broken old crap. You just don't get to talk to my server. By being able to talk to my server with your broken shit, you make my server more insecure.
Good riddance, you lice infected cur.
> just because Google thinks that pulling down weather forecasts requires perfectly secure SSL connections?
Yes. Because *everything* that is served with a Google cookie or by a Google server should be protected by strong encryption so you can't use one function to attack another function inside the same domain. I'm pretty sure you're fucking clueless at the risk profiles at this point and why so many different groups want to get rid of SHA-1.
Software does wear out. It wears out when it becomes a serious risk to everyone that uses it.
If your shit is old, broken and obsolete, you are now responsible for putting a SHA2+ > SHA-1 conversion between them at your own cost.
CloudFlare have another pragmatic proposal - require CAs to randomize the certificate serial numbers instead of using predictable sequential numbers. Note that this precaution would have made even MD5 certificates safe against current known attacks.
https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-than-it-is-to-find-a-sha-1-collision/
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
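The CloudFlare proposal quoted above works because a collision-based certificate forgery needs the attacker to predict the exact bytes the CA will sign; a serial number drawn from a CSPRNG takes that prediction away. The snippet below is an added illustration, not CloudFlare's code or anything from the linked post: `random_serial` builds a serial that stays a positive INTEGER of at most 20 DER octets (the RFC 5280 limit), `der_integer_octets` computes that encoded length, and `looks_sequential` is a simple audit check a defender can run over a CA's issued serials to spot the predictable, counter-style issuance the comment warns about. The function names, the 64-bit minimum (the CA/Browser Forum floor) and the `max_step`/`ratio` thresholds are my own assumptions; the sample serials are constructed.

```python
import secrets
from typing import Sequence

MAX_SERIAL_OCTETS = 20          # RFC 5280 4.1.2.2: serialNumber is at most 20 octets
MIN_SERIAL_ENTROPY_BITS = 64    # CA/Browser Forum minimum of CSPRNG output per serial


def der_integer_octets(value: int) -> int:
    """Length of the DER INTEGER content octets for a non-negative value.

    A positive INTEGER whose top bit is set needs a leading 0x00 byte,
    which is why 128 takes two octets while 127 takes one.
    """
    if value < 0:
        raise ValueError("certificate serials must be positive")
    return (value.bit_length() + 8) // 8


def random_serial(nbytes: int = 16) -> int:
    """Positive serial carrying (nbytes*8 - 1) bits of CSPRNG output.

    The most significant bit is cleared so the DER encoding never needs
    the sign-padding byte and therefore fits in `nbytes` octets.
    """
    if not MIN_SERIAL_ENTROPY_BITS // 8 <= nbytes <= MAX_SERIAL_OCTETS:
        raise ValueError("serial length must be between 8 and 20 octets")
    while True:
        value = int.from_bytes(secrets.token_bytes(nbytes), "big")
        value &= (1 << (nbytes * 8 - 1)) - 1   # force a positive INTEGER
        if value:                              # zero is not a valid serial
            return value


def looks_sequential(serials: Sequence[int], max_step: int = 1000,
                     ratio: float = 0.8) -> bool:
    """Audit heuristic (an assumption of this example, not a standard).

    Returns True when at least `ratio` of consecutive differences are small
    positive steps, i.e. the CA is handing out counter-like serials that an
    attacker could predict ahead of issuance.
    """
    if len(serials) < 2:
        return False
    steps = [b - a for a, b in zip(serials, serials[1:])]
    small = sum(1 for s in steps if 0 < s <= max_step)
    return small / len(steps) >= ratio


if __name__ == "__main__":
    # Constructed sample data: one counter-style CA and one randomised CA.
    counter_ca = [0x1000 + i for i in range(10)]
    random_ca = [random_serial() for _ in range(10)]
    print("counter CA predictable:", looks_sequential(counter_ca))  # True
    print("random CA predictable:", looks_sequential(random_ca))    # False
    print("max DER octets:", max(der_integer_octets(s) for s in random_ca))
```

Clearing the top bit costs one bit of entropy but keeps a 20-byte serial inside the 20-octet limit; a serial generated from 20 random bytes with the top bit set would encode to 21 octets and be rejected by strict parsers.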
So then I was correct in what I said. You driving around in an insecure car endangers the rest of us. The same thing with not having a more secure lock on your business which drives up my insurance costs.
Thanks a lot you infected cur.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If the server was compromised for example, you'd get right place, wrong file.
The same would be true if the build server was compromised.
In addition, for developers not quite as big as Google, one TLS certificate to obtain and keep renewed every year is cheaper in both time and CA fees than one TLS certificate for the website every year and one code signing certificate per platform per year. Or is there a counterpart to StartSSL or Let's Encrypt for code signing yet?
Whatever happened to letting people decide how they manage their systems? Are we again dragging out the canard that developers or companies know more than the user, considering every iteration of all three products doesn't simply fix bugs but breaks things, including the UI, or removes features people used?
If your system isn't connected to a network and ultimately the internet it doesn't make much difference. If it is then things change - events on your system can impact other systems. That doesn't really happen in your lock changing scenario, does it?
SQL Slammer worm wreaks havoc on Internet
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
I bought my mother who is 63 a Nokia 640. $55 and works with TracFone. Apps, email, navigation, IE 11, and it's nice on her eyes with big tiles.
http://saveie6.com/
> I bought my mother who is 63 a Nokia 640. $55 and works with TracFone.
How much does service for a Lumia 640 on TracFone cost per month?