Slashdot Mirror
Google Joins Mozilla, Microsoft In Pushing For Early SHA-1 Crypto Cutoff (blogspot.com)
itwbennett writes: Due to recent research showing that SHA-1 is weaker than previously believed, Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism. Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates.
Irrational post is irrational.
I think you should consider how one can hold these two thoughts simultaneously:
"
You want to promote better security, I'm right there with you.
You want to cut off older technology, using security as an excuse for forced upgrades ... well, you can go fuck yourself.
"
Good grief 15 years is a long time in technology. A very very long time. This platform has required workaround upon work around for over 10 years now.
The only reason die hards say it is not obsolete and great do not see what crippling and sacrifices are made just to bring a web page to render. Meanwhile the rest of us have inferior sites and products thanks to these cheap skates.
Time to move on. Maybe these poor Chinese will install Linux if they have very very old hardware? Anything from 2008 and newer can run a more secure and modern system
http://saveie6.com/
"Both companies have argued that there are millions of people in developing countries that still use browsers and operating systems that do not support SHA-2, the replacement function for SHA-1, and will therefore be cut off from encrypted websites that move to SHA-2 certificates."
that's ok - because they can just throw away perfectly good hardware because the software's out-of-date, discarding the older stuff in the hope that it doesn't end up in landfill but ends up in the developing world just like we do. wait... we're *already* talking about the developing world. so that means there's no fall-back - no incentive for the endless cycle of high-profit-with-bugs-and-security-vulnerabilities-so-you-buy-a-new-one, because there's not enough profit made from the sale of newer hardware in the developing market to justify pursuing it.
i _would_ recommend, at this point, that modular phones would be a good idea... except that if you now look at phonebloks you'll see that there's currently *six* separate and distinct, totally incompatible and entirely *not* open (i.e. not royalty-free, not patent-licensing-free etc.) hardware or open standard modular interoperable mobile phones.
plus, phones are not the only products that are insecure here: what about desktops, laptops and so on? it's not just the proprietary phones and proprietary tablets that will be *unable* to be upgraded because in order to effect an upgrade, it's likely that the entire OS will need to be replaced, it's *all* the computing devices that are hit by this problem.
as techies here on slashdot we understand that software keeps getting more and more complex, and that to recompile just one component (a security library) whilst keeping all the other, older components exactly the same is an extremely time-consuming software engineering task that NO PROPRIETARY HARDWARE VENDOR is going to commit to. in many cases they literally can't, especially the chinese OEMs, because the "O" for "originality" is a total sham in china: they receive binary-only (GPL-violating) distributions from an extremely secretive SoC manufacturer's close handful of partners, along with a Hardware Reference Design... and that's the end of the matter. they don't *HAVE* the source code. they *CAN'T* make the software upgrades even if they had customers willing to pay for the software engineers to do it.
so the only remaining choice, if the software cannot be upgraded, is to upgrade the hardware. and there literally isn't anyone except myself working on modular upgradeable computing appliances like laptops, desktops and so on. i've been looking for years, and i've even approached large companies: they've *actively* stated that they're not interested - the only reason i can think of is that they perceive there isn't enough guaranteed profit in modular computing because a competitor could come along and wipe them out with a faster or better compatible upgrade than they could produce in time. especially a chinese clone manufacturer.
so we're caught between a rock and a hard place, here. the current manufacturing-consumer cycle is highly-optimised for us in the 1st world, and we're effectively sleep-walking as to the consequences for ourselves and the rest of the world (which is just as the manufacturers want it) i outline this in more detail in a white paper i've written (below) - if in reading this you fully understand both the consequences and the nature of the problem and would like to do something about it, do contact me: i have some sponsors already and am open to more.
http://rhombus-tech.net/whitep...
Down-mod on the parent is ridiculous. "Using security as an excuse for forced upgrades" is indeed irrational. None of the three players makes money on hardware or OS upgrades, so the conjectured conspiracy theory is pure tinfoil-hattery.
SHA-1 is broken and needs to die. We aren't doing the developing world any favors by keeping it.
Since when has Slashdot become a Luddite websites for those that fear change?
XP is 15 years old! Things move on. We are tired of turning down 2008 era html 5 and leaving our phones with a better browser experience because of XP IE 6/8 compatibility from a different era. If the hardware is from 2008 or earlier you can install Linux for free?
Do you not change your oil and timing belts either
http://saveie6.com/
I have a printer that uses outdated crypto sitting on a VLAN only accessible from by internal computers. Because the powers that be have decided that it's insecure, I have to turn off https.... I just want to make sure that my recipe printed from my tablet before hauling my butt from the kitchen to the office.
Show a scary warning or something. But slightly weak crypto is better than pushing people to not use it.
GGGP was calling out Google, not Microsoft.
Chrome upgrades are free. Mozilla upgrades are free. Why is it a bad thing to force upgrades in the name of security here? That doesn't make any sense to me. It's not like anybody actually uses Microsoft's browsers anyways.
Keeping it around also makes everyone more vulnerable. Hope the people complaining about this enjoy the imminent downgrade attacks that will be used to MITM them.
Because if the history of Internet cryptography has shown us is that keeping around old ciphers and hashing algorithms is a wonderful idea. *rolls eyes*
Some of the talk about SHA-1 cutoff has been in terms of "Should we break the intertubes for the poor people who can't upgrade?"
Remember; we really don't have that choice. SHA-1 is doing the mathematical equivalent of creaking, groaning, and starting to splinter under load. Our choice is not whether to break SHA-1 or not; it is whether or not to pretend that SHA-1 isn't dangerously precarious.
It's like telling a structural engineer "We can't close that bridge! People need it to cross the river!". That's exactly why we must close the bridge; because if we don't there will be people on it when it falls into the river.
(That said, in environments where security is provided by other means, say a suitably isolated management-only network, there will continue to be a need for browsers that can interact with pitifully outdated SSL implementations for some time to come, probably a disgustingly long time; just as various ancient JVMs are currently kept around to interact with assorted horrible management interfaces, network KVMs, and the like. In practice, since virtualization is so cheap and such legacy systems should be kept the hell away from the internet, we'll probably just end up using an old browser version on a VM that is firewalled from everything except the legacy devices it is used to manage; but there will be places where compatibility will require accepting a known-pitiful authentication mechanism; but such environments should treat that mechanism purely as an archaic quirk, not as any sort of substitute for security.)
I'd like to point out that Firefox and Chrome still support all the way back to Windows XP (though Chrome support is ending April 2016). It is very easy to get a hold of the latest and most secure browsers available. If people are not willing to upgrade their browsers after the cutoff, well I doubt they will upgrade their operating system (because upgrading a browser is trivial, at least in comparison to upgrading an OS).
This is not what will force people to upgrade. Maybe other things, but not this.
Note: This was written more to answer the Microsoft side of the problem. Why would Google be pushing upgrades? (Genuine question)
If the OS is not secure anyway (XP was not designed with security in mind besides a password from the AOL/MSN era) and has not been patched in over a year and half defeats the purpose.
It should frankly be illegal to do any customer credit card processing on such systems.
If you are very poor Asian try putting Linux. The hardware will soon die anyway if you can't afford Windows 10 which will run on hardware from 2009 and later since it is based on the Windows 7.xx driver model.
http://saveie6.com/
Microsoft, as it turns out, sells something called "Office" that provides more revenue than any other division. Then there's cloud services, which is cannibalizing Windows licenses and contributing to an ever decreasing year-over-year revenue percentage for Windows itself. The last version of the desktop OS was given away for free.
Considering MS is not in the hardware business, Windows 10 was free, and MS is betting its future revenue on cloud services instead of Windows Server licenses.
So you'd prefer more crypto downgrade attacks?
Considering MS is not in the hardware business
So they make phones, tablets, consoles, their own laptop, fitness bands and keyboards and mice but they aren't in the hardware business?
Windows 10 was free,
For one year and only for consumers.
and MS is betting its future revenue on cloud services instead of Windows Server licenses.
And yet those licenses are still a big portion of their revenue and revenue from that grew 6% just their last quarter.
And to add, I don't believe that this removal of SHA-1 is to force OS or hardware upgrades, but your claims were simply patently false.
please think a little bit outside of the box of your own environment, and act responsibly.
And acting responsibly is to remove insecure crypto not to keep it around. Are you ignorant of all the crypto downgrade attacks that have been found just in the last year?
Slashdot has been a website for luddites and neo-reactionaries ever since Red Hat adopted systemd and people caught on to the fact that Linus Torvalds is a caustic asshole. Apparently the same kinds of people who thought "Free Software" was "too political" get offended when you suggest that Free Software operating systems standardize on halfway-decent system infrastructure or that development communities try not to be toxic pieces of shit.
And before those same predictable neo-reactionaries come back and say I'm wrong or a "feminist shill" or whatever; systemd isn't perfect but it's a hell of a lot better than the 30-year-old infrastructure we used to use; the Free Software community needs to treat women and minorities at least better than proprietary software companies do; and using broken crypto, such as SHA-1, is literally worse than just sending everything in the clear.
Why is it a bad thing to force upgrades in the name of security here?
The six year old car you are driving is not as secure as a car produced this year. You are required to upgrade.
The lock on your door is not as secure as today's locks. In the interest of security to your business you must change all locks on your premises.
Yes, these involve physical items and cost, but the concept is the same. What business is it of Microsoft, or Alphabet (Google), or Mozilla if someone is using an insecure piece of software? It's not their system.
Whatever happened to letting people decide how they manage their systems? Are we again dragging out the canard that developers or companies know more than the user considering every iteration of all three products don't simply fix bugs but break things, including the UI, or remove features people used.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Does it run Linux?
Everything I write is lies, read between the lines.
I don't think that UA has been a good detection method for a long time.... they all purport to be Mozilla by default for one thing. Also, all the major browsers will let you change your UA to whatever you want.
My eyes reflect the stars and a smile lights up my face.
I don't know why you were down modded, because you are correct. Yes, security is a big issue, but is it really up to my browser to determine what sites I am permitted to see or not? Instead of prohibiting a site with SHA-1, at best the browser should intercept the call and display a message that the site might not be secure. The browser's job is to display content, not to determine what sites a person I or anybody else might want to use. SHA-1 site? Fine, warn me, but it should still be my decision if I want to view it or not.
Well when baduu and facebook no longer load and give a message to upgrade people will do so or call someone who knows something.
I mean nothing lasts forever. Do you use 2002 era phones still too? The internet is dangerous. IE 8 uses ram when you have lots of tabs too. The users there are used to the bloat and Firefox/Chrome while being more cpu intensive render javascript much much faster JIT.
This is a nudge and my guess is any pc with 128 megs of ram would be dead with bad caps dying on the board or PSU. Many systems in China that run are newer hardware downgraded to XP to cut costs since everyone pirates over there and XP is easy to do so compared to 7.
Things change and there are chinese versions of Linux in Mandrin for these users sponsored by the government. Some even have an LUNA like UI too
http://saveie6.com/
Are you still using WEP? You would think people would be more concerned about security with all the hacks every 15 minutes actually getting media attention.
So they make phones, tablets, consoles, their own laptop, fitness bands and keyboards and mice but they aren't in the hardware business?
Loss leaders to generate service revenue. Direct revenue from hardware sales is a drop in the bucket. That bucket is growing quarter over quarter, but so too is cost of revenue. Profit margins are low in hardware. But more importantly, and far more relevant to the "forced upgrade" argument: they do not sell PC's or server hardware that would be affected by killing SHA-1.
Windows 10 was free,
For one year and only for consumers.
When MS shuts off SHA-1 on July 1st, Windows 10 will still be free.
and MS is betting its future revenue on cloud services instead of Windows Server licenses.
And yet those licenses are still a big portion of their revenue and revenue from that grew 6% just their last quarter.
But with $15 billion invested in PaaS, there is nowhere to expand except by cannibalizing existing Windows Server revenue.
Actually the surface is Microsoft's 2nd biggest revenue now. But the intention is not to be evil. It is to protect their image and customers as security conscious. For those developing websites the day couldn't come quick enough.
Html 5 is more secure too and gives flexibility to website makers.
Jeez folks nothing wrong with change. It is not an evil conspiracy for increased security
http://saveie6.com/
I agree with that.
Doesn't mean it's not the right thing to do...
Actually yes. Hiding the costs is not OK and externalizing them is worse.
In this particular case, though, it might actually be cheaper to just upgrade all the affected devices than to screw around with some of the proposed workarounds. It's not free for, say, Facebook to come up with whatever weird fallback hack they're pushing. By the time you add up the costs of everybody having to deploy that kind of crap, it would almost certainly be cheaper just to fund somebody to fix most or all of the affected devices. It might or might not be hard to raise the capital to do that. But as it stands you can't do it anyway, because there are a bunch of other barriers in the way.
In the States we don't spend until after the collapse. And even then it's only because we need to put the bridge back up.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
All my modern hardware will have no problem with this change.
I have older hardware and software that simply doesn't know anything about SHA-2 and never will. Should that hardware stop functioning just because Google thinks that pulling down weather forecasts requires perfectly secure SSL connections?
Changing oil and timing belts don't obsolete the car, and they wear out. Software doesn't wear out, but for some reason we get forced into upgrades that INTENTIONALLY OBSOLETE FUNCTIONAL SOFTWARE ... and thats what I'm bitching about.
Just because you picked a nick that revolves around Microsoft doesn't mean my concerns have anything to do with MS, and indeed they don't. I could give a fuck what MS does.
And no, I won't install Linux just because you think I need an inferior experience. You assume Linux runs on my AVRs ... which it does not, just like SHA-2 doesn't, because there isn't enough CPU to do this shit in real time ... and I have many deployed with wiznet chips that do the TCP part ... including SSL ... and guess what ... linux doesn't run on them either, so fuck you and your linux fanboyism :)
Anything I have that will run Linux is capable of running FreeBSD so you won't catch me dead running Linux, and anything I have that isn't capable of running FBSD isn't capable of running Linux either, or Windows for that matter, so basically, STFU since you don't have any clue why I care.
Luddite, heh, do you even understand what the word means because you sure don't act like it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
https://bugzilla.mozilla.org/s...
Firefox only currently supports DHE with SHA1. Are they going add support for SHA256 DHE when they disable SHA1?
To quote Michael Staruch from the above link: It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.
Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fallback to something else (with a second connection, if necessary) if weak dhparams are used by the server.
-=Lothsahn=-
The lock on your door is not as secure as today's locks. In the interest of security to your business you must change all locks on your premises.
This happens all the time. Insurance companies force businesses to change their locks, install alarm systems, etc. Either by changing the goal post with their premiums, or by simply rejecting an application for property insurance. I don't recall any time in the US where operating a business was an inalienable right. (You may be outside of the US, I'm taking a guess here given the assumptions I believe you've made)
“Common sense is not so common.” — Voltaire
If the hardware is from 2008 or earlier you can install Linux for free?
It would be viable if we had a way to retrain millions of people in hundreds of countries who speak many different languages. I kind of hoped Ubuntu's founder would have the resources to do just that. But it doesn't seem to be happening.
“Common sense is not so common.” — Voltaire
What Mozilla, Microsoft, and Google do is largely irrelevant for adoption of standards. The adoption laggards are government-space IT, and they are still mandating support for 3DES and vendors still offer it to be able to meet procurement requirements. While Google can grandstand all they want, big fed-space vendors like CISCO will be offering SHA1 for decades to come. This means it is, and will be supported by default by a vast majority of networking infrastructure transporting and managing vast majority of data traveling through every network out there.
That aside, SHA1 is still part of mandatory TLS 1.0 ciphersuites, you can't deprecate it and still support TLS 1.0. There are also lots of issues with RSA and non-SHA1 diffie-hellman. As such, there are plenty of technical issues that still have to be solved prior to be able to drop it.
> Keeping it around also makes everyone more vulnerable.
No, that's the whole point of the Facebook/Cloudflare TLS switcher. Nobody gets SHA-1 signatures that can handle SHA-2.
There's something like 37 million people who can't handle SHA-2 yet. SHA-1 collisions are not a bigger risk than them running insecure HTTP instead of SHA-2-signed TLS.
Yes, if wishes were unicorns they'd all have DANE-validated TLSv1.2 with ECDHE and PFS, but not even Bernie can make that happen.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
>The six year old car you are driving is not as secure as a car produced this year. You are required to upgrade.
Windows XP is not a six year old car... is more a card without breaks. you are not allowed to drive a car without break on normal roads, but on your private road, you can do anything. you are not forced to trash the car, just can not use it for every day.
XP is way too limited. you can keep it if you want, but after that date, most sites will block you. browser internal networks or any still open site, just don't complain about those sites you can not enter.
Higuita
Use linux instead of windows. Problem solved!
Higuita
oops, press submit way too fast! :)
If you have a computer with 128MB of RAM, you are talking about pentium 1/2/3 /very old athlon computers!!!
buy a Raspberry PI !! it have more memory and probably faster and uses a lot less energy.
also, firefox uses as much memory as tabs you have open. a clean firefox with one tab open is using 230MB on a computer with 8GB... a 512MB computer is enough... not fast, but computers from that era aren't fast too
Higuita
When MS shuts off SHA-1 on July 1st, Windows 10 will still be free.
For one more month. I remember reading that Microsoft announced that the offer to upgrade compatible PCs with valid a Windows 7 or 8.1 license to Windows 10 without charge would be available only for the first year after the release of Windows 10. This year ends on July 29, 2016: "After the first year, upgrades will be paid via boxed product and VL Upgrades.”
Do you use 2002 era phones still too?
No, but I'm pretty sure my current phone was made in 2005 or earlier. It's an Audiovox 8610 flip phone, and I keep it because $7.50 per month on Virgin Mobile is a lot cheaper than a smartphone plan.
Manufacturers dump stuff on the market and never update it. Therefore poor people who can't afford to completely replace their devices can't use new crypto.
That is a load of crap. Either manufacturers have been creating things with poor security (different debate) or people are using equipment long past their usable life span. It's replacement has been around for 15 years. Windows XP and IE6 support SHA-2. Specific devices are most likely in a scrap heap in China, or used in such critical services that users know the exact risks and are either working around them or living with them (and unlikely to be browsing Facebook anyway).
So weak crypto is worse than sending data in the clear? OK.
I think the rationale is that a false sense of security is worse than a true sense of insecurity.
Because some browser makers aren't smart enough to apply different policies to private internets from those that they apply to the public Internet. There's a reason IE implements the "Intranet zone", and other browser makers could likewise offer an option to be more lenient with addresses in 10/8, 172.16/12, and 192.168/16 prefixes.
SHA-1 is like a bridge marked for 10 tons of weight, but it actually can only carry 5 tons.
SHA-1 is like your 5-ton bridge marked as a 10-ton bridge when the occupied weight of a standard bus is 10 tons. I guess browser makers don't see much application for a 5-ton bridge apart from bicycles.
The notifications pages that come up need improvement to let people know what happened. Just because a certificate doesn't pass doesn't mean
Second there needs to be laws on the books that manufactures must abide by to sell embedded products.
1. They must offer security updates for all embedded devices for 25 years.
2. They can EOL their product anytime prior by opening the devices to external developers and firmware.
3. Going bankrupt does not negate these responsibilities so each product must have an immediate action plan to comply with #2.
4. Every company must be audited yearly for #3.
You realize that phrase is self-contradictory, right?
You realize that PC operating systems aren't the big problem, right?
Facebook disagrees with your assessment of what people are using to browse Facebook, and is doing a lot of work to support those out of date systems.
The Android Studio download page is signed with a TLS certificate issued to *.google.com with serial number 04:32:D9:AF:F1:79:D0:7E and SHA-256 fingerprint:
It links to a 1.2 GB file, also behind an HTTPS URI. How is HTTPS insufficient to specify the publisher?
I dropped WEP in favor of WPA in June 2014, once GameSpy had shut down. The last pre-WPA device I had that needed WEP was a Nintendo DS, and online games for DS had relied on GameSpy.
Loss leaders to generate service revenue
So what? If they make and sell hardware they are in the hardware business.
They can always use a lower-footprint browser like Midori or others. I forget the name but there's a lightweight browser in some DSL versions. Those will run just fine but they'll want to install them (which you can do with DSL even though I've seen suggestions that you run it only from the live USB/CD) so as to have marginally better memory management options. It's certainly do-able and probably won't be all that slow so long as they're not trying to run a lot of applications on them. There are a pile of distros optimized for older hardware that will suit just fine - like you said.
When I met my g/f she was angry and beating up her poor laptop in a hotel lobby. The laptop had Vista on it and only 1 GB of RAM. It has, obviously, been replaced now but I cleaned it up and it still runs fine. We were able to recover and move her data just fine. It now has Lubuntu on it and is in her luggage somewhere or she may have unpacked it and put it somewhere around the house. I doubt it will make the trip back home with us but it might, she seems marginally attached to it still so I have no idea what she'll do with it. It's not like she needs to keep it or anything but maybe we can find someone to donate it to after the drive's completely wiped. Or, I guess, she can keep it. (She seems to have a strange notion that I'm going to kick her out and take all the stuff back. Gifts are gifts, you don't take those back no matter what happens. Ah well...)
Anyhow, point being, you can manage with older hardware. Sometimes I get bored and will see just how usable older systems are today. I usually opt for something with LXDE and even a 10 year old system with only 4 GB of RAM will run Lubuntu just fine. I seem to recall having installed it on systems with just 2 GB of RAM (aside from her laptop) and speaking only of modern, up to date, versions. Her old laptop, for example, has 15.10 on it because she just updated it the other day. It browses with Thunderbird open (she's using Opera and a few extensions I think) and has some sync apps and even has a VNC viewer installed so she can log in to a system back home if she wants. (She's never actually been to Maine with me - she's only seen the house through the security cameras. We just kinda bumped into each other and she stuck.)
I suspect that if I really dug (or anyone else did) you could find even smaller and lighter distros. There's that Puppy Linux - I think I played with that one in a VM once. DistroWatch surely has others that I've forgotten about. They can even refine their search to search for specific distros that are aimed at older hardware. If their hardware is that old then there's bound to be a distro that will run on it with little to no tweaking.
"So long and thanks for all the fish."
> What business is it of Microsoft, or Alphabet (Google), or Mozilla if someone is using an insecure piece of software? It's not their system.
Herd immunity. Your insecure shit affects everybody on the internet. Which goes to the car thing... if your car is found to have a dangerous defect, the state you live in can black flag it and fine you or tow you if you drive it, until it is repaired. Or, in other cases you will not be able to get a certificate of inspection when your previous decal expires.
>Whatever happened to letting people decide how they manage their systems?
It turns out that 99% of them are fucking idiots that have open spam relays, scan other networks for, or otherwise cause problems.
But what's even funnier about your rant, is not, you don't have to upgrade your broken old crap. You just don't get to talk to my server. By being able to talk to my server with your broken shit, you make my server more insecure.
Good riddance, you lice infected cur.
> just because Google thinks that pulling down weather forecasts requires perfectly secure SSL connections?
Yes. Because *everything* that is served with a Google cookie or by a Google server should be protected by strong encryption so you can't use one function to attack another function inside the same domain. I'm pretty sure you're fucking clueless at the risk profiles at this point and why so many different groups want to get rid of SHA-1.
Software does wear out. It wears out when it becomes a serious risk to everyone that uses it.
If your shit is old, broken and obsolete, you are now responsible for putting a SHA2+ > SHA-1 conversion between them at your own cost.
CloudFlare have another pragmatic proposal - require CAs to randomize the certificate serial numbers instead of using predictable sequential numbers. Note that this precaution would have made even MD5 certificates safe against current known attacks.
https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-than-it-is-to-find-a-sha-1-collision/
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
So then I was correct in what I said. You driving around in an insecure car endangers the rest of us. The same thing with not having a more secure lock on your business which drives up my insurance costs.
Thanks a lot you infected cur.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If the server was compromised for example, you'd get right place, wrong file.
The same would be true if the build server was compromised.
In addition, for developers not quite as big as Google, one TLS certificate to obtain and keep renewed every year is cheaper in both time and CA fees than one TLS certificate for the website every year and one code signing certificate per platform per year. Or is there a counterpart to StartSSL or Let's Encrypt for code signing yet?
Whatever happened to letting people decide how they manage their systems? Are we again dragging out the canard that developers or companies know more than the user considering every iteration of all three products don't simply fix bugs but break things, including the UI, or remove features people used.
If your system isn't connected to a network and ultimately the internet it doesn't make much difference. If it is then things change - events on your system can impact other systems. That doesn't really happen in your lock changing scenario, does it?
SQL Slammer worm wreaks havoc on Internet
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
I bought my mother who is 63 a Nokia 640. $55 and works with tracfone. Apps, email, navigation, IE 11, and a nice on her eyes with big tiles.
http://saveie6.com/
I bought my mother who is 63 a Nokia 640. $55 and works with tracfone.
How much does service for a Lumia 640 on TracFone cost per month?
You realize that phrase is self-contradictory, right?
I work for a company where the vendor calls us when someone else has support questions about their old equipment. Equipment that is EOL many years ago yet none the less is used in many places. The statement is only theoretically contradictory. In the business sense, legal sense, and practical sense it is a very real scenario.
.You realize that PC operating systems aren't the big problem, right?
Yes, did you see my point about equipment past usable life, and idiot vendors? Or did you just scroll straight down to the XP comment?
Facebook disagrees [facebook.com] with your assessment of what people are using to browse Facebook
They may disagree with what is being used to browse Facebook but they are unlikely disagreeing with why. Or do you actually think that 3-7% of Facebook's mostly millennial user base is using Windows 2000? Facebook shouldn't be working around the problem they should be identifying it and telling users to updated their broken old obsolete crap, because lets face it SHA-1 is most probably only a small part of the security issues affecting the devices in question.