You do that by going to a business, at which point they will look over it, decide if it's worth it, edit it, print it, get stores to put it on the shelves, and take a cut of your profits.
I believe these businesses are called 'book publishers'.
40% is an entirely normal markup on pretty much everything people buy retail. I have no idea why books would be any different than a pair of scissors or frozen pizzas. Sometimes it's going to one person, sometimes two, but I promise you, almost everything you purchase has about half the price go to some people in the middle somewhere.
And please notice that people in the middle actually moved the thing to you from the factory, either via their trucks, or via UPS. And processed your individual credit card purchase, and handled refunds and exchanges, and rented storefront and/or warehouse space, and paid clerks to sell it to you, etc, etc...
When you state it as a lump sum of 40% it seems unfair, but if you can do it cheaper, feel free to open your own store.
Also, 15% is not going to the 'producer' of a book. Publishing companies have editors, and they have printers, they are at the least 'co-producing' the book. In fact, if you apply theatre terminology, they would be called the actual 'producers'.
Try pointing out she's sexist, which is how I look at the whole 'gay marriage' thing. I don't care one whit about 'sexual orientation'. The only relevant fact is that in many places men can marry women, and women can't marry women. Females are excluded from marrying women because of their gender. Seems obviously sexist to me. It has nothing to do with any sort of 'orientation', protected right or otherwise, at all...it's straight-up sexual discrimination.
She'll try to pull 'They can each marry the opposite gender' crap...yeah, just like white and black people can each use their own different water fountain. Or men and women can go to their own different colleges. 'Separate but equal' is not acceptable, the fact that each gender has their own entirely separate set of people they can marry is not the same thing as non-discrimination.
I've never heard of the godaddy deal, that actually sounds reasonable. I have heard of the www thing, but never found a place that did it, just the wildcard cert having the non-wildcard thrown in.
Last I looked at the thing, a few years ago, it was so complicated and I couldn't actually purchase one, so I just went with three IPs.
TLS instead of SSL should help with this as it occurs later within the HTTP negotiation so you can supply a certificate to match the virtual host.
That's not technically 'TLS', that's SNI (Server Name Indication) which is an extension to TLS. Also, it's the other way around...the cert isn't given later, the name is supplied earlier. Specifically, when the browser connects to the server and they're negotiating encryption, the browser, in addition to saying 'I support 256-bit foo, 512-bit foo, and 512-bit bar ciphers' and other things like that, also says 'I am trying to visit the domain example.org'. This allows the right cert to be given at cert-giving time, which is immediately after that negotiation segment.
After all that, on top of the encrypted connection that was just set up, an HTTP session starts, at which point the browser again supplies the Host: header, like it does during the unencrypted connections. This is the first time the server knows the domain without SNI, but it would be much too late for the server to supply the correct cert.
Browsers can support TLS but not SNI, like IE on XP. They won't provide that info during negotiations, and the server will just...guess the cert.
And you're right that SSL can't do it at all, although most people say 'SSL' to now mean 'TLS', so that's nice and confusing.
And the sole common browser that doesn't support it is any version of IE on XP. Sadly, that's a lot of users. Over 50% of Windows users are still on XP, and something like 80% of Windows users are in IE, so that comes out to something like 40% of total web visitors.
No one uses SAN. SAN certs are not even purchasable for normal mortals, you have to get special accounts at the few places that do them, and each name is the 'full price' of the high end certs. It's not like you can throw five domain names in a $10 cert.
And I actually think you're wrong, IE6 supports SAN. In fact, I think IE5 supported SAN. SAN was actually part of X.509 from the start, and almost everything that supports SSL supports it. It was just DOA because it's not how certs are purchased and sold, and are purchased for individual domains, and no one is going to go add a new domain to their existing cert and get it re-signed. Anyone big enough to be doing SAN is big enough to dedicate IPs to start with, or just wildcard it.
In fact, wildcard certs are about the only SAN certs you'll ever run into in the wild, so they can do example.com and *.example.com on the same cert. Otherwise, no, they don't exist. I actually think it would be interesting to try to find an actual SAN-cert signed site (Say that three times fast.) out there. Anyone got a link? (Remember, we don't need a login or anything to see the cert.)
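The two mechanisms discussed above, the browser naming the host inside the ClientHello so the server can pick a cert before anything is encrypted, and a wildcard SAN cert covering both example.com and *.example.com, as an added Python example that is not from the original comments. The ClientHello bytes are constructed here, and the rule that a server with no SNI to go on falls back to its first virtual host is an assumption about how the "guess" works.

```python
import struct

# Minimal TLS ClientHello builder (constructed sample data, not a real capture).
# The record carries only the fields the parser below needs; the random is zeroed.
def build_client_hello(server_name=None) -> bytes:
    client_random = bytes(32)                     # constructed: all zeros
    session_id = b"\x00"                          # empty session id
    cipher_suites = b"\x00\x04" + b"\x00\x2f\x00\x35"   # two suites, 4 bytes
    compression = b"\x01\x00"                     # one method: null
    body = b"\x03\x03" + client_random + session_id + cipher_suites + compression
    if server_name is not None:
        # server_name extension (type 0): list of (name_type=0, len, host_name)
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None if
    the client (e.g. IE on XP) sent no server_name extension at all."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version + random
    pos += 1 + ch[pos]                             # session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                             # compression_methods
    if pos >= len(ch):
        return None                                # no extensions block: old client
    ext_total = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
    return None


def hostname_matches(pattern: str, host: str) -> bool:
    """SAN matching: '*.example.com' covers exactly one extra label, so it
    matches www.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def select_certificate(certs, sni_name, default_index=0):
    """certs is a list of SAN-name lists, one per virtual host on the same IP.
    Returns the index of the cert to present. With no SNI the server cannot
    know the host yet, so it falls back to the default (assumed: first) vhost."""
    if sni_name is None:
        return default_index
    for i, sans in enumerate(certs):
        if any(hostname_matches(p, sni_name) for p in sans):
            return i
    return default_index


if __name__ == "__main__":
    # constructed vhosts: a wildcard SAN cert and a single-name cert on one IP
    certs = [["example.com", "*.example.com"], ["shop.example.net"]]
    for hello in (build_client_hello("www.example.com"), build_client_hello(None)):
        name = parse_client_hello_sni(hello)
        print(name, "->", select_certificate(certs, name))
```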
The problem is XP's lack of SNI. That's pretty much it.
MS, once again, is fucking over web development by refusing to implement new standards that fix serious problems.
Then you're an idiot or have no visitors, as that doesn't work on IE under XP for different certs.
Incidentally, SNI has only been in Apache for 5 years, so I have no idea what you thought you were doing those first five years, but it wasn't working unless you were using the same cert on all sites.
He says 'it's still better than plain-text!' and you say 'Unfortunately that is not the case.' because you've been trained that it's not the case.
And then you are forced to actually justify why it's not the case, and end up saying 'So it is a bit better than plain text'.
So, basically, you admit he's right, but you've been told over and over he's wrong, so you somehow think he must be wrong, even though you just admitted he was right.
There is no justification for warning people about unsigned encryption if you're going to let them do plaintext without a warning. Anyone who thinks about this has to admit that. Even people like you who can't admit it...have to admit it.
but if you care enough about the content to use HTTPS in the first place then "a bit better" is not enough.
What a dumb statement. If you care enough about content to use signed HTTPS, then obviously unsigned HTTPS is not enough.
Of course, NO ONE IS TALKING ABOUT LOWERING THE SECURITY OF ANY SITE. The question was explicitly talking about currently-plaintext sites. As is the article. There's no possible way to misunderstand this.
Here's what's going on:
People have been told, and they 'know', that unsigned encryption is 'bad', and yet when actually faced with 'Hey, why don't we just have all plaintext websites use unsigned encryption', they cannot actually come up with the reasons that would be bad.
So they are forced to make a desperate leap sideways and pretend that people were talking about replacing signed certs with them, despite the question explicitly talking about plaintext, and explicitly saying that secure sites should be signed.
Really, folks, the next time you need to see 'cognitive dissonance' in action, ask 'Why can't I use self-signed certs instead of plaintext? Why is there a warning when I just want to protect a forum login? Isn't self-signed more secure than plaintext?' to people who 'know about security', aka, who have been trained with the common wisdom, and watch their brains melt down.
They know one thing, 'self-signed is insecure and shouldn't be used' and yet logic leads them to the opposite conclusion, 'self-signed is better than plaintext' and they end up producing the weirdest nonsense you've ever seen trying to explain it. It's fucking hilarious, it's textbook 'cognitive dissonance'. I've actually come to the conclusion it's almost a 'security troll' on Slashdot.
Sadly, now they have the 'Oh, but you can get signed cert cheaply' now to fall back on, so it's less fun, and they will always end there. Of course, that wasn't the question at all, and that doesn't work if you're IP-limited anyway, thanks to the non-support of SNI. Self-signed wildcards are the only workable solution there, or would be if you could use self-signed certs reasonably. As it is there's no solution.
The average fucking moron doesn't care if it's an SSL site at all.
And even if they have been trained, they've been trained to look for a locked padlock or a green bar, not 'https'. So the idea that 'millions would be fooled if we'd just show them the connection without doing the 'secure' indicators' is just total nonsense. No one's been trained to 'https'. Just show them the damn site without a padlock.
Of course, even if they have learned enough that it should be a locked padlock or even a green bar, they can be tricked by intercepting the unencrypted paypal.com, and sending them to paypal.securityblahblah.com. Oh, look, a green bar, that must be secure!
Like I said above...we've decided that the way to stop people from being tricked is to require all doors on the internet to be steel doors laser-etched with a hologram of their address.
This hasn't, in any way, actually solved any security issue, because the problem is not, and has never been, people setting up fake doors at the correct address of the business, aka, man-in-the-middle attacks. The problem is people directing users to fake locations, where they can, indeed, provide real, verified doors that are for that address....in case anyone cares about the laser-etched doors, which they don't.
Meanwhile, almost nowhere has any doors to start with, because they are expensive and complicated.
Without some way for Bob to verify that the person claiming to be "Alice" is, indeed, the real Alice that's about as much use as an ashtray on a motorbike.
There's a whole section of attacks that are made impossible with unverified SSL. Like passive sniffing.
I used to try to nicely convince people of this, but fuck it. You morons are arguing that wooden doors shouldn't exist because people can break in through them.
No one can actually think that protecting people against passive sniffing is a bad thing we should warn users about. That it is somehow worse than an unencrypted connection. It is literally impossible to actually hold that thought in your head, so stop regurgitating the nonsense you've had drilled into your brain about this, and actually THINK about the actual thing you're saying.
A world where all current HTTP connections were encrypted without verification would be vastly more secure, in multiple ways, than the current unencrypted connections. And that system does not, in any way, exclude the existence of current signed HTTPS connections. But thanks to morons who think 'Weak security is worse than none at all', we instead have a system set up where we have...no security at all.
We know about goddamn hypothetical man-in-the-middle attacks. And we know that for every hypothetical man-in-the-middle attack, it was ten times easier for someone to just sniff your connection and steal your email login, and, oh, request a new password from Paypal or whatever. Because your webmail is at a shared host that can't run SSL on the same IP.
Good job requiring all doors to be made out of solid steel with the street address of the company laser-etched into them in an unforgeable hologram. Now all those imaginary fake doors that people might hypothetically have been throwing up can't happen.
Of course, in the actual world, people just use a similar address, that they actually own, and can actually get a legit door for. And most buildings don't have any fucking doors at all because they're too expensive to get and set up.
I understand AT&T has an overloaded network. I understand they need to control how much data goes over it, both in an absolute amount, and worries about the packet size and stuff. (Which probably just means they need to worry about total packet size, instead of payload size.) They can charge people whatever they think is reasonable for that, in different ways, with different plans.
But I don't quite see why they have the right to worry about where the data is coming from or going. I know they claim to have such a right, and perhaps they do under the law, but I don't understand why they would have that right.
What isn't clear here, and I wish they'd clarify, is if they only care about people with unlimited data plans.
I have a 200 meg plan, and I don't come to anywhere near using it, thanks to wifi. But I also am jailbroken and have a tethering program that I can use in case of emergencies where I need data on my laptop.
I paid for that data. I paid for 200 megs. Are they really going to bitch and moan that I downloaded some web pages in Firefox instead of their web browser, or that I checked my email in firefox so I could get the damn wifi password from it that someone just emailed me?
Assholes using it as their sole ISP are one thing, and I was astonished that AT&T left grandfathered plans that let people keep unlimited data. I understand fighting misuse like that.
But are they going after people who are well under the actual limit they bought?
Hell, I'd probably go ahead and buy tethering...if they sold it as a $5 addition instead of requiring people to buy a fucking 4 gig plan. 200meg is too much for me! If they sold a 20meg plan, I'd buy that instead, too. I am the anti-problem for AT&T's data issues...but heaven forbid if I tether.
AT&T needs to decide what the fuck they want customers to do, and then actually sell them the plans, not bitch and moan about 'misuse'. Some of us are responsible and have our fucking wifi set up and have almost no data usage...and now they're going to threaten us if some of our microscopic data usage is because we want to fire up Google Earth on our laptop on a long drive?
BOTH are "Derived" from ancestors reaching back as far as 1992-1994 iirc... so, your point is what?
Yes, moron, and those have bugs also. Which somehow did not make it into your total.
I loved the fact you included IE9, BTW. Wow, something released 4 days ago hasn't had a lot of security issues found yet? Why, that's amazing!
In your very clever system, if the last Linux release had been named '2.7' instead of '2.6.38', Linux 2.7 would be the best OS choice, because it has never had any bugs.
In fact, I don't see why you get to arbitrarily decide the second version number is where you stop. Linux 2.8.38 has never had a security issue, unpatched or otherwise, and hence, by your incredibly stupid math, that makes it the best choice.
In actuality, of course, the comparison would be 'The amount of security issues found over a set period of time, in the current version of Linux compared to the current version of Windows.' Which, as I pointed out, is about 40 every year.
Except Linux patches theirs better. And, of course, as Secunia themselves says:
PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.
Did you just point out that Linux has 6% unpatched security issues compared to 10% in Windows 7? And you thought that was a victory for Windows?
Or were you trying to point out that Windows 7 had a total of 59 security issues, vs. 256 for Linux 2.6? Which is only impressive if you don't know that Windows 7 is a year and a half old, and Linux 2.6 is six and a half years old. Statistically, they both have about 40 a year.
Granted, this is a pretty stupid comparison, as not all security vulnerabilities are created equal. Let's check to see what is the most severe unpatched vulnerability:
The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical.
The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical.
The difference is that a) you can't run downloaded programs by default without marking them executable, and b) Linux users don't install software that way, they use the software repositories.
Which is what Windows needs. Stop having legitimate programs that you're supposed to download and double-click on to install, and on top of that require a specific permission change (not a prompt, make the user initiate it) before you can do that, and perhaps users will go 'Hey, wait, this isn't how I normally install software, maybe I shouldn't do this.'.
As I've said before, most of my 'diagnosing problems' has nothing to do with any special knowledge I have...it's my willingness to google the damn problem, plus maybe having learned a couple of hours' worth of vocabulary. (Which is also googleable.)
People ask me stuff like 'How do I make a table in Word?' 'Well, I have no fucking idea, I don't ever use Word, but, let's hover over this button, nope, this one, maybe, *click*, nope, this one, okay, *click* there we go, how big?'
Same with email. People ask me how to make an attachment in their gmail. 'I haven't memorized gmail's interface, have you looked for a place that says attach?' 'Oh, there it is, now where are my files?' 'I have no idea, it's your computer. Perhaps you are keeping them in the My Documents folder, that seems to be a popular choice?' 'Oh, there they are.' It's not so much 'solving problems' as 'doing the next fucking obvious thing'.
'Being good with computers' appears to be a very small amount of knowledge, essentially a single cheat sheet on each concept like 'email'. Something that, like you said, can be easily found in the help system or online or even in a textbook. Plus a willingness to actually figure the problem out instead of just giving up because 'you don't know how'.
That said, I have to disagree with you. I think Windows computers should be 'locked down' on what they can install, just like Linux ones are. That is, they should come with some 'software repositories', and programs downloaded from elsewhere shouldn't be executable without manually changing the properties. This repository listing, and one of the repositories, should be operated by a non-profit thing funded by large software companies, but should be fairly easy to get your software into the public repository, and moderately easy to get your own repository in. (Which would be for people selling software.) And you can make 'Download' links on web pages that send people there.
People who know things about computers would have no problem with that system, and could override it if they want, but everyone else would quickly get trained 'How you install software is to bring up Install Software and select it from the list', instead of being trained that 'downloading and double clicking' is a method for that.
All the software that people install should come either from an 'authorized' online place, or a CD.
People talk about the fact that Linux has very few viruses, but they don't look at why. It's because Linux users almost never download and install programs.
They either install software from a package manager, or they add a repository that shows the software and then install from there. Linux users do not download and run untrusted software. That simply is not the paradigm for getting software on the system.
I'm sure everyone here is horrified at the suggestion that MS somehow be in control of the software on a computer....well, that's not my suggestion. I would suggest having the big names in software create some sort of non-profit whose sole purpose is to maintain an automated list of locations that people can safely install Windows software from.
Getting on the list should be pretty easy, but you should have to demonstrate who you actually are, either a company or a person, and, of course, provide malware and you'll be blacklisted, and, hell, arrested.
And that is now 'How you install software', and we have everyone fucking trained that "The way to install software is to go to 'Install software', select it, and install. Or click a link on a web page which brings up 'Install software' panel. (Like iTunes does.)"
That's how you train people not to run random programs, you have a different way for them to install legit software. They do not download and run it, and in fact they cannot download and run it. If they really want to do that, they have to go to the control panel, enable something, and then go into the properties of each executable they want to run, mark it executable again, and run it, which is a strange enough process that it should throw some warning flags. It's not a stupid prompt they can say 'Yes' to without reading.
Yeah, it's not MS's fault at this point. Yeah, yeah, Windows 9x had no permissions, but XP came out almost a decade ago, and any developer that writes a program that stores information anywhere but the user directory should be shot.
Anything which mentions 'running as admin' clearly exists in a post-XP universe, because otherwise there aren't other users, so is inherently poorly-designed. Unless it came out in that microscopic window where XP was first released and it was quickly and poorly updated, no, that's inexcusable.
It doesn't help that development tools basically have to run as admin (because of OS restrictions that are entirely reasonable and kept developers from using really idiotic things like inventing their own 'shared memory' system), but this results in developers never actually testing under non-admin situations, or at least not until the end of development, where it's called a 'bug' and the 'fix' is to run it as admin. No, that should have failed the second it was written, so it was rewritten correctly, not discovered when they're testing release candidates.
Microsoft is still trying to solve that stupidity, Windows 7 has a way to 'fake' the system directories for programs that try to write to them. 'You want to write there? Okay, we'll just keep that file over here, instead, and you'll see it every time you look into the system directory, but no one else will'.
A lot of people end up blaming the wrong people for computer problems. A funny issue is driver problems that cause crashes, which dumb people blame on MS, smarter people blame on the hardware manufacturers that made them, and the smartest people lay the blame back at the feet of MS again, because the OS developers are supposed to be the people making the drivers, like every other OS does. Yes, the manufacturer wrote a shitty driver, probably because, I dunno, they're hardware people and don't know how to write software? Maybe if you're selling a damn OS you should spend your time and money writing hardware drivers, which are literally the only 'OS' part of an OS, and stop spending all your time and effort on a media player?
I agree that any scientific theory that references God is pretty stupid to start with, and is not actually a 'scientific theory'.
I was just pointing out that, strictly speaking, the 'not a scientific theory' of intelligent design is falsifiable. Not scientifically falsifiable, but historically falsifiable.
Intelligent design fails to qualify as a science theory because it doesn't make any predictions, which is what people generally mean as 'falsifiable' in science, but is not strictly correct when talking about 'What happened in the past', which is all Intelligent Design concerns itself with.
Intelligent Design would be more properly classified as 'crazy history theories' than 'scientific theories'. We call those 'conspiracy theories'. It's a crazy conspiracy theory, it's the-Illuminati-had-JFK-shot 'history theory' and is, strictly speaking, falsifiable.
Although in that case, we probably should consider it 'falsified' only if someone else steps forward as his assassin with a lot of evidence, and not just take the word of the Illuminati if they show up and claim it wasn't them. Likewise, God has a lot of rather strange claims, so perhaps we should only consider Intelligent Design falsified if the FSM shows up and says that he did it instead.
Believing in God is not the same thing as believing in Intelligent Design.
Einstein, for example, was the classic 'watchmaker' type of believer, which a lot of scientists are...he thought God built a universe (For him, the word 'maybe' should be inserted, as Einstein somewhat tended to waver back and forth.), turned it on, and then didn't mess with it.
And of all the scientists on that list, only one ever heard of evolution and thought that God had interfered with it. Lord Kelvin. That's it. That's the entire list of 'Intelligent Design' scientists.
Everyone else was either pre-evolution, and had no theories on different species other than 'I guess God did it', or they were in the 'watchmaker' camp, thought evolution did it all, and would be offended that someone's idea of God required God to meddle in his own design as it went along, and that he didn't get it right to start with.
And it's worth pointing out that the theory of evolution Lord Kelvin thought wouldn't work had no basis...no one had discovered DNA yet, and wouldn't for a very long time, so all these hypothetical 'inherited traits' had no way to actually inherit. Hell, genes hadn't even been figured out...Mendel figured out they came in sets, inheriting one from each parent, but didn't bother to tell anyone at the time.
Someone objecting to evolution in 1880 is not the same as someone objecting today, after the discovery of genes, DNA, and actual observations of evolutionary changes. It's a very common misconception, in both people who accept evolution and people who don't, that Darwin just magically figured it all out, but it wasn't until the 1900s that we knew sorta kinda how genetics worked, and until the 1950s or so no one had actually come up with a mechanism for genes to work via.
So Darwin's theory that differences between animals were due to inheritance was just floating in midair with no support. (And that theory has, itself, changed over the years, too. Darwin's theory, strictly speaking, is wrong in many ways.)
Creationism is, in fact, falsifiable. God could show up and explain he didn't do it.
Generally, by 'falsifiable', science means 'disprovable', which creationism is not, and hence not science. There is no testable theory to demonstrate that.
But, strictly speaking, it could be falsified, because it states an entity did something, and for that to be false, all we would need is for that entity to say so.
We are talking about 'history', not 'science' at that point, and God is a primary source, in fact, the only source. If he shows up and says 'No, it wasn't me', we should pretty much consider our historic theory wrong. Likewise, if he says 'It was me', we should accept it.
It's the same way that saying 'The house seems dirty. I think Bill tracked some mud into the house yesterday' is not a scientific theory, but is a theory of history and is falsifiable if Bill wakes up and says he didn't go outside yesterday.
Of course, God or Bill could be lying, which also needs to be taken into account.
And all this seems moot as no one can seem to get God to get down here and tell us what happened.
You do that by going to a business, at which point they will look over it, decide if it's worth it, edit it, print it, get stores to put it on the shelves, and take a cut of your profits.
I believe these businesses are called 'book publishers'.
40% is an entirely normal markup on pretty much everything people buy retail. I have no idea why books would be any different than a pair of scissors or frozen pizzas. Sometimes it's going to one person, sometimes two, but I promise you, almost everything you purchase has about half the price go to some people in the middle somewhere.
And please notice that people in the middle actually moved the thing to you from the factory, either via their trucks, or via UPS. And processed your individual credit card purchase, and handled refunded and exchanges, and rented storefront and/or warehouse space, and paid clerks to sell it to you, etc, etc...
When you state it as a lump sum of 40% it seems unfair, but if you can do it cheaper, feel free to open your own store.
Also, 15% is not going to the 'producer' of a book. Publishing companies have editors, and they have printers, they are at the least 'co-producing' the book. In fact, if you apply theatre terminology, they would be called the actual 'producers'.
Try pointing out she's sexist, which is how I look at the whole gay marriage' thing. I don't care one whit about 'sexual orientation'. The only relevant fact is that in many places men can marry women, and women can't marry women. Females are excluded from marrying women because of their gender. Seems obviously sexist to me. It has nothing to do with any sort of 'orientation', protected right or otherwise, at all...it's straight-up sexual discrimination.
She'll try to pull 'They can each marry the opposite gender' crap...yeah, just like white and black people can each use their own different water fountain. Or men and women can go to their own different colleges. 'Separate but equal' is not acceptable, the fact that each gender has their own entirely separate set of people they can marry is not the same thing as non-discrimination.
I've never heard of the godaddy deal, that actually sounds reasonable. I have heard of the www thing, but never found a place that did it, just the wildcard card having the non-wildcard thrown in.
Last I looked at the thing, a few years ago, it was so complicated and I couldn't actually purchase one, so I just went with three IPs.
TLS instead of SSL should help with this as it occurs later within the HTTP negotiation so you can supply a certificate to match the virtual host.
That's not technically 'TLS', that's SNI (Server Name Indication) which is an extension to TLS. Also, it's the other way around...the cert isn't given later, the name is supplied earlier. Specifically, when the browser connects to the server and they're negotiating encryption, the browser, in addition to say 'I support 256-bit foo, 512-bit foo, and 512-bit bar ciphers' and other things like that, it also says 'I am trying to visit the domain example.org'. This allows the right cert can be given at cert-giving time, which is immediately after that negotiation segment.
After all that, on top of the encrypted connection that was just set up, a HTTP session starts, at which point the browser again supplies the Host: header, like it does during the unencrypted connections. This is the first time the server know the domain without SNI, but would be much too late for the server to supply the correct cert.
Browsers can support TLS but not SNI, like IE on XP. They won't provide that info during negotiations, and the server will just...guess the cert.
And you're right that SSL can't do it at all, although most people say 'SSL' to now mean 'TLS', so that's nice and confusing.
And the sole common browser that doesn't support it is any version of IE on XP. Sadly, that's a lot of users. Over 50% of Windows users are still on XP, and something like 80% of Windows users are in IE, so that comes out to something like 40% of total web visitors.
No one uses SAN. SAN certs are not even purchasable for normal mortals, you have to get special accounts at the few places that do them, and each name is the 'full price' of the high end certs. It's not like you can throw five domain names in a $10 cert.
And I actually think you're wrong, IE6 supports SAN. In fact, I think IE5 supported SAN. SAN was actually part of X.509 from the start, and almost everything that supports SSL supports it. It was just DOA because it's not how certs are purchased and sold, and are purchased for individual domains, and no one is going to go add a new domain to their existing cert and get it re-signed. Anyone big enough to be doing SAN is big enough to dedicate IPs to start with, or just wildcard it
In fact, wildcard certs are about the only SAN certs you'll ever run into in the wild, so they can do example.com and *.example.com on the same cert. Otherwise, no, they don't exist. I actually think it would be interesting to try to find an actual SAN-cert signed site (Say that three times fast.) out there. Anyone got a link? (Remember, we don't need a login or anything to see the cert.)
The problem is XP's lack of SNI. That's pretty much it.
MS, once again, is fucking over web development by refusing to implement new standards that fix serious problems.
Then you're an idiot or have no visitors, as that doesn't work on IE under XP for different certs.
Incidentally, SNI has only been in Apache for 5 years, so I have no idea what you thought you were doing those first five years, but it wasn't working unless you were using the same cert on all sites.
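The SNI explanation above (the name rides in the ClientHello, before any certificate is sent) and the later comment about wildcard and SAN names are easier to see in bytes than in prose. The following is an added example, not code from the thread: it builds a minimal ClientHello with and without the server_name extension, pulls the name back out the way an SNI-aware server would, and picks a certificate by matching that name against each cert's name list (including a one-label wildcard). All hostnames and certificate labels are constructed sample values; the random field is fixed for determinism and the record is not a full handshake.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension id from RFC 6066

# Constructed sample "certificate store": label -> names the cert is valid for.
SAMPLE_CERTS = {
    "cert-example": ["example.com", "*.example.com"],  # SAN-style cert, as in a wildcard cert
    "cert-other": ["other.org"],
}


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302, 0x002F)):
    """Return a TLS record carrying a ClientHello.

    hostname=None omits the server_name extension entirely, which is what a
    client without SNI support (IE on XP in the thread) sends."""
    client_random = b"\x11" * 32           # constructed; real clients send 32 random bytes
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    compression = b"\x00"                  # null compression only

    if hostname is None:
        extensions = b""
    else:
        host = hostname.encode("idna")
        # ServerNameList: one entry of name_type host_name (0), 16-bit length, name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext

    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(suites)) + suites    # "I support these ciphers"
        + bytes([len(compression)]) + compression
        + extensions                                 # "...and I want this host"
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Parse the server_name out of a ClientHello record, or None if absent."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # type+length, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    if pos >= len(hs):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            name_len = struct.unpack("!H", data[3:5])[0]   # skip list length and name_type
            return data[5:5 + name_len].decode("idna")
    return None


def name_matches(pattern, host):
    """'*.example.com' covers exactly one left-most label; otherwise exact match."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def choose_certificate(record, certs, default):
    """Select the cert label for the requested name; without SNI the server can
    only fall back to a default, which is the 'guess' described in the thread."""
    name = extract_sni(record)
    if name is None:
        return default
    for label, names in certs.items():
        if any(name_matches(p, name) for p in names):
            return label
    return default


if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "other.org", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "->", choose_certificate(rec, SAMPLE_CERTS, "cert-default"))
```

Note that `a.b.example.com` falls through to the default even though a wildcard cert is present: a wildcard covers one label only, which is why the comment above pairs `example.com` and `*.example.com` on a single cert rather than relying on the wildcard alone.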
He says 'it's still better than plain-text!' and you say 'Unfortunately that is not the case.' because you've been trained that it's not the case.
And then you are forced to actually justify why it's not the case, and end up saying 'So it is a bit better than plain text'.
So, basically, you admit he's right, but you've been told over and over he's wrong, so you somehow think he must be wrong, even though you just admitted he was right.
There is no justification for warning people about unsigned encrypted if you're going to let them do plaintext without a warning. Anyone who thinks about this has to admit that. Even people like you who can't admit it...have to admit it.
but if you care enough about the content to use HTTPS in the first place then "a bit better" is not enough.
What a dumb statement. If you care enough about content to used signed HTTPS, then obviously unsigned HTTPS is not enough.
Of course, NO ONE IS TALKING ABOUT LOWERING THE SECURITY OF ANY SITE. The question was explicitly talking about currently-plaintext sites. As is the article. There's no any possible way to misunderstand this.
Here's what's going on:
People have been told, and they 'know', that unsigned encryption is 'bad', and yet when actually faced with 'Hey, why don't we just have all plaintext websites use unsigned encryption', they cannot actually come up with the reasons that would be bad.
So they are forced to make a desperate leap sideways and pretend that people were talking about replacing signed certs with them, despite the question explicitly talking about plaintext, and explicitly saying that secure sites should be signed.
Really, folks, the next time you need to see 'cognitive dissonance' in action, ask 'Why can't I use self-signed certs instead of plaintext? Why is there a warning when I just want to protect a forum login? Isn't self-signed more secure than plaintext?' to people who 'know about security', aka, who have been trained with the common wisdom, and watch their brains melt down.
They know one thing, 'self-signed is insecure and shouldn't be used' and yet logic leads them to the opposite conclusion, 'self-signed is better than plaintext' and they end up producing the weirdest nonsense you've ever seen trying to explain it. It's fucking hilarious, it's textbook 'cognitive dissonance'. I've actually come to the conclusion it's almost a 'security troll' on Slashdot.
Sadly, now they have the 'Oh, but you can get signed cert cheaply' now to fall back on, so it's less fun, and they will always end there. Of course, that wasn't the question at all, and that doesn't work if you're IP-limited anyway, thanks to the non-support of SNI. Self-signed wildcards are the only workable solution there, or would be if you could use self-signed certs reasonably. As it is there's no solution.
The average fucking moron doesn't care if it's an SSL site at all. And even if they have been trained, they've been trained to look for a locked padlock or a green bar, not 'https'. So the idea that 'millions would be fooled if we'd just show them the connection without doing the 'secure' indicators' is just total nonsense. No one's been trained to 'https'. Just show them the damn site without a padlock.
Of course, even if they have learned enough that it should be a locked padlock or even a green bar, they can be tricked by intercepting the unencrypted paypal.com, and sending them to paypal.securityblahblah.com. Oh, look, a green bar, that must be secure!
Like I said above...we've decided that the way to stop people from being tricked is to require all doors on the internet to be steel doors laser-etched with a hologram of their address.
This hasn't, in any way, actually solved any security issue, because the problem is not, and has never been, people setting up fake doors at the correct address of the business, aka, man-in-the-middle attacks. The problem is people directing users to fake locations, where they can, indeed, provide real, verified doors that are for that address....in case anyone cares about the laser-etched doors, which they don't.
Meanwhile, almost nowhere has any doors to start with, because they are expensive and complicated.
Without some way for Bob to verify that the person claiming to be "Alice" is, indeed, the real Alice that's about as much use as an ashtray on a motorbike.
There's a whole section of attacks that are made impossible with unverified SSL. Like passive sniffing.
I used to try to nicely convince people of this, but fuck it. You morons are arguing that wooden doors shouldn't exist because people can break in through them.
No one can actually think that protecting people against passive sniffing is a bad thing we should warn users about. That it is somehow worse than an unencrypted connection. It is literally impossible to actually hold that thought in your head, so stop regurgitating the nonsense you've had drilled into your brain about this, and actually THINK about the actual thing you're saying.
A world where all current HTTP connections were encrypted without verification would be vastly more secure, in multiple ways, than the current unencrypted connections. And that system does not, in any way, exclude the existence of current signed HTTPS connections. But thanks to morons who think 'Weak security is worse than none at all', we instead have a system set up where we have...no security at all.
We know about goddamn hypothetical man-in-the-middle attacks. And we know that for every hypothetical man-in-the-middle attack, it was ten times easier for someone to just sniff your connection and steal your email login, and, oh, request a new password from Paypal or whatever. Because your webmail is at a shared host that can't run SSL on the same IP.
Good job requiring all doors to be made out of solid steel with the street address of the company laser-etched into them in an unforgeable hologram. Now all those imaginary fake doors that people might hypothetically have been throwing up can't happen.
Of course, in the actual world, people just use a similar address, that they actually own, and can actually get a legit door for. And most buildings don't have any fucking doors at all because they're too expensive to get and set up.
Concluding, encryption without verification is useless and more dangerous than plain HTTP because the user assumes that the connection is secure.
Only in retard land, where you live.
Where the rest of us live, users base the security of a site on whether or not the padlock is locked, or whether or not the bar is green.
Exactly.
I understand AT&T has an overloaded network. I understand they need to control how much data goes over it, both in an absolute amount, and worries about the packet size and stuff. (Which probably just means they need to worry about total packet size, instead of payload size.) They can charge people whatever they think is reasonable for that, in different ways, with different plans.
But I don't quite see why they have the right to worry about where the data is coming from or going. I know they claim to have such a right, and perhaps they do under the law, but I don't understand why they would have that right.
What isn't clear here, and I wish they'd clarify, is if they only care about people with unlimited data plans.
I have a 200 meg plan, and I don't come to anywhere near using it, thanks to wifi. But I also am jailbroken and have a tethering program that I can use in case of emergencies where I need data on my laptop.
I paid for that data. I paid for 200 megs. Are they really going to bitch and moan that I downloaded some web pages in Firefox instead of their web browser, or that I checked my email in firefox so I could get the damn wifi password from it that someone just emailed me?
Assholes using it as their sole ISP are one thing, and I was astonished that AT&T left grandfather'd plans that let people keep unlimited data. I understand fighting misuse like that.
But are they going after people who are well under the actual limit they bought?
Hell, I'd probably go ahead and buy tethering...if they sold it as a $5 addition instead of requiring people to buy a fucking 4 gig plan. 200meg is too much for me! If they sold a 20meg plan, I'd buy that instead, too. I am the anti-problem for AT&T's data issues...but heaven forbid if I tether.
AT&T needs to decide what the fuck they want customers to do, and then actually sell them the plans, not bitch and moan about 'misuse'. Some of us are responsible and have our fucking wifi set up and have almost no data usage...and now they're going to threaten us if some of our microscopic data usage is because we want to fire up Google Earth on our laptop on a long drive?
Hey, don't look at me, I was speaking as hypothetical Republican.
BOTH are "Derived" from ancestors reaching back as far as 1992-1994 iirc... so, your point is what?
Yes, moron, and those have bugs also. Which somehow did not make it into your total.
I loved the fact you included IE9, BTW. Wow, something released 4 days ago hasn't had a lot of security issues found yet? Why, that's amazing!
In your very clever system, if the last Linux release had been named '2.7' instead of '2.6.38', Linux 2.7 would be the best OS choice, because it has never had any bugs.
In fact, I don't see why you get to arbitrarily decide the second version number is where you stop. Linux 2.8.38 has never had a security issue, unpatched or otherwise, and hence, by your incredibly stupid math, that makes it the best choice.
In actuality, of course, the comparison would be 'The amount of security issues found over a set period of time, in the current version of Linux compared to the current version of Windows.' Which, as I pointed out, is about 40 every year.
Except Linux patches theirs better. And, of course, as Secunia themselves says:
PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.
Did you just point out that Linux has 6% unpatched security issues compared to 10% in Windows 7? And you thought that was a victory for Windows?
Or were you trying to point out that Windows 7 had a total of 59 security issues, vs. 256 for Linux 2.6? Which is only impressive if you don't know that Windows 7 is a year and half old, and Linux 2.6 is six and a half years old. Statistically, they both have about 40 a year.
Granted, this is a pretty stupid comparison, as not all security vulnerabilities are created equal. Let's check to see what is the most secure unpatched vulnerability:
The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical
The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical.
Hmmm, interesting.
Do we know if the botnets were being used for spam, or other purposes? They might be 'attack' botnets.
The difference is that a) you can't run downloaded programs by default without marking them executable, and b) Linux users don't install software that way, they use the software repositories
Which is what Windows needs. Stop having legitimate programs that you're supposed to download and double-click on to install, and on top of that require a specific permission change (not a prompt, make the user initiate it) before you can do that, and perhaps users will go 'Hey, wait, this isn't how I normally install software, maybe I shouldn't do this.'.
As I've said before, most of my 'diagnosing problems' has nothing to do with any special knowledge I have...it's my willingness to google the damn problem, plus maybe having learned a couple of hours' worth of vocabulary. (Which is also googleable.)
People ask me stuff like 'How do I make a table in Word?' 'Well, I have no fucking idea, I don't ever use Word, but, let's hover over this button, nope, this one, maybe, *click*, nope, this one, okay, *click* there we go, how big?'
Same with email. People ask me how to make an attachment in their gmail. 'I haven't memorized gmail's interface, have you looked for a place that says attach?' 'Oh, there it is, now where are my files?' 'I have no idea, it's your computer. Perhaps you are keeping them in the My Documents folder, that seems to be a popular choice?' 'Oh, there they are.' It's not so much 'solving problems' as 'doing the next fucking obvious thing'.
'Being good with computers' appears to be a very small amount of knowledge, essentially a single cheat sheet on each concept like 'email'. Something that, like you said, can be easily found in the help system or online or even in a textbook. Plus a willingness to actually figure the problem out instead of just giving up because 'you don't know how'.
That said, I have to disagree with you. I think Windows computers should be 'locked down' on what they can install, just like Linux ones are. That is, they should come with some 'software repositories', and programs downloaded from elsewhere shouldn't be executable without manually changing the properties. This repository listing, and one of the repositories, should be operated by a non-profit thing funded by large software companies, but should be fairly easy to get your software into the public repository, and moderately easy to get your own repository in. (Which would be for people selling software.) And you can make 'Download' links on web pages that send people there.
People who know things about computers would have no problem with that system, and could override it if they want, but everyone else would quickly get trained 'How you install software is to bring up Install Software and select it from the list', instead of being trained that 'downloading and double clicking' is a method for that.
Two words: Software repositories.
All the software that people install should come either from an 'authorized' online place, or a CD.
People talk about the fact that Linux has very few viruses, but they don't look at why. It's because Linux users almost never download and install programs. They either install software from a package manager, or they add a repository that shows the software and then install from there. Linux users do not download and run untrusted software. That simply is not the paradigm for getting software on the system.
I'm sure everyone here is horrified at the suggestion that MS somehow be in control of the software on a computer....well, that's not my suggestion. I would suggest having the big names in software create some sort of non-profit whose sole purpose is to maintain an automated list of locations that people can safely install Windows software from.
Getting on the list should be pretty easy, but you should have to demonstrate who you actually are, either a company or a person, and, of course, provide malware and you'll be blacklisted, and, hell, arrested.
And that is now 'How you install software', and we have everyone fucking trained that "The way to install software is to go to 'Install software', select it, and install. Or click a link on a web page which brings up 'Install software' panel. (Like iTunes does.)"
That's how you train people not to run random programs, you have a different way for them to install legit software. They do not download and run it, and in fact they cannot download and run it. If they really want to do that, they have to go to the control panel, enable something, and then go into the properties of each executable they want to run, mark it executable again, and run it, which is a strange enough process that it should throw some warning flags. It's not a stupid prompt they can say 'Yes' to without reading.
Yeah, it's not MS's fault at this point. Yeah, yeah, Windows 9x had no permissions, but XP came out almost a decade ago, and any developer that writes a program that stores information anywhere but the user directory should be shot.
Anything which mentions 'running as admin' clearly exists in a post-XP universe, because otherwise there aren't other users, so is inherently poorly-designed. Unless it came out in that microscopic window where XP was first released and it was quickly and poorly updated, no, that's inexcusable.
It doesn't help that development tools basically have to run as admin, (Because of OS restrictions that are entirely reasonable and kept developers from using really idiotic things like inventing their own 'shared memory' system.), but results in developers never actually testing under non-admin situations, or at least not until the end of development, where it's called a 'bug' and the 'fix' is to run it as admin. No, that should have failed the second it was written, so it was rewritten correctly, not discovered when they're testing release candidates.
Microsoft is still trying to solve that stupidity, Windows 7 has a way to 'fake' the system directories for programs that try to write to them. 'You want to write there? Okay, we'll just keep that file over here, instead, and you'll see it every time you look into the system directory, but no one else will'.
A lot of people end up blaming the wrong people for computer problems. A funny issue is driver problems that cause crashes, which dumb people blame on MS, smarter people blame on the hardware manufacturers that made them, and the smartest people lay the blame back at the feet of MS again, because the OS developers are supposed to be the people making the drivers, like every other OS does. Yes, the manufacturer wrote a shitty driver, probably because, I dunno, they're hardware people and don't know how to write software? Maybe if you're selling a damn OS you should spend your time and money writing hardware drivers, which are literally the only 'OS' part of an OS, and stop spending all your time and effort on a media player?
I agree that any scientific theory that references God is pretty stupid to start with, and is not actually a 'scientific theory'.
I was just pointing out that, strictly speaking, the 'not a scientific theory' of intelligent design is falsifiable. Not scientifically falsifiable, but historically falsifiable.
Intelligent design fails to qualify as a science theory because it doesn't make any predictions, which is what people generally mean as 'falsifiable' in science, but is not strictly correct when talking about 'What happened in the past', which is all Intelligent Design concerns itself with.
Intelligent Design would be more properly classified as 'crazy history theories' than 'scientific theories'. We call those 'conspiracy theories'. It's a crazy conspiracy theory, it's the-Illuminati-had-JFK-shot 'history theory' and is, strictly speaking, falsifiable.
Although in that case, we probably should consider it 'falsified' only if someone else steps forward as his assassin with a lot of evidence, and not just take the word of the Illuminati if they show up and claim it wasn't them. Likewise, God has a lot of rather strange claims, so perhaps we should only consider Intelligent Design falsified if the FSM shows up and says that he did it instead.
Remember, requiring people to purchase health insurance of some sort so they aren't a drain on the system: Big Government
Requiring them to provide documentation about their abortion: Small Government
Believing in God is not the same thing as believing in Intelligent Design.
Einstein, for example, was the classic 'watchmaker' type of believer, which a lot of scientists are...he thought God built a universe (For him, the word 'maybe' should be inserted, as Einstein somewhat tended to waver back and forth.), turned it on, and then didn't mess with it.
And of all the scientists on that list, only one ever heard of evolution and thought that God had interfered with it. Lord Kelvin. That's it. That's the entire list of 'Intelligent Design' scientists.
Everyone else was either pre-evolution, and had no theories on different species other than 'I guess God did it', or they were in the 'watchmaker' camp, thought evolution did it all, and would be offended that someone's idea of God required God to meddle in his own design as it went along, and that he didn't get it right to start with.
And it's worth pointing out that the theory of evolution Lord Kelvin thought wouldn't work had no basis...no one had discovered DNA yet, and wouldn't for a very long time, so all these hypothetical 'inherited traits' had no way to actually inherit. Hell, genes hadn't even been figured out...Mendel figured out they came in sets, inheriting one from each parent, but didn't bother to tell anyone at the time.
Someone objecting to evolution in 1880 is not the same as someone objecting today, after the discovery of genes, DNA, and actual observations of evolutionary changes. It's a very common misconception, in both people who accept evolution and people who don't, that Darwin just magically figured it all out, but it wasn't until the 1900s that we knew sorta kinda how genetics worked, and until the 1950s or so no one had actually come up with a mechanism for genes to work via.
So Darwin's theory that differences between animals were due to inheritance was just floating in midair with no support. (And that theory has, itself, changed over the years, too. Darwin's theory, strictly speaking, is wrong in many ways.)
Creationism is, in fact, falsifiable. God could show up and explain he didn't do it.
Generally, by 'falsifiable', science means 'disprovable', which creationism is not, and hence not science. There is no testable theory to demonstrate that.
But, strictly speaking, it could be falsified, because it states an entity did something, and for that to be false, all we would need is for that entity to say so.
We are talking about 'history', not 'science' at that point, and God is a primary source, in fact, the only source. If he shows up and says 'No, it wasn't me', we should pretty much consider our historic theory wrong. Likewise, if he says 'It was me', we should accept it.
It's the same way that saying 'The house seems dirty. I think Bill tracked some mud into the house yesterday' is not a scientific theory, but is a theory of history and is falsifiable if Bill wakes up and says he didn't go outside yesterday.
Of course, God or Bill could be lying, which also needs to be taken into account.
And all this seems moot as no one can seem to get God to come down here and tell us what happened.