Slashdot Mirror


User: sjames

sjames's activity in the archive.

Stories
0
Comments
34,276

Comments · 34,276

  1. Re: Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    I have a few web based apps that can't use the automated method. Their short expiration convinced me to just self sign a cert and call it good.

  2. Re:It's all just enabling more bullshit on Google and Nasdaq Pursuing Nano-Second Precision In Network Time Protocol (nytimes.com) · · Score: 1

    Why would someone risk their order going into the wrong time slice? The time slice would be defined by when the central exchange timestamps its arrival.

    It wouldn't matter when in that quantum the order was placed, everyone would be working from the results of the last quantum.

  4. Re:Travel restrictions make key parties inconvenie on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Much like one comes to trust anything. First tentatively and in matters of little consequence, then more so over time. Trust is a funny thing.

    Consider, for some reason, Smiling Sam gets his online used car dealership the highest level of verified cert. So I can absolutely trust that the site really is ..... created by someone I know absolutely nothing about. OTOH, some student creates a page with a few useful formulas and tables on it and self-signs. I look it over and see that the ones I remember he has correct. I trust him more than I trust Sam. I trust his signature on his friend's site more than I trust Sam's signature on a mechanic who will happily certify that Sam's cars are the best.

    What I really need from most certs is assurance that the site I'm seeing today is the same one that slowly earned my trust over time. Or if it's a new cert, that someone who has earned my trust over time can verify that the site is the same one I have come to trust.

    The CAs are really sort of a last resort since they boil down to "someone I have never heard of says someone else I have never heard of told them that his name is Joe Blow." Is that REALLY stronger assurance than a stranger walking up and saying "Hi, I'm Joe Blow"?

    Back in the mid '90s, when https and Certs were just starting to be promoted, I talked to a Verisign rep at a show. He actually told me that I can trust the identity of any website with a cert because they contractually agreed to not lie when Verisign issued the cert. Because crooks never dare violate the terms of an unsigned contract.

  5. Re:Travel restrictions make key parties inconvenie on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Web of trust also means that if I trust example.com, I have every reason to place just as much trust in it signing a.example.com. No need to travel cross country for the 184th Buggy Whip manufacturer's Association of America convention.

  6. Re:Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    That's because they did it wrong. The big mistake was having the browser refuse to do as it was told rather than just providing informative messages. The second was depending on the site operator's instructions rather than just remembering the cert it saw before as a matter of course.

    Perhaps they're losing their edge.

  7. Re:Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Sounds like perhaps it should be possible to get the browser to encrypt without a cert or at least with a self-signed cert.

    Compare the cases:

    Self signed cert: Joe Blow says he's Joe Blow. Sure, anyone might claim that but honestly, I don't actually know him anyway. It might be nice to have pinning so I at least know the guy I'm talking to today is the same one I was talking to yesterday, but in the end, it's string controlled airplanes, not my banking details.

    CA signed cert. Great, now I know that the guy who says he's Joe Blow also told a CA (that has no reasonable means to check) that he's Joe Blow. Whoopty! It still might be nice if the browser could let me know the Joe Blow I'm talking to today is or is not the same one I was talking to yesterday.

    There are certs where (hopefully) more ID verification happens. If you're doing your banking, you should make sure the cert is one of those. But those cost a lot more and you won't be getting one of those from Let's Encrypt.

    As for rat bastard ISPs, how many people WON'T run a program provided by their ISP to "optimise" their internet experience that also (or only) slips them in as a valid CA for purposes of launching a man in the middle attack? I submit that the people who will not run such a thing are exactly the ones who could handle self-signed certs with pinning and a web of trust.

  8. Re: Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    It seems like it would be easier all around if Let's Encrypt used longer expiration dates.

  9. Re:Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Sounds to me like someone just wants a decent browser that will actually take "just shut up about the cert and show me the damned page" for an answer.

    If Google actually cared about transmission security, they'd implement cert pinning, including for self-signed certs.

    If it was actually just about security and identification and not rent seeking, then any cert could be used to sign subdomain certs. If you trust that I am the right and proper owner of example.com, why is it not good enough if I vouch for alpha.example.com?

  10. Re:Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 3, Insightful

    Have a look at the CAs accepted by your browser. Do you actually trust each and every one of those entities to never issue a cert in error? Have you even heard of most of them?

  11. Re:Misguided Like A Japanese Rocket Launch on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Currently, HTTPS proves that the site is run by someone with at least average Photoshop skills such that they convinced some CA you've never heard of that they are the true proprietors of an entity you've never heard of.

    I feel more secure already!

  12. Re:Misguided? In the time of fake news? on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    Wrong argument. Nobody has even attempted to argue that NO site should use HTTPS.

  13. Re:What browsers should do on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    What the browser should do is what I tell it to do.

  14. Re:No, but promotion != scare mongering on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    How much would you be willing to spend to adulterate the text of "The story of Mel"? How many years in prison would you be willing to risk by hacking a router in order to do it?

    If the answer to that is anything above zero, I would suggest looking up mental health services instead.

  15. Re:No, but promotion != scare mongering on Is Google's Promotion of HTTPS Misguided? (this.how) · · Score: 1

    What, so Dr. Evil can make subtle changes to people's needlepoint patterns so that just looking at the finished "Home Sweet Home" hanging on the wall infects the viewer with a subtle mind virus (through the optic nerve) that makes them like Nickelback?

  16. Re: Please let this start a tidal wave on California Lawmakers Pass Bill To Give Consumers Broad Privacy Rights (cnet.com) · · Score: 1

    No, actually you have. And you did it because you WANT to be pissed off and spiteful about something. That is, if you actually even own a car.

    Meanwhile, there are 49 other states, perhaps you should move.

  17. Re: Please let this start a tidal wave on California Lawmakers Pass Bill To Give Consumers Broad Privacy Rights (cnet.com) · · Score: 1

    I believe someone else already pointed out to you that OEM parts is not a requirement.

  18. Re:Without consent? on Voices of Millions of UK Taxpayers Stored By HMRC (bbc.co.uk) · · Score: 1

    According to some here, no, but they do all they can to convince you otherwise.

  19. Re:I hate to say this, but... on A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com) · · Score: 1

    They also happen when someone sets their AWS S3 permissions wrong or someone gets a shell on the server. Occasionally because someone's PHP doesn't sanitize requests.

  20. Re: Please let this start a tidal wave on California Lawmakers Pass Bill To Give Consumers Broad Privacy Rights (cnet.com) · · Score: 1

    I'll grant that particular issue is a load of crap, but your "solution" is probably too far in the other direction.

    VW's cheating started 10 years ago.

    Perhaps you should sue the company that bought the manufacturer for screwing up the paperwork.

  21. Re: Not a surprise on America is Falling Behind On Its Paris Climate Pledge (technologyreview.com) · · Score: 1

    What people want right now is for the process to actually begin rather than looking into how we can subsidize coal.

  22. Re:Mergers are gr8! on Comcast and Xfinity Facing a Nationwide Outage [Update: Company Confirms] · · Score: 1

    They also managed without clothes, the wheel, stone tools, or fire at one point. You first.

  23. Re:I hate to say this, but... on A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com) · · Score: 1

    In this case, it wouldn't have. Other breaches involve grabbing files out of storage. In those cases it makes all the difference.

  24. Re:I knew this was coming, and so wrong... on AT&T Removes HBO From an Unlimited Data Plan After Buying Time Warner (arstechnica.com) · · Score: 1

    In turn we all get to laugh at you now since this is about the merger being permitted, not what has apparently become your favorite hobby horse.

  25. Re: Please let this start a tidal wave on California Lawmakers Pass Bill To Give Consumers Broad Privacy Rights (cnet.com) · · Score: 1

    VW diesels all pass the tailpipe test but they are a lot dirtier in every other condition.