The article (I know, I must leave now) does NOT say he quit G+. It says that he along with the top Mgmt at Google all seem to have opted for tighter privacy controls overnight. The number of friends and followers can no longer be *tracked*.
1) The topic at hand is the 'every webpage'- don't let dogma (even based on sound rational principles) blind you to the situation we're dealing with. That said you and I both know it's not a trivial problem for any old organization to end up with a trusted root cert in the vast majority of browsers. It is certainly less likely to occur over and over again than IPv6 to roll out or SNI support to get baked into nearly all browsers.
2&3) Go look for my posts then. I assure you I am familiar with the technologies of which you speak. There is however still a requirement of: a) one unique layer 3 destination per hostname, -or- b) SNI support -or- c) Fancy (wildcard/SAN) certificates
Them's the facts as best I know them.
FYI *all* of the numbers you quoted are for 1k keys- which are no longer a going concern. To get 2k key performance numbers (in ideal conditions aka nothing is effed up in how they implement the chips) you can roughly divide by five so that is 15k/4k/2k respectively. And these things all cost money...
1) You don't get the issue at all. I mean technically I'm sure you could teach the course on it, but this is a business problem not a technology problem. And yes let's all become root CAs *
2) Does it make a commodity 64bit server slow down to 100s of new connections per second? Does it do all of the things that the business needs it to do to efficiently and effectively manage and serve a rich web application? Yeah didn't think so. Guess what- SSL doesn't improve anything about the immediate end user experience or the maintainability of the site. And even Servlets don't hold a candle to asymmetric key exchanges using 2k+ keys...
3) Answered about 30 times over in the comments... Let me summarize: Because it is the only way to preserve the vanity of the experience. This is important because without it there is no need to use separate hostnames for each site.
* Lemme guess- you're the/an alpha geek wherever you are. You know why that's totally ludicrous but don't expect anyone else to- so you like to throw crap like that out to try to shut people up.
See my above reply... I don't disagree with you, nor does it sound like you significantly disagree with me.
Group in your #1 is not so very small, and they are the ones that will freak out and tell everyone on Facebook that your site hacked their computer when they get the security popup...
In another year or two hopefully everyone will be using SNI...
You obviously don't understand the real world well. Web sites are marketing tools. It is marketing people that decide to use a 'vanity' domain/host name. It is 'marketing' people that dictate that the site must work on everyone's computer without throwing scary messages.
So 1) Sure, this is a valid response. I was just pointing out that they are not, in fact, free. 2) Bullshit this is about server capacity and not primarily latency. General purpose CPUs suck at crypto. A piece of commodity hardware that could serve 10,000 requests per second can probably do about 500 2048bit key exchanges per second. And before you go off about GPUs, most servers won't be using them for SSL, and beyond that most places are moving to virtualized hardware. Defeats the purpose of virtualization when you get no VM density... 3) This is not even remotely FUD, it is FACT. There are very few organizations in the world that would write off the large swath of users whose browsers do not support SNI. There are even fewer that would accept a url that looks like https://support.foo.com:97863/ they would just be using https://www.foo.com/support if they didn't care.
To a business a MASSIVE increase in cost, decrease in performance, and scaring off 10-20% of your most skittish users with security warnings is a HUGE problem which makes your customers feel even less secure. In reality the lack of HTTPS is something unwashed geeks worry about and 99% of customers are clueless about.
The problem is that the SSL negotiation happens before the HTTP session begins so there is no Host header available when the server has to cough up a certificate.
There are really only 3 options for HTTPS virtual hosting: 1) Wildcard certificates if all the sites are in the same domain 2) SAN certificates if the certificate ifs purchased with up to 5 names on it 3) An extension to SSL called SNI that sends the host information in the SSL negotiation.
The OP is referring to the fact that SNI is far from universally supported today.
1) SSL certificates are not free 2) SSL key exchanges are horribly expensive compared with serving a web page 3) Right now EVERY web site would require a unique IP address
How much more direct could a confirmation be? The only question is the veracity of the anonymous source.
They haven't gotten anyone who knows to confirm it... only people who are also speculating.
Note that "an American expert in nuclear intelligence" would specifically not be someone who works in the gov't- If they could claim an anonymous official source they would.
It's only a "gross violation" if you are forced to do it. There is an opt-out.
Your opt-out is to have someone actually touch you in a way that anywhere else (save while under arrest) would result in punching or macing the attacker. This isn't because you failed a non-invasive screening procedure, it's because you don't want to take your clothes off.
Maybe I'm just shamelessly immodest, but I support these scanners if they can be shown to speed up the process of checking in.
It is literally an order of magnitude slower than standard screening. You have to stand still with your arms raised for at least 15 second after they start the scan. Then you need to stand and wait for the "all clear" over the radio. Or you need to wait for someone to take like a minute to make a rucus about you opting out and then explain the procedure you're about to go through.
We live in a world where airplanes attract way more than their fair share of terrorism - we need to accept that fact. We can't pretend that people won't try to bomb airplanes, even if there are much easier ways to kill people.
Nobody has proved that an undergarment bomb can be effective at bringing down an airliner. Besides what stops an up the ass or breast implant based device?
Ignore armanox- he is obviously confused about his setup. Unless he has some uber exotic display device there is no way it's from 1992 and decodes ATSC without an issue...
Slashdot Mirror
never got over resenting authority figures when they were 13.
That was only like a year ago, cut them some slack!
The article (I know, I must leave now) does NOT say he quit G+. It says that he along with the top Mgmt at Google all seem to have opted for tighter privacy controls overnight. The number of friends and followers can no longer be *tracked*.
Actually lets totally forget that, m'kay? Sometimes there is no need for shades of grey.
They want their homebrew computer back.
As an aside: this is obviously someone who uses a Mac to be a hipster...
1) The topic at hand is the 'every webpage'- don't let dogma (even based on sound rational principles) blind you to the situation we're dealing with. That said you and I both know it's not a trivial problem for any old organization to end up with a trusted root cert in the vast majority of browsers. It is certainly less likely to occur over and over again than IPv6 to roll out or SNI support to get baked into nearly all browsers.
2&3) Go look for my posts then. I assure you I am familiar with the technologies of which you speak. There is however still a requirement of:
a) one unique layer 3 destination per hostname,
-or-
b) SNI support
-or-
c) Fancy (wildcard/SAN) certificates
Them's the facts as best I know them.
FYI *all* of the numbers you quoted are for 1k keys- which are no longer a going concern. To get 2k key performance numbers (in ideal conditions aka nothing is effed up in how they implement the chips) you can roughly divide by five so that is 15k/4k/2k respectively. And these things all cost money...
1) You don't get the issue at all. I mean technically I'm sure you could teach the course on it, but this is a business problem not a technology problem. And yes let's all become root CAs *
2) Does it make a commodity 64bit server slow down to 100s of new connections per second? Does it do all of the things that the business needs it to do to efficiently and effectively manage and serve a rich web application? Yeah didn't think so. Guess what- SSL doesn't improve anything about the immediate end user experience or the maintainability of the site. And even Servlets don't hold a candle to asymmetric key exchanges using 2k+ keys...
3) Answered about 30 times over in the comments... Let me summarize: Because it is the only way to preserve the vanity of the experience. This is important because without it there is no need to use separate hostnames for each site.
* Lemme guess- you're the/an alpha geek wherever you are. You know why that's totally ludicrous but don't expect anyone else to- so you like to throw crap like that out to try to shut people up.
Of the dozens of organizations I deal with, not one uses StartSSL certs.
See my above reply... I don't disagree with you, nor does it sound like you significantly disagree with me.
Group in your #1 is not so very small, and they are the ones that will freak out and tell everyone on Facebook that your site hacked their computer when they get the security popup...
In another year or two hopefully everyone will be using SNI...
You obviously don't understand the real world well. Web sites are marketing tools. It is marketing people that decide to use a 'vanity' domain/host name. It is 'marketing' people that dictate that the site must work on everyone's computer without throwing scary messages.
So
1) Sure, this is a valid response. I was just pointing out that they are not, in fact, free.
2) Bullshit this is about server capacity and not primarily latency. General purpose CPUs suck at crypto. A piece of commodity hardware that could serve 10,000 requests per second can probably do about 500 2048bit key exchanges per second. And before you go off about GPUs, most servers won't be using them for SSL, and beyond that most places are moving to virtualized hardware. Defeats the purpose of virtualization when you get no VM density...
3) This is not even remotely FUD, it is FACT. There are very few organizations in the world that would write off the large swath of users whose browsers do not support SNI. There are even fewer that would accept a url that looks like https://support.foo.com:97863/ they would just be using https://www.foo.com/support if they didn't care.
To a business a MASSIVE increase in cost, decrease in performance, and scaring off 10-20% of your most skittish users with security warnings is a HUGE problem which makes your customers feel even less secure. In reality the lack of HTTPS is something unwashed geeks worry about and 99% of customers are clueless about.
The problem is that the SSL negotiation happens before the HTTP session begins so there is no Host header available when the server has to cough up a certificate.
There are really only 3 options for HTTPS virtual hosting:
1) Wildcard certificates if all the sites are in the same domain
2) SAN certificates if the certificate ifs purchased with up to 5 names on it
3) An extension to SSL called SNI that sends the host information in the SSL negotiation.
The OP is referring to the fact that SNI is far from universally supported today.
If this isn't a new meme I'm not aware of, my head hurts...
1) SSL certificates are not free
2) SSL key exchanges are horribly expensive compared with serving a web page
3) Right now EVERY web site would require a unique IP address
Enough reasons?
Nobody buys a Ferrari or Lambo to get an ultra reliable sports car. Nor do they buy them to get an easy/comfortable to drive car.
Maybe a more apt comparison would be an Acura to a Chevy.
How much more direct could a confirmation be? The only question is the veracity of the anonymous source.
They haven't gotten anyone who knows to confirm it... only people who are also speculating.
Note that "an American expert in nuclear intelligence" would specifically not be someone who works in the gov't- If they could claim an anonymous official source they would.
Lately I just feel sorry for you.
Thanks! It's nice to know someone cares.
In this case whoever did it seems to have averted war at least for a few years.
Indeed- all they have confirmed is that people think the US and Israel did it...
The only new bit in the article (to me) was that they think Israel successfully managed to set up a bunch of P1 style centrifuges and test the worm...
If we're going here then I'd say Citrix Receiver is far more the 'killer app' since road warriors are not using VNC, sorry...
(BTW
This might have been true in 1997 but it's certainly not anymore.
The most effective DDoS attacks are layer 7 attacks.
It is pretty easy to deal with layer 4 attacks, trivially so to deal with layer 3 attacks.
For DDoS attacks the harder to differentiate between an attacker and legitimate user the harder it is to protect against.
Besides never being allowed on an airplane again- even after you get out of federal prison? ;)
It's only a "gross violation" if you are forced to do it. There is an opt-out.
Your opt-out is to have someone actually touch you in a way that anywhere else (save while under arrest) would result in punching or macing the attacker. This isn't because you failed a non-invasive screening procedure, it's because you don't want to take your clothes off.
Maybe I'm just shamelessly immodest, but I support these scanners if they can be shown to speed up the process of checking in.
It is literally an order of magnitude slower than standard screening. You have to stand still with your arms raised for at least 15 second after they start the scan. Then you need to stand and wait for the "all clear" over the radio. Or you need to wait for someone to take like a minute to make a rucus about you opting out and then explain the procedure you're about to go through.
We live in a world where airplanes attract way more than their fair share of terrorism - we need to accept that fact. We can't pretend that people won't try to bomb airplanes, even if there are much easier ways to kill people.
Nobody has proved that an undergarment bomb can be effective at bringing down an airliner. Besides what stops an up the ass or breast implant based device?
This is what we need for the DNS system - a decentralized distributed directory.
Oh wait that's EXACTLY WHAT IT IS! Notice how there was no outage because the H-root was down.
And like sibling jojoba points out- p2p DNS would be HORRIBLE from a trust perspective.
Ignore armanox- he is obviously confused about his setup. Unless he has some uber exotic display device there is no way it's from 1992 and decodes ATSC without an issue...
Exactly the right way to look at it.
After 17+ years on the Internet I don't have many 'firsts' anymore... This was one of them though!