The attack they are trying to fix is a bad actor on the server.
If the software on the user's computer is compromised or the user is stupid enough to print it on paper and leave it at the desk unattended... then those kinds of things are out of a web application programmer's hands.
The real problem is that eventually you have to present the clear text to the user; what the user does with the clear text isn't an easy problem to solve.
I'm glad if they at least solved the untrusted server problem.
If you read the article, you would find they download the signed application code and have a generic browser extension which verifies the signature of the code.
This is somewhat similar to what CryptoCat does, but the browser extension works only with CryptoCat.
But as their browser extension is generic, it can be made into a standard to be part of every browser, so there would be nothing to install.
On the other hand, it's good that most Docker deployments would only be running a single process and have an easy way to deploy an updated version. As you mentioned lots of people using Docker also use Jenkins for doing automated unit tests. So at least when they've created an updated version they can subject it to testing.
I wouldn't dismiss it from the start, we'll have to see how this plays out.
Bitcoin isn't like your normal economy you might know so well, because it is a deflationary currency, so people want to keep their coins because the value increases over time.
Hundreds of providers? I'm not so sure. Building infrastructure is (really) expensive. I wouldn't be surprised if many of them outsource the transports to other companies.
Like DSL in many cities in Canada, a lot of times runs over Bell Canada telephone lines.
And Solaris (and open source forks) with Zones has had this for many, many years too.
This was a non-US citizen trying to get into the country.
She had a student visa, was put on the no-fly list, and when she left the country for a few days, it was revoked.
I think changing her name and sending the education institute a copy of the new passport and asking for a new student visa might actually have worked.
If it works, it would probably be a hell of a lot faster than 9 years.
"Layers are a bit like mathematical models, they're simplifications of reality."
Don't forget that when you add too many layers, it isn't simple anymore.
Sounds like closures to me: https://en.wikipedia.org/wiki/...
If you control both sides, use your own CA.
Really, it isn't that difficult.
But please don't disable validation.
Actually, OpenShift doesn't use containers, it uses SELinux to do that.
I wouldn't be surprised if they are working on moving to something that does both: containers secured by SELinux.
I wonder if you read the PDF; if you did, you would know they use a browser extension to verify signed JavaScript/HTML/CSS code.
So an attacker of the server cannot modify the code unless they have the private key which is used for signing.
"How do I notice that the Javascript they serve me is secure, if I'm not to trust the server?"
They use a browser extension to verify the signature of the downloaded JavaScript code.
But their browser extension is generic, so it could be made into a standard so it will be part of the browser.
"The fact that Mozilla supports DRM now means that soon I can't even trust Firefox without any addons."
As far as I know, Mozilla/Firefox does not support Encrypted Media Extensions and doesn't seem to have the intention to do so.
Did you know Mozilla is building a new browser engine, built in their new safe Rust language, to fix that problem once and for all?
http://en.wikipedia.org/wiki/S...
http://en.wikipedia.org/wiki/R...
That method would at least eliminate all those pesky buffer overflow bugs in browsers.
I thought the classic use case is to have the same environment in dev, test, qa, production, wherever. Anywhere you can run a modern Linux kernel.
And why do people rub brains together? What kind of improvement do you get from doing that? Does it work if you only have one brain to rub?
Yes, many, many questions.
Let me add something: it is extra risk in comparison to non-DNSSEC DNS deployment.
The complexity of DNSSEC makes it easier to make such a mistake.
Not that I think RPKI is bad, or it's good what RIPE is doing, but these stats say nothing about validation in the field.
Actually, ComCast is one of the few large providers that deploys DNSSEC and IPv6:
http://dns.comcast.net/
http://www.comcast6.net/
It isn't just the administrative burden.
A failure to get DNSSEC right could take down the domain for hours without an easy way to recover.
There is a chance this will change in the (near?) future.
The US government says they are going to let ICANN 'go global':
http://www.ntia.doc.gov/press-...
Browser vendors need to know how developers use features to know what direction they need to go in. Or what next to standardize.
The fact that ours doesn't is the result of money: businesses having too much (in)direct influence.
If it doesn't lead to corrupted politicians, it's at least corrupting democracy.
Have you tried enabling it?
http://youtube.com/html5
It has been improving, but only very slowly.