There is no reason people can't keep using HTTP and they will, for a very long time.
Anyway it would be pretty stupid to curse the W3C for this, because W3C deals with HTML, not HTTP. The IETF are the ones that work on protocols like HTTP.
Only for some browsers on some operating systems.
Good luck with BYOD :-)
If somebody still wants the CA-system to work, we need to change the financial model. The incentive should be for them to make it as secure as possible, instead of as efficient/cheap as possible.
The whole idea of a signing party is pretty shitty anyway. Looking at a passport from a country I've never been to, to verify a person I've never met before?
That is at least as absurd as the alternatives.
Funny you should mention centralized, one of the reasons people dislike the current CA-system is because there are too many players.
So far, nobody has come up with a proper distributed trust model that people would trust to do their banking and similar stuff with.
Actually, certificates are free. Look at StartSSL.
A VPS with its own dedicated IP-address is 5 dollars a month, if you don't mind managing it yourself.
So where does that $150 come from? You are using the wrong provider.
Well, only slightly naive.
Because there is also a technical reason why they want to use SSL/TLS.
On the current Internet it is impossible to deploy a new HTTP-protocol like HTTP/2.0 or SPDY without TLS.
Because there are too many stupid proxy servers and ad-replacing middle boxes and other stuff that should never have been between you and the server inspecting or even manipulating the content. Trying to pass a new protocol through those boxes just doesn't work, errors are the only thing you'll get.
But you are right, they are pissed off.
That is why I think DNSSEC might be a good idea after all, you already depend on DNS for your domain name. With DANE you can restrict the certs that your browser will accept (by 1 or multiple CAs or by 1 or more fingerprints, thus certs).
HTTP is just a transport, port 80 (http) is the only port that is actually open on most networks, the next most popular is 443 (https).
The transport is supported by the browser, I'm pretty sure it will remain supported for a very, very long time.
Especially if handling certificates continues to suck as badly as it does now, the group of people that will deploy HTTP/2.0 will remain somewhat small.
DNSSEC/DANE is the only alternative, which isn't supported by any browser by default right now.
Most operating systems don't even support it, which would be the most elegant way to support DNSSEC from the browser.
Not everyone is convinced DNSSEC is a solution, but somewhere in between both camps, probably closer to, deploying DNSSEC is a good thing:
we already depend on DNS, your DNS-provider, the registrar, the registry and the root. We are just securing DNS.
If you don't want to use a CA: DNS is what points you to your self-signed certificate server. Might as well make sure it is the right self-signed certs with signed-DNS.
If you want more, CA-signed certs or even CA-signed EV-certs can still be used with DNSSEC. It is actually more secure because you can specify which certs the browser should expect or which CAs are allowed to sign it. Remember that 1000s of CA-problem? DNSSEC solves that.
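The DANE restriction described above (accept a server only by allowed CA or by certificate fingerprint), as an added example that is not part of the original comments. The names `TLSA`, `Cert` and `dane_accepts` are hypothetical, the byte strings are constructed stand-ins for DER data, and DNSSEC validation of the TLSA records and X.509 parsing are assumed to have happened already.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):   # one TLSA record, fields as in RFC 6698
    usage: int            # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int         # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int            # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

class Cert(NamedTuple):   # hypothetical pre-parsed certificate
    der: bytes            # whole certificate
    spki: bytes           # its public key structure

def _fingerprint(cert, selector, mtype):
    blob = {0: cert.der, 1: cert.spki}.get(selector)
    if blob is None:
        return None       # unknown selector: record is unusable
    if mtype == 0:
        return blob
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(mtype)
    return algo(blob).digest() if algo else None

def record_matches(rec, chain):
    """chain[0] is the server (end-entity) cert, chain[1:] are its CAs."""
    if rec.usage in (1, 3):      # pin the server certificate itself
        candidates = chain[:1]
    elif rec.usage in (0, 2):    # pin a CA that must appear in the chain
        candidates = chain[1:]
    else:
        return False
    for cert in candidates:
        fp = _fingerprint(cert, rec.selector, rec.mtype)
        if fp is not None and hmac.compare_digest(fp, rec.data):
            return True
    return False

def dane_accepts(rrset, chain):
    return any(record_matches(rec, chain) for rec in rrset)

# Constructed sample data, not real certificates.
LEAF = Cert(b"constructed-leaf-cert", b"constructed-leaf-key")
RENEWED = Cert(b"constructed-renewed-cert", b"constructed-renewed-key")
CA_A = Cert(b"constructed-ca-a-cert", b"constructed-ca-a-key")
CA_B = Cert(b"constructed-ca-b-cert", b"constructed-ca-b-key")
RRSET = [
    TLSA(3, 1, 1, hashlib.sha256(LEAF.spki).digest()),  # this server key
    TLSA(2, 0, 1, hashlib.sha256(CA_A.der).digest()),   # or anything under CA A
]
```

With this record set, a certificate for the same name issued by any CA other than CA A is refused unless it carries the pinned server key.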
HTTP/2.0 is guaranteed to be defined in the RFC as SSL-only, because proxies on the public internet just won't understand the completely protocol.
The real question is, will HTTP/2.0 with non-verified certs be allowed for http:/// URLs?
Probably not, http:/// isn't visible in more than half of all browsers anymore.
The people at the IETF basically wanted to do this:
Not encrypted: http:///
Encrypted, not verified: http:///
Encrypted, verified: https:///
The reason for this is: when a page request has a https:/// link, they are actually asking for secure.
Because encrypted, not verified is NOT secure.
It ONLY helps you against a passive attacker.
Do you think it applies to Germany? Because I don't.
That is a very US-centric view.
The funny thing is, oil still does. And it might surprise you, but it's more than solar and wind.
Worldwide there is 5 times more money spent on military than medical.
I wonder what that is like in the US ;-)
Mozilla, behind the scenes, no in the open, at W3C and IETF is making sure it stays that way as much as possible.
If you think things can't change you clearly don't live in the real world.
Mozilla was important and Mozilla remains important.
An example is iOS. Another example is Android, which is getting more and more closed:
http://arstechnica.com/gadgets/2013/10/googles-iron-grip-on-android-controlling-open-source-by-any-means-necessary/
Could this be a good reason for deploying 2 factor authentication?
I don't believe in bio-metrics, so it would have to be something you know and something you have, like a USB-key or something like that.
If you think this is about attracting random talent, you are so wrong.
This is about compensating known experts for their time spent on doing the audit.
It takes a lot of time to do an audit.
The demo uses mplayer.
But whatever, details, who cares, right? :-)
Obviously, many services already exist which provide bounties for open source development:
https://www.google.com/search?q=open+source+bounty
So really, from first glance this doesn't sound new in any way.
The writer of the article thinks the 'voting system' (multiple people pledge to pay for a feature/bugfix) is a novel idea though. I've not looked at the others, it might be.
Sounds a bit like kickstarter as well.
They are stating the truth though:
http://iswebrtcreadyyet.com/
I'm sure the Firefox developers will release an implementation soon enough:
http://www.youtube.com/watch?v=S6-rAv6bU8Q
The foundation is about making money. Money for the foundation and the business partners.
Please, just stop calling it a charity.
Nothing people didn't already know, but shows people how simple it is.
It has been known for years CAN bus needs authentication.
Yeah, I think it took them a long time to agree on what the audio standard would be.