Slashdot Mirror


User: Sancho

Sancho's activity in the archive.

Stories: 0
Comments: 5,182

Comments · 5,182

  1. Re:Microsoft bashing? on IE8 Beta 2 Fatter Than Firefox and XP · Score: 1

    I don't know what it is, but Firefox memory use seems to vary dramatically between people.

    It obviously depends upon the content of the pages. 20 tabs of Google searches will not use up all that much. 20 tabs of YouTube videos and MySpace pages probably will.

  2. Re:At Least Some Features Are a Step Forward on IE8 Beta 2 Fatter Than Firefox and XP · Score: 4, Funny

    It's a strange feeling having the page display the same (with the same code!) in all major browsers.

    This is just a beta release. Give it time--I'm sure that Microsoft will fix this obvious bug before the IE8 release.

  3. Re:About Time on Comcast To Cap Data Transfers At 250 GB In October · Score: 2, Informative

    When was the last time you saw Comcast advertising "unlimited" Internet access? Seriously. Maybe as little as 5 years ago, but I'd guess that they stopped doing it longer ago than that. For example, I couldn't find the word on their webpage from 2003: http://web.archive.org/web/20030207135808/comcast.com/Products/Internet_Details.html?LinkID=21 In fact, on my brief reading of the archived pages, I didn't see the word "unlimited" anywhere, going as far back as 1999.

    Of course, they may have been using the word in TV and print ads. I don't have an archive for that.

    Regardless, I haven't seen a broadband provider use that word in the US in a very long time, with the sole exception of cellular providers, who use 5GB and "unlimited" interchangeably when referring to their data plans.

  4. Re:What's with everyone picking ONE format? on Digital Storage To Survive a 25-Year Dirt Nap? · Score: 1

    But what's not cheap, in this case, is storage space. It's pretty common for these time capsules to be filled with all sorts of things. Devoting a quarter of the space to various formats of the same data is probably not acceptable.

  5. Re:Confusion on iPhone Web Claims Draw Governmental Rebuke in UK · Score: 2, Interesting

    Yeah, I'm still pissed that I can't use WoW on my iPhone. It says it supports the whole Internet!

  6. Re:Only obfuscation on Browser Extension Defeats Internet Eavesdropping · Score: 1

    There's another way that this can fail. Here's a hint: the URL to install the Perspectives plugin is http://www.cs.cmu.edu/~perspectives/Perspectives.xpi

  7. Re:The investor's budget? on The Best Gaming PC Money Can Buy · Score: 2, Informative

    How many colons and right parentheses does a $5000 gaming rig get you?

  8. Re:Cheat code for even Sudoku?? on Solving Sudoku With dpkg · Score: 1

    You're simply incorrect. *shrug*

  9. Re:Cheat code for even Sudoku?? on Solving Sudoku With dpkg · Score: 1

    Only one B A is required....
    http://en.wikipedia.org/wiki/Konami_Code

  10. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    Well, they at least expect the customer to go to the base URL first, and if they do a redirect, that makes bookmarking hard.

    Citibank (I used them as an example in another post) redirects any connections on port 443 of their main page to the port 80 version of their site with the redirecty URL (/us/something). That means that verifying them is extremely hard. That makes me sad.

  11. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    In Firefox 3 (which is what everyone's talking about, I believe), you have to do the following:

    1. Click the "Or you can add an exception" link.
    2. Click the "Add Exception..." button.
    3. Click the "Get Certificate" button.
    4. Click the "Confirm Security Exception" button. ("Permanently store this selection" seems to be selected by default.)

    No saving to files. No figuring out where to import it. The process of retrieving and importing is made almost as easy as possible (seems like you could omit step 2, and possibly replace step 3 with just viewing the certificate.)

  12. Re:Got it wrong on Was Standardizing On JavaScript a Mistake? · Score: 1

    Is reading hard for you?

    > You say that PHP is really hard to learn.

    I said that it is hard to really learn. The order of the words changes the connotation significantly. It's pretty trivial to whip up a page in PHP. Debugging it can be hard when things don't act as you expect them to.

    > There's nothing inherently insecure about PHP.

    It's far easier to make a mistake with a full programming language than with server side includes.

    > The poster in question was not just talking about standard headers and footers, but a fully templated website with a consistent visual style.

    If that was his intent, he didn't make it clear. He said a consistent design. That is easily achieved with SSI and CSS. If he meant templates, he should have said templates.

    Also, please note that it's possible to disagree with someone and to rebut their post without being an ass about it. So go to hell, and don't bother replying to my message.

  13. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    Well, the point is that HTTP offers no authentication. A self-signed cert offers no authentication. The question is why we bother differentiating between the two in the browser? The answer is because a self-signed cert may indicate a man-in-the-middle attack. But most self-signed certs are not evidence of MITM--they're evidence of cheap domain owners. And most users don't think about security, ever--those that do type in https:// manually. Thus, I propose the following, which is a modification to the above suggestion.

    If the user performs an action which takes him to a new page, and which was performed outside of the context of the current page (examples are clicking a shortcut on their desktop, using a bookmark, or typing into the address bar) in a method which is insecure (examples are leaving off the protocol or explicitly typing "http" instead of "https", or with a bookmark which is "http"), then everything works as normal. If the user performs one of those actions, but uses https, throw up big warnings for certs which have changed, or which are self-signed. The user obviously cares about security (typed "https") or has visited the site before (bookmarked/copied link to desktop), and so Firefox should make sure that they're aware of any potential security issues.

    Now, say the user navigates to an https page from an http page. There's no implied security context here. If the https page is CA-signed, great. Do things like we're doing them. If the https page is self-signed, however, there should be no UI change indicating security or insecurity. After all, it's no more authenticated than HTTP, right? Why even bother telling the user that it's HTTPS?

  14. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    Why didn't you permanently add the router's certificate to your browser? That way it wouldn't happen every time.

  15. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    It's pretty trivial to enable SNI on your servers. You can either use a reverse-proxy which supports it (like nginx), or patch lighttpd to support it, or use mod_gnutls under Apache. Then you don't need that IP address.

    As for the cert cost, you can get them for under $30 (from GoDaddy) or for free for 90 days from Comodo (instantssl.com), though I don't know if these can be renewed.

  16. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    If I were guessing, I'd think "very few." Now if a site instantly redirects to their SSL-enabled site, and the user then bookmarks the site, and they weren't being MITMed during this visit to the site, then they may hit the SSL-enabled version of the site every time that they're using that browser/computer. But that's a lot of conditionals. There are probably some people who match it, though.

    I've seen web logs from some smaller webmail providers (mostly just people I know who were curious about the same sorts of things.) A lot of people hit the port 80 version of the site first.

  17. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    Some level of verification can be done automatically. Mail the technical contact at the domain for authorization. Get a response. Now, an attacker has to be able to read that mailbox or poison the CA's DNS long enough to get the message. Possible? Sure. Easy? Not if they're patched.

    What level of identity verification is acceptable to you? What would a human do to both verify your identity and verify that you're the one who owns that domain? Seriously, I'm genuinely curious.

  18. Re:Unavoidable with devices on Firefox SSL-Certificate Debate Rages On · Score: 1

    godaddy.com has certs for $29.99/year, and they get cheaper if you buy them for longer than 1 year.

  19. Re:Unavoidable with devices on Firefox SSL-Certificate Debate Rages On · Score: 1

    It's irrelevant for routers because they won't have a domain name. But a lot of the people railing against CA-signed certs seem to be under the false impression that they cost hundreds of dollars per year. That's what I was refuting.

  20. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 3, Insightful

    You're not the average user. Most people on Slashdot aren't the average user.

    > But what you are saying is that the browser should just accept the invalid certificate and submit the data anyway.

    I didn't say that anywhere. Please do not put words in my mouth.

    What I am saying is that a lot of users don't have an expectation of privacy. They only notice problems. When there aren't warning dialogs popping up, they don't think about security. I'm saying that the entire paradigm is flawed because of this. Instead of SSL being the exception, it should be the rule, and deviation from the rule should be pointed out to the user every single time.

    But even then, it probably wouldn't be enough. People have to have their crazy cursors and their dancing baby desktops.

    You seem to have written your entire post with the assumption that I was agreeing or disagreeing with any of the posts directly above me. Not everyone automatically shares or rejects the opinions of the posts to which they reply. I simply thought it might spawn interesting discussion to point out that users may fall for MITM if they never even see a lock up in the corner of their browser window.

    Want some evidence? People fall for phishing. I work for an ISP which has monitored phishing in the past, and quite simply, people will reply to the e-mails with their passwords and visit the webpages entering in their credentials. Every major phishing event has included people doing this. What makes you think that these same people will suddenly be security-aware when someone is intercepting their connections to mybank.com over port 80?

    Take a major banking website:
    http://www.citibank.com/us/index.htm
    (I found this page by simply typing citibank.com into my browser.)

    What happens when you go to that site? You go there, you click on "log me in" or whatever, and then it switches to SSL. Think the user is going to notice if it doesn't switch to SSL? Probably not. So one could MITM this site pretty easily and harvest logins. SSL never even comes into play. All of the "self-signed certs are no worse" or "ca-signed certs are way better" arguments don't even matter, now.

  21. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    That's reasonable then. I just don't think that it's a good idea to train users in bad habits. They have enough of them without our help.

  22. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    Nothing's a guarantee. See the recent story about how a researcher managed to get a cert for login.live.com from a major CA.

  23. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    That's pretty awful training. You should be providing the certificate, or at a bare minimum, a card with the cert's fingerprint.

    You are no less secure, but your users are. What if they are being MITMed during the first time that they accept the cert?

  24. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    And then you just have an extra step that malware authors tell the users to do in order to install their software. If 'homebrew software' (or more specifically, open source software) is popular enough, people will already be used to this annoyance and they will perform it without thinking. The only thing this gains us is more irritation.

    That said, it could be a boon for open source developers. They could buy a signing cert, and then sell binary versions of their software while giving away the source. The binary version would have a real value to it--the OS won't complain when you install it.

  25. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    > When there is no certificate, the user has no expectation of security and may adjust their behaviour accordingly by withholding their personal data.

    But they probably won't.

    Instead, the user who is used to browsers warning him of insecure connections, will likely note the lack of a warning and input his credit card number right into the box. Hey, Firefox didn't say it was bad! (Well, it probably warned him against transmitting data to the server insecurely the first time he did it, way back when he first performed a Google search with his shiny new Firefox.)