Are you talking about the same system that was susceptible to remote code execution through DNS answers?
Not only does the NT architecture (and most MS software) have a fundamentally broken design ("oh nice binary blob I've got here, wonder what it does... I know! I'll just execute it and see what it does!"), Microsoft also creates shoddy code; nothing (as over 20 years of this company has shown) can change that.
It's quite different to "have to go through hoops to make the file executable" than to "have to click one big button". The first is an action requiring conscious thought; the other is automatic for 99% of people. That's why the latter doesn't work.
Second: on Windows it's really hard to disallow users from running any programs but the ones in C:\Windows and C:\Program Files, while it's trivially easy on UNIX-like systems.
Add a big scary red warning that can't be set to "always allow" ("You are submitting data over an unsecured connection. You have no way of knowing if the website you see is served by and has not been modified in transit. Are you SURE you want to continue? NEVER continue if you entered any personal info such as names, birthdays, passwords or credit card info.") when HTTP is used and we're set.
The coffee shop may not, but its customers not so much. You can't trust hotels in countries such as Burma or Lesotho (hell, you can't trust most hotels in Egypt!).
Doing ARP cache poisoning (even if you're using cable, not WiFi) is painfully easy, and networks with open access can't have any measures against it, as you don't know the MAC addresses of the devices that will connect to them.
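Detection of the ARP cache poisoning the comment above describes, as an added example that is not part of the original post: a pure-Python parser for raw Ethernet/ARP frames that flags any ARP reply which re-maps an IP address to a different MAC than the one first seen for it, or whose ARP sender MAC disagrees with the Ethernet source MAC. It runs over a small constructed capture; every MAC and IP in it is made up for the demonstration.

```python
"""Detect ARP cache poisoning in a raw frame capture (added example, constructed data)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str, oper: int) -> bytes:
    """Build a raw Ethernet+ARP frame. Used here only to construct sample traffic."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tha = bytes.fromhex(dst_mac.replace(":", ""))
    spa = bytes(int(o) for o in src_ip.split("."))
    tpa = bytes(int(o) for o in dst_ip.split("."))
    eth = ETH_HDR.pack(tha, sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, ethernet_src_mac), or None if not a sane ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):      # Ethernet / IPv4 only
        return None
    return oper, mac(sha), ip(spa), mac(src)


def detect_arp_spoofing(frames):
    """Return a list of (frame_index, claimed_ip, reason) for suspicious ARP replies.

    Baseline is simply "first MAC seen claiming this IP": on an open network there is
    no inventory of legitimate MACs, so a poisoner who answers first is not caught.
    """
    first_seen = {}    # claimed IP -> MAC that first claimed it
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sha, spa, eth_src = parsed
        if oper != ARP_REPLY:
            continue
        if sha != eth_src:
            alerts.append((n, spa, f"ARP sender MAC {sha} != Ethernet source {eth_src}"))
        prev = first_seen.setdefault(spa, sha)
        if prev != sha:
            alerts.append((n, spa, f"{spa} moved from {prev} to {sha}"))
    return alerts


# Constructed capture: victim resolves the gateway, gets a genuine reply, then a poisoned one.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"     # made-up addresses
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_CAPTURE = [
    build_arp(VICTIM_MAC, VICTIM_IP, BROADCAST, GATEWAY_IP, ARP_REQUEST),   # who has the gateway?
    build_arp(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, ARP_REPLY),   # genuine reply
    build_arp(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, ARP_REPLY),  # attacker claims gateway IP
    b"\x00" * 14,                                                           # junk non-ARP frame, ignored
]

if __name__ == "__main__":
    for idx, claimed_ip, reason in detect_arp_spoofing(SAMPLE_CAPTURE):
        print(f"frame {idx}: {claimed_ip}: {reason}")
```

The detector keeps the first mapping it saw as the trusted one, which is all you can do on a network with no known MAC inventory; static ARP entries or switch-side dynamic ARP inspection are what actually close the hole, and neither is available on an open hotel or coffee-shop LAN.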
It does this for a very good architectural reason: it's a whitelist mechanism. You need to get a response saying "yes, we did issue this cert, it's valid", not the blacklist mechanism of a CRL: "we did revoke those certificates".
OCSP forces the CA to know and remember all certificates it has issued; this way, even if the private key was used to create a rogue sub-CA, it won't be valid, as OCSP won't give the "yes, it's valid" response. The DigiNotar case shows this is a real problem: they don't know which or how many certificates have been created. With the OCSP validation model, those are useless.
Now if only Firefox, Chrome, Safari and IE actually required an OCSP response to mark a cert as valid... By default only Opera marks the connection as insecure when the OCSP resolver is unreachable.
Both CertPatrol and Convergence have to fix this problem on their side. If you have load balancing between a few datacenters (like Google does, and a few other companies; just look at Amazon Web Services) you don't want to use a single certificate for all of them. It's a really bad idea from a security perspective.
A much better situation would be if Google published a list of SHA-1 and SHA-256 fingerprints of all the web server certificates they use, in a single place on a server which uses an EV certificate from a single CA that changes only on expiration (or compromise).
Anonymization of your browsing history is important. If you use Perspectives without CertPatrol it won't cache the certificates it got from the Notary. It will query the Notary every time it visits an HTTPS site.
Convergence can also use anything else as a source of certificates: DNSSEC records, the CA cert store, a list of certificates you checked yourself, your friend's list...
It's just far more extensible.
Speedtest results aren't statistically sound, and the article you're citing is from 4 years ago. And to top it off, we don't even see "no limits" used in advertising anymore, as it has become so obvious. Besides that, it's cheaper.
You're talking about the same planet on which scientists/engineers crash multi-million space probes again and again because of conversions from an ass-backwards measurement system to the universally agreed-upon one?
Yet still, somehow, the average broadband speeds are faster in Poland than in the USA! Not to mention that data caps are non-existent on copper connections (both DSL and TV cable).
And it's not like we don't use Facebook, YouTube and p2p here.
Google offers most JavaScript libraries (like jQuery) on their servers.
Allegedly it does speed up the 'net because the browser can use the cached version of the script.
And how does that make it impossible to change glue records in ccTLDs or .com?
Aren't we talking about the database engine that was used (if not still in use) by the likes of Amazon and Facebook only a few years back?
They do have overlapping features
Now imagine if 1% of the money spent on the DoD had been given to companies like SpaceX instead...
We would already be on Mars...
Our computer clocks are all using UTC already
Not if you use Windows
The length of a day depends on the rotation of the planet, not on the size of the star or how far the planet is from the star.
A Mars "day", or local sol as scientists call it, is a bit over 24.5 h; a Venusian sol is over 243 days long (that is 5832 h).
Most electronic devices can convert between them easily
Apart from the elephant in the room in the form of MS Windows, which still doesn't keep the hardware real-time clock in UTC...
You think DST is bad? Read about leap seconds! They are added twice a year and are announced with only a few months of warning.
Now you're talking pure science fiction!
tripling 14g (instead of ½) will make your math skills less rusty so you won't make as many mistakes in your tax form...
That's why I don't use optical media for anything but regularly refreshed backups.
Having everything in big RAID arrays is just more convenient and makes moving to new disk drives a breeze.
I won't worry about telcos bribing suits; a long time before that happens we will have software patents in Europe.
As this doesn't seem to be coming anytime soon, I still sleep well.
At least the SSL they have is configured properly: https://www.ssllabs.com/ssldb/analyze.html?d=twitter.com
Unlike some banks...
With KDE4 exposé you can just type the window's title and it will start showing only the windows whose title matches.
But it's not shown in advertising. While in Britain (and most of the EU, AFAIK) the price in advertising must include sales tax.