That's not good, but at least someone would have to break into Slashdot's servers to get the passwords. Why don't they hash the password with some salt and store the hash in the database?
It's not a WiFi vulnerability. The vulnerability is that without HTTPS, passwords and cookies are sent in the clear, so that anyone who can see your Internet traffic can impersonate you on sites you log into. This could happen on a WiFi network or on a wired network. Slashdot does not support HTTPS at all as far as I can tell.
Well, how are you going to get job security doing that? I suppose you make sure you fully document and comment your code, too. Expect to be replaced with fresh-out-of-college kids or an offshore development team!
My point wasn't that it was intentional. My point was that it was in fact unintentional, but anyone could have seen it coming. I remember those who insisted that all that matters is that it works in IE 6 because that's what everyone was using. I responded to them by saying that there's no guarantee it will work on another browser, another OS, or even another version of IE on Windows. I suppose those people are now saying, "Oh, now I understand what that guy was trying to explain!" Oh, who am I kidding. They forgot what I said five minutes after they dismissed it offhand.
Corporations should have insisted that their web applications *worked* on some other browser, even if they were standardized on *using* IE. A web application that ran on Mozilla or Opera in addition to IE 6 would allow corporations to switch away from IE 6.
There's a world of difference between standardizing on using version X of product Y, and trying to pretend that any other products and any other versions do not exist. If your specifications state that a solution must work only on version X of product Y, you will have vendor/version lock-in.
The problem was that IE had a 95% share of the market, so developers thought they could get away with developing web applications that would work only on IE 6 for Windows. And, of course, they did. The companies that bought these applications because they didn't realize this would mean that the applications would not work in other operating systems, other browsers, or even other versions of IE are now stuck with IE 6, which means they're stuck with Windows XP. It's worse than vendor lock-in. It's vendor/version lock-in.
You're right. I just tested in Firefox, and it gives a warning for an image loaded using an HTTP URL from a different server than the HTTPS page. Is there a good reason? Is it to help prevent some type of XSS attack?
I read that when Google switched Gmail over to HTTPS that their server load increased by 1%. Today's CPUs are blazingly fast. Why would you think that the server load would be an issue with encrypting and decrypting all communication? A web site is largely about having a large enough Internet connection and a large and fast enough database to keep up with the Internet traffic. Those CPUs are mostly just sitting around twiddling their thumbs waiting for I/O.
You don't mind the GNAA making posts using your account on Slashdot I suppose. And I'm sure future employers will not mind when they see that stuff posted using your name when they search the Internet prior to hiring you.
SSL certificates cost about $10-$15 per year for each subdomain. Unless your site is like Slashdot's with a subdomain for each topic (e.g. apple.slashdot.org, ask.slashdot.org, ..., yro.slashdot.org) the cost for SSL certificates is minimal. Yeah, let's just encrypt everything all the time, except for very small sites that do not use any authentication.
Half the DPI? You think someone wants 40 DPI monitors? Hey, the 80s called and they want their 40 DPI monitors back!
No matter what nationalities you use, it doesn't make sense to work on monitors with half the DPI of current monitors, does it?
Let's see... "Engineers are hard at work on new monitors with half the DPI of current monitors." Yeah, I see what you mean!
Is that what Opera called cookies?
Delicious delicacies!
Vulnerable to what?
Ah, that sweet, sweet sound of technobabble.
It must have been a Star Trek communicator. Maybe she was talking to Lt. Uhura?
You can get certificates from StartSSL for free. If you want to pay, they're only $10-15 per year, not $50 per year.
You insensitive clod! bunratty is my real name!
My point was that Firesheep can be used to impersonate you, not just invade your privacy.
Yes, I understand. But I was under the impression the HTTP element had to be on the same site as the HTTPS page. Is that not the case?
Do they throw up a warning even when all traffic to one site is SSL and all traffic to another site is non-SSL?
Last I heard there were plans for high speed rail in the US which would cut oil use by 125 million barrels per year.
Observations of the Earth's climate agree with the climate models. The predictions of warming due to increased concentrations of carbon dioxide in the atmosphere date back to the 18th century, and we've observed the predicted warming and other effects for decades. We have high confidence because observations match predictions. That's how science is done.