CAs should be non-profit, or at least heavily penalized for issuing false certificates, if this is going to work.
The problem is the same with Moody's, actually: the central issue is that the people doing the auditing are being paid by the people they're auditing. Simply having browser users pay CAs (or investors pay rating agencies) would put the economic incentives in the right place, but that idea doesn't sit well with a lot of people.
So instead, we're left with imperfect and leaky regulation. CAs really should be subject to more regular audits, and their trust bits should be removed by browser vendors when they are abused.
Other languages have different vulnerabilities. There's no substitute for a brain behind the keyboard when writing software that's supposed to be secure.
Besides, Mozilla-family browsers are mostly written in Javascript, whereas Webkit is a C++ package. Yet somehow kids here consider Webkit interesting and cool, and Mozilla obsolete garbage. I happen to disagree.
It's actually rather amusing that people here proclaim Pascal-style strings as the solution to all our woes.
It's because certificates use ASN.1, essentially a modern-day Pascal string, that these vulnerabilities are possible. If certificates instead were encoded using C-style strings, NULLs wouldn't be an issue.
Idiots? I think not. Put yourself in the shoes of programmers in the 70s. Could you have come up with a better idea that did all these?
didn't use more than one byte of extra memory
worked for both static and dynamically-allocated strings
did the right thing when embedded in structures initialized to zero
allowed for easy, efficient string concatenation
Sure, today, C strings might seem like a poor decision today, in this age of virtual memory, C++ classes, and sophisticated optimizing compilers. But at the time, C strings were the least bad of the available alternatives.
If Pascal strings had become standard, we'd be dealing with 256-bytes length limits all over the place as Pascal only use eight bits to store the string length. I imagine there'd be attacks that involved making the length counter overflow. We'd still have bugs, but different bugs.
Now that's an oxymoron definition. If it's genuinely important to the nation to keep a document secret, then classify it. If it's not important enough to classify, then it's not important enough to keep from the public. A transparent government is a good government.
The strange thing is that he used shutdown -r now instead of this newfangled reboot the kids like to type. If you know what shutdown does, you should know when to not use it.
Sorry, but once a phone is in my hands, it's mine. Period. If Apple would like to dictate terms that apply to phones it actually owns, so be it. But if I were to buy an iPhone, it'd be my property, not Apple's, and Apple would have no right to tell me what to do with it. That's the reason I never bought an iPhone: I need to have control over my own property.
I can install anything I want with no DRM whatsoever. I can even ssh into the phone. The applications are written in plain old Javascript, even the built-in ones, so they can be trivially modified. The Pre is a hacker's dream phone.
It'll be a cold day in hell before I use a closed phone again.
Verisign is untrustworthy, so why should I care if a certificate is signed or not?
Erhm, CAs do actually provide a measure of trust. Sure, they make mistakes, but in the vast majority of cases, the system works as designed. You're being disingenuous.
Antivirus programs don't actually do much anyway other than provide that warm, fuzzy feeling. If you run without administrator privileges and keep your machine updated, there's really no need for one.
You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack that allows any site to probe whether you've visited another completely unrelated site.
Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.
Why are you sticking up for the interests of a giant, faceless corporation over those of people just like yourself? The EU's requirements are quite reasonable. When your market domination becomes as complete as Microsoft's, and your product becomes critical to the functioning of the modern world, you ought to expect to be regulated more like a public utility than Joe's Flash Games GmBH.
And you tolerade adware being on your computer longer than the time it takes to find a removal tool? Egahds. I don't know how you'd manage to live with the computer equivalent of a brain slug attached to your head.
Say what you will about that movie, but one scene struck me: Borat sleeps on the ground outside one of those born-again megachurches, and a crowd arrives for a Sunday service. Instead of trying to help him, churchgoers just step over Borat and try to ignore him on their way to the service. If that isn't the antithesis of every teaching of Jesus in the New Testament, I don't know what is.
When we repealed the (very good) legislation enacted in response to the Great Depression, we restore to market to its natural boom-bust cycle. We'll keep going through these periods until we restore the safeguards that our great-grandparents wisely created. Even without the dubious benefits of computer models and Chicago economics, these people gave us 50 years of prosperity that we've managed to wreck in a decade. Shouldn't we stop arrogantly assuming that they were wrong, we are right, and accept that we might need regulation after all?
Slashdot Mirror
The problem is the same with Moody's, actually: the central issue is that the people doing the auditing are being paid by the people they're auditing. Simply having browser users pay CAs (or investors pay rating agencies) would put the economic incentives in the right place, but that idea doesn't sit well with a lot of people.
So instead, we're left with imperfect and leaky regulation. CAs really should be subject to more regular audits, and their trust bits should be removed by browser vendors when they are abused.
By the way: I remove Comodo root certificates from any browser I use. Comodo allows its affiliates to issue certificates to anyone without verification, and therefore I do not trust Comodo.
Other languages have different vulnerabilities. There's no substitute for a brain behind the keyboard when writing software that's supposed to be secure.
Besides, Mozilla-family browsers are mostly written in Javascript, whereas Webkit is a C++ package. Yet somehow kids here consider Webkit interesting and cool, and Mozilla obsolete garbage. I happen to disagree.
It's actually rather amusing that people here proclaim Pascal-style strings as the solution to all our woes.
It's because certificates use ASN.1, essentially a modern-day Pascal string, that these vulnerabilities are possible. If certificates instead were encoded using C-style strings, NULLs wouldn't be an issue.
Idiots? I think not. Put yourself in the shoes of programmers in the 70s. Could you have come up with a better idea that did all these?
Sure, today, C strings might seem like a poor decision today, in this age of virtual memory, C++ classes, and sophisticated optimizing compilers. But at the time, C strings were the least bad of the available alternatives.
If Pascal strings had become standard, we'd be dealing with 256-bytes length limits all over the place as Pascal only use eight bits to store the string length. I imagine there'd be attacks that involved making the length counter overflow. We'd still have bugs, but different bugs.
So quit. Life is too short to keep working at a job you've come to hate.
Now that's an oxymoron definition. If it's genuinely important to the nation to keep a document secret, then classify it. If it's not important enough to classify, then it's not important enough to keep from the public. A transparent government is a good government.
The OP's insane speculation reminds me of the Electric Universe crazies. Every field has its lunatic fringe.
The strange thing is that he used shutdown -r now instead of this newfangled reboot the kids like to type. If you know what shutdown does, you should know when to not use it.
30?
Sorry, but once a phone is in my hands, it's mine. Period. If Apple would like to dictate terms that apply to phones it actually owns, so be it. But if I were to buy an iPhone, it'd be my property, not Apple's, and Apple would have no right to tell me what to do with it. That's the reason I never bought an iPhone: I need to have control over my own property.
I can install anything I want with no DRM whatsoever. I can even ssh into the phone. The applications are written in plain old Javascript, even the built-in ones, so they can be trivially modified. The Pre is a hacker's dream phone.
It'll be a cold day in hell before I use a closed phone again.
Erhm, CAs do actually provide a measure of trust. Sure, they make mistakes, but in the vast majority of cases, the system works as designed. You're being disingenuous.
Antivirus programs don't actually do much anyway other than provide that warm, fuzzy feeling. If you run without administrator privileges and keep your machine updated, there's really no need for one.
You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack that allows any site to probe whether you've visited another completely unrelated site.
Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.
Sir, I believe you have the makings of an April Fools RFC.
Who knows what else that program is doing to your computer?
All right, that's enough. I'm cutting myself off: no more posting for me today.
Why are you sticking up for the interests of a giant, faceless corporation over those of people just like yourself? The EU's requirements are quite reasonable. When your market domination becomes as complete as Microsoft's, and your product becomes critical to the functioning of the modern world, you ought to expect to be regulated more like a public utility than Joe's Flash Games GmBH.
Pat Buchanan would still be the better browser.
Now with free remote code execution! Get real. The inclusion of that item makes it impossible to take the rest of your post seriously.
And you tolerade adware being on your computer longer than the time it takes to find a removal tool? Egahds. I don't know how you'd manage to live with the computer equivalent of a brain slug attached to your head.
Say what you will about that movie, but one scene struck me: Borat sleeps on the ground outside one of those born-again megachurches, and a crowd arrives for a Sunday service. Instead of trying to help him, churchgoers just step over Borat and try to ignore him on their way to the service. If that isn't the antithesis of every teaching of Jesus in the New Testament, I don't know what is.
Greed is a constant of human nature. The failure is in effectively channeling and mitigating greed, which in turn is a failure of policy.
When we repealed the (very good) legislation enacted in response to the Great Depression, we restore to market to its natural boom-bust cycle. We'll keep going through these periods until we restore the safeguards that our great-grandparents wisely created. Even without the dubious benefits of computer models and Chicago economics, these people gave us 50 years of prosperity that we've managed to wreck in a decade. Shouldn't we stop arrogantly assuming that they were wrong, we are right, and accept that we might need regulation after all?