Plain HTTP is less secure; it also doesn't give a false sense of security.
Users don't interact with HTTP, they interact with the browser. And the browser can choose when to provide the appearance of security, based on more than just what protocol it happens to be using to talk to the server.
If you think the data is secure then you are likely to transmit information that you consider confidential
And since plain HTTP doesn't throw all those errors about being insecure, it must be perfectly safe to transmit whatever you like...
Please quickly add yourself to the list of clueless people whining about Firefox because you don't actually understand secure communications.
I'm not clueless, I just don't see why everyone is so set on assuming that all CAs included in every browser are infallible, and on insisting that the only way to be "legitimate" is to join in on the (flawed, IMO) assumption.
I really wish you people would stop whining about how Firefox alerts on self signed certs. EVERY browser does, FOR A REASON.
And that reason is STUPID, because plain http is always at least as insecure.
An unvalidated self-signed certificate will just require a different approach to eavesdropping
[emphasis added] There are ways that self-signed certificates can be validated, do you know what "out-of-band" communication is? This can even be automated, if you're willing to reduce your security to only a little bit better than the current CA system.
No one has ever explained to me why a legitimate site that needs ssl couldn't afford a legit signed cert.
What about sites that don't need ssl, but would like to at least make the three-letter-agencies spend a bit more on their eavesdropping hardware (and risk getting caught if someone checks the fingerprints)?
Who says that CA-signed === legit? A CA is for mapping cert -> meatspace identity, but they only actually do that for the "extended validation" certs. What if I only care that I'm talking to the same site I was talking to last week, and don't care who's behind it in meatspace?
Because it tells you that there is an error and the site is broken, rather than clearly warning you that the site isn't really secure? Because it has a priority inversion, where it treats self-signed as less secure than completely unsigned?
What, the protocol spec says "thou shalt have such-and-such a user interface"? It completely forbids the application determining "the protocol can provide X and Y, but in this case we only have X and not Y", and telling the user what we actually have rather than what the protocol we're using could theoretically provide? If so... that's really very stupid, and maybe people should ignore it.
EXACTLY! With a self-signed certificate, there's no indication that a man in the middle attack is taking place.
SSL without a trusted certificate provides NO additional security over communicating in the clear. AT ALL.
Self-signed != untrusted, and CA-signed may not always = trusted. Why do people always seem to just assume that CA-signed/self-signed are equivalent to trusted/untrusted?
There are ways to verify certs other than having a site- (or attacker-) chosen CA sign them. For example, the Perspectives Firefox extension relies on "you can't fool all of the people all of the time" rather than the "you can't fool any of these people ever" that the CA system relies on. And it works regardless of whether a cert is self-signed.
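As an added example, not part of the thread: the two non-CA approaches raised above, validating a self-signed certificate by a fingerprint confirmed out-of-band (trust-on-first-use pinning) and the Perspectives-style "ask several vantage points" check, in Python. The host name, certificate bytes and notary observations are constructed, and the quorum threshold is an assumed policy value.

```python
import hashlib

# Constructed stand-ins for DER certificate bytes (real DER would be used in practice).
CERT_SITE_V1 = b"constructed-der: CN=example.test, key=k1"
CERT_SITE_V2 = b"constructed-der: CN=example.test, key=k2"  # legitimate re-key
CERT_MITM = b"constructed-der: CN=example.test, key=interceptor"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


class PinStore:
    """Trust-on-first-use: 'is this the same site I talked to last week?'"""

    def __init__(self):
        self.pins = {}  # host -> fingerprint

    def pin_out_of_band(self, host: str, fp: str) -> None:
        """Record a fingerprint obtained over a separate channel (phone, in person)."""
        self.pins[host] = fp

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "FIRST_SEEN"  # nothing to compare against yet: confirm out-of-band
        return "MATCH" if known == fp else "MISMATCH"  # re-key, or an interceptor


def notary_verdict(der: bytes, observations: list, quorum: int) -> str:
    """Perspectives-style check: accept only if at least `quorum` independent
    vantage points observed the same fingerprint for this host."""
    fp = fingerprint(der)
    agreeing = sum(1 for seen in observations if seen == fp)
    return "ACCEPT" if agreeing >= quorum else "REJECT"


def demo() -> dict:
    """Walk through both mechanisms and return the verdicts."""
    store = PinStore()
    results = {
        "first_visit": store.check("example.test", CERT_SITE_V1),
        "next_week": store.check("example.test", CERT_SITE_V1),
        "interceptor": store.check("example.test", CERT_MITM),
    }
    # After a re-key the operator publishes the new fingerprint out-of-band.
    store.pin_out_of_band("example.test", fingerprint(CERT_SITE_V2))
    results["after_rekey"] = store.check("example.test", CERT_SITE_V2)
    # Constructed notary views: four saw the real cert, one (behind the interceptor) saw the attacker's.
    notaries = [fingerprint(CERT_SITE_V1)] * 4 + [fingerprint(CERT_MITM)]
    results["notary_real"] = notary_verdict(CERT_SITE_V1, notaries, quorum=3)
    results["notary_mitm"] = notary_verdict(CERT_MITM, notaries, quorum=3)
    return results
```

The MISMATCH case is deliberately left for the caller to resolve, since the pin store alone cannot tell a legitimate re-key from interception; that is exactly the gap the out-of-band step or the notary quorum fills.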
Seriously, investors knock 10% off the value of Apple's stock because somebody anonymously posted a rumor on the internet and this is "citizen journalism"'s fault? Bullshit.
Right, they're gamblers instead of investors. The reliance on brand-new unverified stories is so they can guess what everyone else will do, and do it first.
You might be better off with real guns. The worst damage you can do to a plane with one is to make a small hole somewhere you can't plug in flight. Whereas high voltage electricity does not tend to mix well with complex electronics.
It should be fairly simple to keep important electronics away from the passenger cabin and any high voltage it might contain, I'd be more concerned about a real gun putting holes in passengers who happened to be behind the target. The martial arts idea is good, though.
Of course *they* have *their* lawyers looking at it, but a second opinion might not hurt.
That doesn't mean anything about whether or not it's actually enforceable. They can include things they know can't possibly be enforceable just to scare people into not doing what they're allowed to do, and apparently nothing bad happens to them (or else it wouldn't be so common). That particular part of the contract gets cut out or maybe even just shrunk to the limit of what they can demand. Probably there ought to be fines or something, so regulators/activists/watchdogs can have some teeth to stop them from basically lying to people...
In a free market, mortgage banks could choose which credit agency they wanted to give them a credit ranking on their securities. If the ranking was low they could then choose another credit agency that wanted their business more and would give a higher ranking. Yep, this occurred.
I seem to recall that the government made a short list of groups that were allowed to issue those ratings. I also heard that previously it was the companies buying the securities that paid for the ratings, so there was an incentive to be accurate instead of to look good.
and the upshot is that the Fed is losing control of the money supply, and that is very, very bad because controlling the money supply is the main way we have avoided having economic downturns spiral out of control ever since the Great Depression.
Depending on who you ask, we just delayed the downturns instead of really avoiding them, and now they're all stacked up and falling over on us.
Number 6, about fields of endeavor, covers restrictions on distribution with fur coats.
It looks like a weaker rule, "must not restrict [completely prevent] anyone from" vs "must not place restrictions [even small ones] on".
The OSD is related to what people had tried to do with licenses at the time. For example, there was Aladdin Ghostscript, which prohibited its distribution on the same medium with software that wasn't freely distributable. And there was the Berkeley Spice License, for their electrical engineering software, which prohibited the use of the software by the Police of South Africa, and still did a decade after apartheid was over.
It just seems odd to me that it looks more like "don't do this specific thing that someone else did", rather than "don't do anything in this class, one example being this specific thing". It's more like enumerating individual badnesses, less like figuring out what makes them bad.
9. License Must Not Restrict Other Software - The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.
Would you happen to know why this point was worded to be specific to other software, instead of applying to anything that might accompany the licensed software? I can say "this software may not be distributed with fur coats", and as far as I can see that'd be perfectly OK.
There was no "open source", capitals or not, regarding software until the Open Source Definition. If you look through past material, you can only find a few uses of the words together regarding software at all, with no consistent meaning.
There's also no term that I'm aware of for "water that is wet", simply because "water that isn't wet" hasn't really been invented yet. Maybe someone will invent the term "wet water" once we figure out how to make "dry water", and we can all credit them with the existence of wetness...
The freedom to use and modify software is simply meaningless to all but a vanishingly small percentage of humans.
How do we know this? I can see people not (directly) caring whether they can modify the software they use (heck, I usually don't care directly, because switching to something else would be easier than learning the codebase to fix it), but how in the world could they not care whether they can, um, use it? It's not like people buy/download software to just set it on the shelf and forget about it.
No one is going to search your computer other than to make sure it is a computer and not a bomb.
You'd think that, but there have been stories recently about that not being the case.
...encrypt it. Full disk encryption is relatively cheap, easy, and unobtrusive.
And ineffective, unless your privacy is worth more than the cost to piss them off and have to replace your laptop.
You don't know of places that enforce the use of French in Canada? Is that a joke, or do you not consider Quebec to be part of Canada?
Not what he said, I think you missed the second half of that sentence... he's not unaware of them, he's unaware of their being vilified.
Self-signed certs cannot be authenticated.
Do you know what the "fingerprint" of a cert is?
My understanding is that HTTPS requires IP-based virtual hosts
Partly. There's a TLS extension that makes it work, but it looks like it doesn't work for IE on WinXP.
How does anyone who didn't panic and sell during the temporary low spot actually lose any money?
Water that isn't wet is called really cold ice.
Hmm... looks like there are also kinds of ice that don't float. Weird.
I thought those only made it more wet?
No, "open source" means no license restrictions on what you do with the code.
FSF disagrees, see the anti-Tivo section in the new GPL.
Thanks to this decision, you can't claim that free software licences are invalid and that code out there under those licences is public domain and free to take with no consequence.
You couldn't do that before, either.
The case hasn't generated as many headlines as it should.
Someone patents someone else's work and violates their copyright, and we expect massive headlines instead of a quiet smackdown?