I'm sure Burma would be happy to fulfill bogus registrations for small sums of cash.
The most popular flag of convenience, at least recently, was Panama. They simply didn't care as long as you paid your registration fees (and usually a healthy bribe). Last time I looked into this was the Noriega era, its been awhile. There are/were substantial financial reasons to register even a dinky sailboat in a foreign country. US Customs usually provided quite a hassle to "get even" with a cutover point around $1M where above that they treated you with kid gloves, mostly.
2. What about a lazy CA that issues a certificate for an evil, look alike site? If the notaries are requested to fetch that certificate, it will be the same as the one I got. If you get diverted to an evil twin site and check its certificate, it will appear as valid.
Theoretically the current CA system gathers enough contact data to serve the fake guys with legal papers, maybe more. That is a hole in the "sorta like sharing SSH host keys" solution.
Whoa there. Please review the entire concept of a CA root cert. I suppose on a meta-level someone could MITM a torrent download of your OS install, to replace the real verisign cert with their own, but...
Anybody can create an SSL certificate for any domain given the right access and if you or your computer accepts a certain CA
If you own the secret key of a public root key for a CA that is installed on the victim's PC, then yeah. Or, if you can force your own CA into a victims machine. Otherwise, not so much.
Or install a root certificate on the user's machine.
I wouldn't worry about preventing that attack vector... if you own the machine to that level, its easier to just install a keylogger, grab screenshots, trojan the webbrowser itself, rather than trying to MITM the machine. Unless its some kind of govt surveillance thing. Hmm.
Multiple certificates do not work today. You don't know which one you can present to the client. You need to extend the protocol to allow multiple signatures on the same certificate or allow the client to request a specific certificate. I don't like the latter option; the client should get to see all the certificates so it can notice if a major web site suddenly has only one signature.
Yeah, I know. But it seems a protocol extension is simpler than changing an entire industry.
It would make the firefox devs absolutely scream, but I'd like to see each cert from an ACCEPTED ssl ca have a little icon pop up in the "add-on bar". I would really like to see about 10 of those little icons when I'm trading stocks or online bank bill paying. amazon.com I'd like to see a couple. corporate selfsigned webmail, just a little corporate logo would be sufficient. Remote https access to my password protected personal home mythtv recordings collection, eh, my selfsigned smiley face will do. Access to/. via https, a little selfsigned cert with a goatse icon.. Hmm.
In case of meltdown, just head it out to the middle of nowhere. Or am I missing something?
The other part you're missing is there is usually no shortage of coolant water, thus preventing the meltdown. Unless they do something idiotic with a sandbar, of course. Its pretty hard to melt something down if its below sea level. Despite the cost, I'm thinking future coastal japan reactors are probably going to be built below sea level.
The ironic thing is that they could have possibly anchored this off the coast of Japan and prevented the meltdown.
Naah the real irony was the general business model for floating plants was, we'll build a 3rd world country a plant and let them have the electricity... until they stop paying... at which point it gets towed away. This time its the builders who got towed not the 3rd world country.
The other funny part is creditors are known for doing stupid things when they seize "their" property. Imagine a repo guy hauling core assemblies thru town on the back of a stereotypical repo lift truck. I'm glad the courts seized it instead of the repo clowns.
If there is one thing we should all know is that trust cannot be inherited more than one step - your friend's friend's friend is as likely to be working for Cosa Nostra or RIAA (but, I repeat myself) as being trustworthy. Or he's a complete moron who clicks OK to everything he's presented with.
So in google+ language, you're saying use "Your Circles" instead of "Extended Circles". I'm not seeing that as being a technological blocker.
Fair enough. I like your idea. Bootstrapping is a problem.
How about this for the bootstrapping problem: A charity like the EFF could host a verifier that would connect and verify the SSH key or equiv. A simple firefox addon could alert you if a brand new website you've never visited before reports a SSH key different than the one the EFF verifier reports.
Why would the EFF bother hosting an "introducer" service like this? Simple, the new company that wants new users to visit them, would donate a modest sum to the EFF... I generally speaking trust the EFF so I would trust their ssh keylist. Would I poll the EFF keylist? Yeah. Would I poll the godaddy keylist? Uhhhhh.. not.
To some extent this is just reimplementing the ongoing trust model problems of SSL CAs into a new introducer service.
Perhaps social networks could pull their own weight for once, and you could pool a ssh keylist from all your "friends" or G+ circle members or whatever.
The DNSSEC layer only verifies no one has altered the port 53 packets. So the name to address mapping is certainly whatever the admin configured. No MITM redirection attacks. At least, none between the DNS auth server and DNS resolver server... What happens on your WIFI between your client and its resolver is its own problem.
SSL layer encrypts the whole data stream. No MITM attacks, at least not easily (need to crack an entire CA, or at least steal the secret key). As an interesting side effect, if the name of the SSL cert doesn't match the name of the domain, web browsers etc are supposed to go bonkers.
Both are actually a little more complicated than that.
I do not agree with you. DNSSEC does not make any claims about who owns/hosts a domain, it only proves that you get the information as intended by the owner of the domain. If you ask for kokakola.com, you'll get kokakola.com. SSL on the other hand is supposed to be verified.
Security depending on the weakest link of the chain, running SSL over DNSSEC means you'll only be as strong as the monopoly DNSSEC signer... You'll be much worse off than SSL. At least there is a small confuseopoly of psuedo-competitive SSL CAs, they'll just be a monopoly signer for DNSSEC.
The original post claiming you'll secure the SSL certs using DNSSEC, but using DNSSEC would lower the level of security not increase it, so...
SSL certification is just plain broken; in another decade it will have collapsed in a heap.
Agreed. Does anyone have a solution? I'm thinking VPN provider service... connect enduser device to "the mall" and as long as you trust your VPN connection to the mall, and the VPN connection from the mall to "vendor" (amazon, whatever), and you trust the mall itself, that should pretty much eliminate MITM attacks...
The puzzle is, how to convince everyone to switch at the same time, and how to convince anyone to trust "the mall"? Probably, there should be several "malls"
That would seem to be the death of anonymous access, but the whole point was to give a vendor my non-anonymous valuable financial data anyway, so...
Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?
That DNSSEC is even worse of a single point of failure than SSL. Same type/class of problem, just worse.
If you thought the SSL providers were shady, you'll think them heroic princes of justice once you start dealing with DNS registrars.
The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.
Simple, almost trivial work around: Multiple SSL certs for a given host, not just the one true cert per ip addrs/host.
A bank or online stock trader is probably gonna have to cough up for ALL the majors. My current employer will probably continue to selfsign, at least for corporate webmail. Everyone else, somewhere in between.
I could see a requirement for PCI compliance you must get certs from at least 3 of this list of 40 providers, etc.
Before I deleted my FB account a year or so ago, I had:
A kid I sat next to in study hall in my sophomore year of high school in the 90s.
A kid who ate at "my" lunch table in 8th grade in the 80s.
A girl from college who supposedly lived in my dorm in the 90s, although I don't remember her at all.
A salesguy from a satellite office who I met once at HQ back in 2002, but I couldn't not friend him without offending a real local friend
A recruiter who never got me a job, but I didn't want to offend her by defriending because someday, in the distant future, she might actually get me a job. Well, probably not, but its kind of like playing the lotto for free.
And finally I believe I had my wife's lifelong dentist friended. Don't remember for sure about that one.
I'm the kind of person that makes purchasing decisions based on the actual products or services and my perception of them, along with my decision of whether to trust them.
Your mistake is missing that you only make decisions on the products you know about, or where you can burn thru the confuseopoly to get real info.
Thru aggressive narrowcasting, its possible to avoid entire swaths of not just pop culture, but even science and technology. Ye olden glory days of everyone watching the same TV broadcast and reading the same best seller are long gone.
Anybody can get a low erdos number. I have a semi-distant acquaintance with a "3" so it would not be terribly difficult for me to score a "4". Perhaps I could help her prove something on a compute cluster, to get credit on one of her papers.
The real challenge is getting a high number. You must publish or perish. To publish you'll probably have to collaborate, what comes around goes around and if you want to be listed on 10 papers that you didn't do much on them, you've gotta accept ten freeloaders on your paper... Practically everyone in academia is somewhere from an erdos of "2" to I'm guessing at most maybe a "5".
I could postulate a theorem that it is impossible to be listed as author in more than a dozen published papers and have an erdos above 6. I think it would be pretty difficult if not absolutely impossible. Of course maybe in 1000 years erdos numbers like 50 will be commonplace...
My question though, is why can't facebook just run a simple algorithm to test the max degrees of separation between any two people?
I think it would be both interesting and hilarious for FB or G+ or any of those social networking sites to offer a "penpal" service where you get to meet the dude on the social opposite/antipode of the planet from you (who none the less has a common language with you). Kind of like a grown up version of writing to pen pals when you were a schoolchild.
My "social antipode" would probably be a bilingual Pakistani Imam, or maybe a neolithic-era African tribesman (essentially, I'm thinking of their continent's version of our Amish) with a smartphone, or someone really far out like a Floridian Tea Party member. I think it would be weirdly interesting to talk with people like that, rather than the "yes man echo chamber" that is most social networking sites.
I like TED speeches, but they are just murmuring popular memes using great sophistry skills at each other. Don't confused TED talks with actual new ideas. I suppose it is possible to be ignorant enough to learn something from a TED talk, but... probably unlikely.
Real new ideas are not a rehash of "lets try world peace", "lets all feel catholic style guilt at destroying the earth", "computers make pretty pictures".
Real new ideas, historically, were the result of things like "what happens if I shine a UV light at a piece of metal in a vacuum, for no better reason than no one tried this before?" "what happens if I store a tank of double bonded fluorocarbons in a sorta catalytic environment for a long time, just because we can?" "what if we tried to simulate the orbit of an electron using discrete energy levels, just for the heck of it?"
Not, "here's a popular fuzzy idea that no one politically correct or socially acceptable could possibly dislike, now let me sharpen my sophistry skills upon it for less than 18 minutes"
Re:There are several factors at play here
on
The Post-Idea World
·
· Score: 3, Insightful
Of course in the past everyone was more 'rational' (ignoring the bigger participation in and seriousness of religion then)
You're looking at the rewriting of history and thinking the rewrite is true. "The victorians" were much less constrained by religion than we currently are today. All of that "founded by christians" and "in god we trust" is a post WWII addition to the history books, mostly on a anti-commie trip.
Your basic argument remains correct, that was just a bad example.
One important point you missed is its too expensive to F around. For example, a large part of quantum mechanics was brought about by shining a UV light on a piece of metal and being surprised at the highly unexpected characteristics of the emitted electrons. Back then, a guy could F around in the lab and pretty much do what he wants without a PERT chart. Most time spent screwing around in the lab, was, of course, wasted, but some time developed into the field of quantum mechanics. Now a days, you're not going to be allowed to do blue sky experimentation at a billion dollar national lab, therefore, no progress will be made there. Whoops. The MBA manager points at the PERT chart and says, here is where you'll invent something on schedule and as planned. Or most likely not.
While the currency IS virtual, people are still spending a LOT of time playing in order to earn this kind of money.
That said, kudos to the people pulling it off. It fits well within the game.
Isn't that kind of like declaring a loss of $X billion dollars when they cancelled Eureka because each fan burned at least an hour a week at an average hourly pay rate of...
it's surprising and novel that you can power a living organism that way.
Its also kinda a problem. "everyone knows" diesel needs a biocide or it gets eaten by bacteria and its a serious problem. Its not an issue, as far as I know, for any other gas or liquid fuel. (Dilute ethanol can ferment into acetic acid aka vinegar, but dilute ethanol isn't much of a fuel to begin with) But now it seems "stuff" could grow inside a H2 pipeline, which is interesting. Probably this will be yet another good reason for humidity control inside pipelines, yet another good reason for H2 filtration so as not to clog nozzles, etc.
Linux users might be in trouble for sure and this is a great way to kill Linux at the desktop at work
Note that until the end of time, iceweasel will be at 3.5.16 in Debian Squeeze release (currently Squeeze is aliased to stable; some day "soon" wheezy will be released and that is currently 5.0 and then may remain forever after at 5.0)
I don't know if windows is capable of this kind of rollout, where you prevent upgrading and whatever you put in the repo just works. But for "linux on the desktop" this is pretty trivial.
I'm sure Burma would be happy to fulfill bogus registrations for small sums of cash.
The most popular flag of convenience, at least recently, was Panama. They simply didn't care as long as you paid your registration fees (and usually a healthy bribe). Last time I looked into this was the Noriega era, its been awhile. There are/were substantial financial reasons to register even a dinky sailboat in a foreign country. US Customs usually provided quite a hassle to "get even" with a cutover point around $1M where above that they treated you with kid gloves, mostly.
2. What about a lazy CA that issues a certificate for an evil, look alike site? If the notaries are requested to fetch that certificate, it will be the same as the one I got. If you get diverted to an evil twin site and check its certificate, it will appear as valid.
Theoretically the current CA system gathers enough contact data to serve the fake guys with legal papers, maybe more. That is a hole in the "sorta like sharing SSH host keys" solution.
Does SSL? No? Well then.
Whoa there. Please review the entire concept of a CA root cert. I suppose on a meta-level someone could MITM a torrent download of your OS install, to replace the real verisign cert with their own, but...
Anybody can create an SSL certificate for any domain given the right access and if you or your computer accepts a certain CA
If you own the secret key of a public root key for a CA that is installed on the victim's PC, then yeah. Or, if you can force your own CA into a victims machine. Otherwise, not so much.
Or install a root certificate on the user's machine.
I wouldn't worry about preventing that attack vector... if you own the machine to that level, its easier to just install a keylogger, grab screenshots, trojan the webbrowser itself, rather than trying to MITM the machine. Unless its some kind of govt surveillance thing. Hmm.
Multiple certificates do not work today. You don't know which one you can present to the client. You need to extend the protocol to allow multiple signatures on the same certificate or allow the client to request a specific certificate. I don't like the latter option; the client should get to see all the certificates so it can notice if a major web site suddenly has only one signature.
Yeah, I know. But it seems a protocol extension is simpler than changing an entire industry.
It would make the firefox devs absolutely scream, but I'd like to see each cert from an ACCEPTED ssl ca have a little icon pop up in the "add-on bar". I would really like to see about 10 of those little icons when I'm trading stocks or online bank bill paying. amazon.com I'd like to see a couple. corporate selfsigned webmail, just a little corporate logo would be sufficient. Remote https access to my password protected personal home mythtv recordings collection, eh, my selfsigned smiley face will do. Access to /. via https, a little selfsigned cert with a goatse icon.. Hmm.
In case of meltdown, just head it out to the middle of nowhere. Or am I missing something?
The other part you're missing is there is usually no shortage of coolant water, thus preventing the meltdown. Unless they do something idiotic with a sandbar, of course. Its pretty hard to melt something down if its below sea level. Despite the cost, I'm thinking future coastal japan reactors are probably going to be built below sea level.
The ironic thing is that they could have possibly anchored this off the coast of Japan and prevented the meltdown.
Naah the real irony was the general business model for floating plants was, we'll build a 3rd world country a plant and let them have the electricity... until they stop paying... at which point it gets towed away. This time its the builders who got towed not the 3rd world country.
The other funny part is creditors are known for doing stupid things when they seize "their" property. Imagine a repo guy hauling core assemblies thru town on the back of a stereotypical repo lift truck. I'm glad the courts seized it instead of the repo clowns.
If there is one thing we should all know is that trust cannot be inherited more than one step - your friend's friend's friend is as likely to be working for Cosa Nostra or RIAA (but, I repeat myself) as being trustworthy. Or he's a complete moron who clicks OK to everything he's presented with.
So in google+ language, you're saying use "Your Circles" instead of "Extended Circles". I'm not seeing that as being a technological blocker.
Fair enough. I like your idea. Bootstrapping is a problem.
How about this for the bootstrapping problem: A charity like the EFF could host a verifier that would connect and verify the SSH key or equiv. A simple firefox addon could alert you if a brand new website you've never visited before reports a SSH key different than the one the EFF verifier reports.
Why would the EFF bother hosting an "introducer" service like this? Simple, the new company that wants new users to visit them, would donate a modest sum to the EFF... I generally speaking trust the EFF so I would trust their ssh keylist. Would I poll the EFF keylist? Yeah. Would I poll the godaddy keylist? Uhhhhh.. not.
To some extent this is just reimplementing the ongoing trust model problems of SSL CAs into a new introducer service.
Perhaps social networks could pull their own weight for once, and you could pool a ssh keylist from all your "friends" or G+ circle members or whatever.
SSL does the same as DNSSEC
SSL does a lot more, dude, trust me.
The DNSSEC layer only verifies no one has altered the port 53 packets. So the name to address mapping is certainly whatever the admin configured. No MITM redirection attacks. At least, none between the DNS auth server and DNS resolver server... What happens on your WIFI between your client and its resolver is its own problem.
SSL layer encrypts the whole data stream. No MITM attacks, at least not easily (need to crack an entire CA, or at least steal the secret key). As an interesting side effect, if the name of the SSL cert doesn't match the name of the domain, web browsers etc are supposed to go bonkers.
Both are actually a little more complicated than that.
I do not agree with you. DNSSEC does not make any claims about who owns/hosts a domain, it only proves that you get the information as intended by the owner of the domain. If you ask for kokakola.com, you'll get kokakola.com.
SSL on the other hand is supposed to be verified.
Security depending on the weakest link of the chain, running SSL over DNSSEC means you'll only be as strong as the monopoly DNSSEC signer... You'll be much worse off than SSL. At least there is a small confuseopoly of psuedo-competitive SSL CAs, they'll just be a monopoly signer for DNSSEC.
The original post claiming you'll secure the SSL certs using DNSSEC, but using DNSSEC would lower the level of security not increase it, so...
SSL certification is just plain broken; in another decade it will have collapsed in a heap.
Agreed. Does anyone have a solution? I'm thinking VPN provider service... connect enduser device to "the mall" and as long as you trust your VPN connection to the mall, and the VPN connection from the mall to "vendor" (amazon, whatever), and you trust the mall itself, that should pretty much eliminate MITM attacks...
The puzzle is, how to convince everyone to switch at the same time, and how to convince anyone to trust "the mall"? Probably, there should be several "malls"
That would seem to be the death of anonymous access, but the whole point was to give a vendor my non-anonymous valuable financial data anyway, so ...
Do you have a solution for MITM attacks? No? Well then.
Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?
That DNSSEC is even worse of a single point of failure than SSL. Same type/class of problem, just worse.
If you thought the SSL providers were shady, you'll think them heroic princes of justice once you start dealing with DNS registrars.
The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.
Simple, almost trivial work around: Multiple SSL certs for a given host, not just the one true cert per ip addrs/host.
A bank or online stock trader is probably gonna have to cough up for ALL the majors. My current employer will probably continue to selfsign, at least for corporate webmail. Everyone else, somewhere in between.
I could see a requirement for PCI compliance you must get certs from at least 3 of this list of 40 providers, etc.
... any placement has to be done at the creative stage
Does this mean Citizen Kane and the sled manufacturer are OK or not OK?
ET and his Texas Instruments Speak and Spell are OK or not OK?
Jurassic Park and the kid who knows unix because it has a 3-d file browser are OK or not OK?
Before I deleted my FB account a year or so ago, I had:
A kid I sat next to in study hall in my sophomore year of high school in the 90s.
A kid who ate at "my" lunch table in 8th grade in the 80s.
A girl from college who supposedly lived in my dorm in the 90s, although I don't remember her at all.
A salesguy from a satellite office who I met once at HQ back in 2002, but I couldn't not friend him without offending a real local friend
A recruiter who never got me a job, but I didn't want to offend her by defriending because someday, in the distant future, she might actually get me a job. Well, probably not, but its kind of like playing the lotto for free.
And finally I believe I had my wife's lifelong dentist friended. Don't remember for sure about that one.
I'm the kind of person that makes purchasing decisions based on the actual products or services and my perception of them, along with my decision of whether to trust them.
Your mistake is missing that you only make decisions on the products you know about, or where you can burn thru the confuseopoly to get real info.
Thru aggressive narrowcasting, its possible to avoid entire swaths of not just pop culture, but even science and technology. Ye olden glory days of everyone watching the same TV broadcast and reading the same best seller are long gone.
Smallest. Shame on you for this!
Anybody can get a low erdos number. I have a semi-distant acquaintance with a "3" so it would not be terribly difficult for me to score a "4". Perhaps I could help her prove something on a compute cluster, to get credit on one of her papers.
The real challenge is getting a high number. You must publish or perish. To publish you'll probably have to collaborate, what comes around goes around and if you want to be listed on 10 papers that you didn't do much on them, you've gotta accept ten freeloaders on your paper... Practically everyone in academia is somewhere from an erdos of "2" to I'm guessing at most maybe a "5".
I could postulate a theorem that it is impossible to be listed as author in more than a dozen published papers and have an erdos above 6. I think it would be pretty difficult if not absolutely impossible. Of course maybe in 1000 years erdos numbers like 50 will be commonplace...
My question though, is why can't facebook just run a simple algorithm to test the max degrees of separation between any two people?
I think it would be both interesting and hilarious for FB or G+ or any of those social networking sites to offer a "penpal" service where you get to meet the dude on the social opposite/antipode of the planet from you (who none the less has a common language with you). Kind of like a grown up version of writing to pen pals when you were a schoolchild.
My "social antipode" would probably be a bilingual Pakistani Imam, or maybe a neolithic-era African tribesman (essentially, I'm thinking of their continent's version of our Amish) with a smartphone, or someone really far out like a Floridian Tea Party member. I think it would be weirdly interesting to talk with people like that, rather than the "yes man echo chamber" that is most social networking sites.
I like TED speeches, but they are just murmuring popular memes using great sophistry skills at each other. Don't confused TED talks with actual new ideas. I suppose it is possible to be ignorant enough to learn something from a TED talk, but ... probably unlikely.
Real new ideas are not a rehash of "lets try world peace", "lets all feel catholic style guilt at destroying the earth", "computers make pretty pictures".
Real new ideas, historically, were the result of things like "what happens if I shine a UV light at a piece of metal in a vacuum, for no better reason than no one tried this before?" "what happens if I store a tank of double bonded fluorocarbons in a sorta catalytic environment for a long time, just because we can?" "what if we tried to simulate the orbit of an electron using discrete energy levels, just for the heck of it?"
Not, "here's a popular fuzzy idea that no one politically correct or socially acceptable could possibly dislike, now let me sharpen my sophistry skills upon it for less than 18 minutes"
Of course in the past everyone was more 'rational' (ignoring the bigger participation in and seriousness of religion then)
You're looking at the rewriting of history and thinking the rewrite is true. "The victorians" were much less constrained by religion than we currently are today. All of that "founded by christians" and "in god we trust" is a post WWII addition to the history books, mostly on a anti-commie trip.
Your basic argument remains correct, that was just a bad example.
One important point you missed is its too expensive to F around. For example, a large part of quantum mechanics was brought about by shining a UV light on a piece of metal and being surprised at the highly unexpected characteristics of the emitted electrons. Back then, a guy could F around in the lab and pretty much do what he wants without a PERT chart. Most time spent screwing around in the lab, was, of course, wasted, but some time developed into the field of quantum mechanics. Now a days, you're not going to be allowed to do blue sky experimentation at a billion dollar national lab, therefore, no progress will be made there. Whoops. The MBA manager points at the PERT chart and says, here is where you'll invent something on schedule and as planned. Or most likely not.
Not quite.
While the currency IS virtual, people are still spending a LOT of time playing in order to earn this kind of money.
That said, kudos to the people pulling it off. It fits well within the game.
Isn't that kind of like declaring a loss of $X billion dollars when they cancelled Eureka because each fan burned at least an hour a week at an average hourly pay rate of ...
it's surprising and novel that you can power a living organism that way.
Its also kinda a problem. "everyone knows" diesel needs a biocide or it gets eaten by bacteria and its a serious problem. Its not an issue, as far as I know, for any other gas or liquid fuel. (Dilute ethanol can ferment into acetic acid aka vinegar, but dilute ethanol isn't much of a fuel to begin with) But now it seems "stuff" could grow inside a H2 pipeline, which is interesting. Probably this will be yet another good reason for humidity control inside pipelines, yet another good reason for H2 filtration so as not to clog nozzles, etc.
Linux users might be in trouble for sure and this is a great way to kill Linux at the desktop at work
Note that until the end of time, iceweasel will be at 3.5.16 in Debian Squeeze release (currently Squeeze is aliased to stable; some day "soon" wheezy will be released and that is currently 5.0 and then may remain forever after at 5.0)
http://packages.debian.org/squeeze/iceweasel
I don't know if windows is capable of this kind of rollout, where you prevent upgrading and whatever you put in the repo just works. But for "linux on the desktop" this is pretty trivial.