Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories: 0 · Comments: 68,260

Comments · 68,260

  1. Domain-validated vs. Extended Validation on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 3, Insightful

    It's why a CA can charge hundreds of dollars to perform 50ms of compute effort.

    The "50 ms of compute effort" certificates are domain-validated, with just CRL and OCSP as ancillary services. Those typically cost $15 for three years (ssls.com) or nothing for 90 days (letsencrypt.org). The certificates that cost hundreds of dollars are Extended Validation, which ensure not only a connection between the certificate and the domain owner but also that a vandal isn't typosquatting the domain itself. These often come with greater insurance guarantees.

  2. Re:The bigger problem on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 2, Interesting

    The percentage covers only the subset of users who have opted into Firefox telemetry. If you want to make your votes not count, that choice is yours. Just don't whine when Mozilla cuts your pet feature for lack of usage share justifying the maintenance cost.

  3. Re:If the signature itself is tampered with on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 1

    Even if the main download is done using HTTP, the SHA-256 value can be requested over HTTPS.

    But the operator of the site hosting the SHA-256 values will still need to obtain a certificate. Is it more a matter of setting up Certbot to provision one certificate for the hash site rather than a separate certificate for each mirror site?

  4. How to use a private CA with BYOD? on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 4, Insightful

    How is "make and install your own certificates" practical when users bring their own devices, such as public library patrons bringing their laptops or phones to a branch or friends or relatives bringing their laptops or phones to someone's home?

  5. The LAN FQDN problem in a previous AMA on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 2

    I mentioned the same planned obsolescence concern in my question to Jacob at Let's Encrypt in an AMA on reddit a year ago.

  6. Who has 192.168.123.45 in your coffee shop? on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 2

    http (IP on private network) = secure

    How so? When your laptop or phone is on restaurant or public library Wi-Fi, you don't know who has 192.168.123.45. This is why the definition of a "potentially trustworthy origin" in the W3C candidate recommendation "Secure Contexts" includes localhost but not RFC 1918 private IP addresses.

  7. Let's Encrypt is gratis on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 2, Informative

    The only "certification company" to which you'd need to "pony up cash" is the domain registrar, which you need anyway for a public website. Once you have a domain, you can automate provisioning of certificates issued without charge by Let's Encrypt using an ACME client such as Certbot.

  8. If the signature itself is tampered with on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 5, Insightful

    Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature.

    How can you be sure that the SHA-256 value against which you are verifying the disk image hasn't itself been tampered with on its way to your device?

    Encrypting the entire download is a waste of resources for both the server and client.

    No it isn't. If you fail to encrypt, your ISP, your ISP's ISP, and any snooping government can tell conclusively what you have downloaded. If you do encrypt, the eavesdropper can see only what domain you're accessing and the sizes of what you download. You can obfuscate even the sizes by using range requests to pull the 4 GB disk image a 4 MB chunk at a time.

    Plus, hosting providers often charge extra fees for https

    Then take your business elsewhere. Switch from a hosting provider that charges extra for HTTPS to a competing hosting provider that does not charge extra for HTTPS.

  9. Servers on your LAN are probably Not Secure on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 5, Informative

    HTTPS requires a certificate, and a certificate requires a fully qualified domain name. The CA/Browser Forum's Baseline Requirements forbid issuing certificates for RFC 1918 private networks (such as 10/8 and 192.168/16) or the mDNS reserved domain (.local). This means everything on the average user's local area network will end up marked "Not Secure", such as the administration interface of the user's router, printer, or network attached storage (NAS) device.

    The document "Deprecating Non-Secure HTTP" states that Mozilla is aware of this problem but fails to offer a solution:

    Q. What about my home router? Or my printer?

    The challenge here is not that these machines can’t do HTTPS, it’s that they’re not provisioned with a certificate. A lot of times, this is because the device doesn’t have a globally unique name, so it can’t be issued a certificate in the same way that a web site can. There is a legitimate need for better technology in this space, and we’re talking to some device vendors about how to improve the situation.

    It should also be noted, though, that the gradual nature of our plan means that we have some time to work on this. As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem.

  10. Macs are toys after all.

    Yeah, an 18-core, Xeon-based "toy".

    That only shows that one Mac model (the iMac Pro) is not a toy. I get the impression that apart from the iMac Pro, every other model uses underpowered hardware whose most significant advantage over a PC running Windows is that Apple's own music production and iOS app development tools are exclusive to it.

  11. Too bad they use Creo and Solidworks

    Presumably in Windows in Parallels in macOS. A Mac can run macOS, Windows, and X11/Linux at the same time.

  12. Re:Mac App Store won't be helped by this on Apple Plans Combined iPhone, iPad and Mac Apps To Create One User Experience (bloomberg.com) · · Score: 1

    If you want to run applications whose publishers have a good reason to charge a fee for major upgrades greater than zero but less than the price for new users, then sell your iPhone or iPad and purchase a device based on a different platform that allows publishers to charge a fee for major upgrades greater than zero but less than the price for new users.

  13. Re:Wow. I never thought I'd see that day on Apple Plans Combined iPhone, iPad and Mac Apps To Create One User Experience (bloomberg.com) · · Score: 1

    You can't just send a 5K background image that weighs 10MB and then hide it in CSS for mobile, which I've seen so many times it's not even funny.

    Compressing a 10 MB image to 5 kB? What codec is that?

  14. Re:We all knew this was coming on Apple Plans Combined iPhone, iPad and Mac Apps To Create One User Experience (bloomberg.com) · · Score: 1

    Back when they switched, AMD was competitive and keeping Intel pricing low.

    Hasn't AMD's competitiveness been Ryzen lately?

  15. Re:We all knew this was coming on Apple Plans Combined iPhone, iPad and Mac Apps To Create One User Experience (bloomberg.com) · · Score: 1

    All points to an eventual merged platform.

    I'll believe the platforms have "merged" once I can run Xcode on iPad Pro.

  16. On an iPhone sized touch screen device you need a very simple UI. On macOS you can have a much more full featured one.

    But couldn't the iPad and MacBook UIs be quite a bit more similar? Physically, the iPad's display is sized closer to that of a MacBook than that of an iPhone, but its API and ABI are the same as that of the iPhone.

  17. Linux on T101HA on Ask Slashdot: Are There Any Alternatives To Android Or iOS? · · Score: 1

    A quality laptop using any OS you like.

    That'd be fine if companies still made 10.1" laptops designed to run desktop operating systems.

    I have an Asus Transformer T100 that I bought well after December 2012.

    As of the latest update to the Debian project's compatibility page for the T100TA, suspend and Bluetooth are "Error (Couldn't get it working)", screen backlight is "Unsupported(No Driver)", and WLAN and audio are "Only works with a non-free driver and or firmware".

    Or does "any OS you like" mean "any OS you like so long as it is Windows" in the same way that the Ford Model T came in "any color that he wants so long as it is black"? Does "systems" refer to both Windows 8.1 and Windows 10?

    Here's one you can buy for $300. [ASUS Transformer Book T101HA-C4-GR]

    Is Linux more compatible with the T101HA than with the T100TA? In this forum post, a user complains about "missing sound."

  18. Chipset drivers on Ask Slashdot: Are There Any Alternatives To Android Or iOS? · · Score: 1

    the same binary works for everybody's PC.

    Not necessarily. Different GPUs, sound cards, NICs, etc. need different drivers. In order to work on everybody's PC, an operating system has to bundle drivers for every chipset ever produced.

  19. Not my fault but still my problem on Microsoft Removes Google's Chrome Installer From the Windows Store (theverge.com) · · Score: 1

    I agree with everything you wrote. But because neither end users nor web developers are in a position to fix it, they must work around it.

    End users: End users can switch rendering engines by selling their iOS or Windows 10 S device and using the money to purchase a device capable of running a different rendering engine: either a desktop or laptop PC or an Android device.

    Web developers: When only one web browser engine is allowed to run on a particular platform, and this engine has defects, I guess whether a web developer would find it worthwhile to attempt to work around these defects depends on the platform's usage share among the website's target demographic. As of fourth quarter 2017, iOS is probably worthwhile, while Windows 10 S isn't.

  20. An end user should stop visiting the site that doesn't work, notify its operator, and start visiting the competing site that does work.

  21. Re:Buy the tech not into the brand on Ask Slashdot: Are There Any Alternatives To Android Or iOS? · · Score: 1

    4. Occasional internet browsing
    A quality laptop using any OS you like.

    That'd be fine if companies still made 10.1" laptops designed to run desktop operating systems. That size ended production in December 2012, and bulkier laptops need a bigger, more visible bag.

  22. Re:Custom Android ROM on Ask Slashdot: Are There Any Alternatives To Android Or iOS? · · Score: 1

    now you have to diff it against a signed official source tree and review every line, while paying special attention to undefined behavior and "innocent" looking typos (think: underhanded C contest entries by the people I warned about in the first paragraph).

    Do you likewise do that for a PC operating system?

  23. It's a web developer's responsibility to make "the data being provided by the server" conform to the behavior of "the html renderer and javascript engine". If your web application triggers a bug or missing feature of Apple WebKit, for example, then it won't display correctly on iPhone, iPod touch, or iPad.

  24. Diagnosing failures is for web developers. I'm pretty sure Windows 10 S is intended for K-8 (primary school, kindergarten through eighth grade), not for serious developers. If it were, Microsoft would have seen to it that some substantial subset of Visual Studio be available on the Windows Store at the launch of Windows 10 S.

  25. Re:only real DUMB people use linux for linux's sak on Plexamp, Plex's Spin on the Classic Winamp Player, Is the First Project From New Incubator Plex Labs (techcrunch.com) · · Score: 1

    are you saying it is possible that there may be no risk with being tracked by ad networks ?

    You correctly understand phozz bare's claim. I was seeking a refutation thereof.