HTTPS requires a certificate, and a certificate requires a fully qualified domain name. The CA/Browser Forum's Baseline Requirements forbid issuing certificates in RFC 1918 private networks (such as 10/8 and 192.168/16) or the mDNS reserved domain (.local). This means everything on the average user's local area network will end up marked "Not Secure", such as the administration interface of the user's router, printer, or network attached storage (NAS) device.
The document "Deprecating Non-Secure HTTP" states that Mozilla is aware of this problem but fails to offer a solution:
Q. What about my home router? Or my printer?
The challenge here is not that these machines can’t do HTTPS, it’s that they’re not provisioned with a certificate. A lot of times, this is because the device doesn’t have a globally unique name, so it can’t be issued a certificate in the same way that a web site can. There is a legitimate need for better technology in this space, and we’re talking to some device vendors about how to improve the situation.
It should also be noted, though, that the gradual nature of our plan means that we have some time to work on this. As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem.
It's why a CA can charge hundreds of dollars to perform 50ms of compute effort.
The "50 ms of compute effort" certificates are domain-validated, with just CRL and OCSP as ancillary services. Those typically cost $15 for three years (ssls.com) or nothing for 90 days (letsencrypt.org). The certificates that cost hundreds of dollars are Extended Validation, which ensure not only a connection between the certificate and the domain owner but also that a vandal isn't typosquatting the domain itself. These often come with greater insurance guarantees.
The percentage covers only the subset of users who have opted into Firefox telemetry. If you want to make your votes not count, that choice is yours. Just don't whine when Mozilla cuts your pet feature for lack of usage share justifying the maintenance cost.
Even if the main download is done using HTTP, the SHA-256 value can be requested over HTTPS.
But the operator of the site hosting the SHA-256 values will still need to obtain a certificate. Is it more a matter of setting up Certbot to provision one certificate for the hash site rather than a separate certificate for each mirror site?
How is "make and install your own certificates" practical when users bring their own devices, such as public library patrons bringing their laptops or phones to a branch or friends or relatives bringing their laptops or phones to someone's home?
I mentioned the same planned obsolescence concern in my question to Jacob at Let's Encrypt in an AMA on reddit a year ago.
http (IP on private network) = secure
How so? When your laptop or phone is on restaurant or public library Wi-Fi, you don't know who has 192.168.123.45. This is why the definition of a "potentially trustworthy origin" in the W3C candidate recommendation "Secure Contexts" includes localhost but not RFC 1918 private IP addresses.
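The origin rule cited in the reply above, as an added example that is not part of the original comment: a simplified Python model of the "potentially trustworthy origin" check, showing why plaintext HTTP to an RFC 1918 address is not treated like localhost. Assumptions: only the scheme, loopback and localhost rules are modelled (a browser's full algorithm has more cases), and the function name and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}  # transports authenticated by a certificate


def classify_origin(url):
    """Return (potentially_trustworthy, reason) for a URL's origin.

    Simplified model (assumption): scheme, loopback and localhost rules only.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if parts.scheme in SECURE_SCHEMES:
        return True, "authenticated transport"
    if host == "localhost" or host.endswith(".localhost"):
        return True, "localhost name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a plain name such as printer.local over HTTP.
        return False, "plaintext to a named host"
    if addr.is_loopback:
        # 127.0.0.0/8 and ::1 never leave the machine, so no peer can spoof them.
        return True, "loopback address"
    if addr.is_private:
        # RFC 1918 space is reused on every LAN; on shared Wi-Fi any device
        # may be answering at this address.
        return False, "private address on a shared network"
    return False, "plaintext to a public address"


# Constructed sample URLs; 192.168.123.45 is the address used in the comment.
SAMPLES = [
    "https://example.com/",
    "http://localhost:8080/",
    "http://127.0.0.1:3000/",
    "http://[::1]/",
    "http://192.168.123.45/admin",
    "http://10.0.0.1/",
    "http://printer.local/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = classify_origin(url)
        print(f"{'trustworthy' if ok else 'NOT trustworthy':16} {url}  ({reason})")
```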
The only "certification company" to which you'd need to "pony up cash" is the domain registrar, which you need anyway for a public website. Once you have a domain, you can automate provisioning of certificates issued without charge by Let's Encrypt using an ACME client such as Certbot.
Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature.
How can you be sure that the SHA-256 value against which you are verifying the disk image hasn't itself been tampered with on its way to your device?
Encrypting the entire download is a waste of resources for both the server and client.
No it isn't. If you fail to encrypt, your ISP, your ISP's ISP, and any snooping government can tell conclusively what you have downloaded. If you do encrypt, the eavesdropper can see only what domain you're accessing and the sizes of what you download. You can obfuscate even the sizes by using range requests to pull the 4 GB disk image a 4 MB chunk at a time.
Plus, hosting providers often charge extra fees for https
Then take your business elsewhere. Switch from a hosting provider that charges extra for HTTPS to a competing hosting provider that does not charge extra for HTTPS.
Macs are toys after all.
Yeah, an 18-core, Xeon-based "toy".
That only shows that one Mac model (the iMac Pro) is not a toy. I get the impression that apart from the iMac Pro, every other model uses underpowered hardware whose most significant advantage over a PC running Windows is that Apple's own music production and iOS app development tools are exclusive to it.
Too bad they use Creo and Solidworks
Presumably in Windows in Parallels in macOS. A Mac can run macOS, Windows, and X11/Linux at the same time.
If you want to run applications whose publishers have a good reason to charge a fee for major upgrades greater than zero but less than the price for new users, then sell your iPhone or iPad and purchase a device based on a different platform that allows publishers to charge a fee for major upgrades greater than zero but less than the price for new users.
You can't just send a 5K background image that weighs 10MB and then hide it in CSS for mobile, which I've seen so many times it's not even funny.
Compressing a 10 MB image to 5 kB? What codec is that?
Back when they switched, AMD was competitive and keeping Intel pricing low.
Hasn't AMD's competitiveness been Ryzen lately?
All points to an eventual merged platform.
I'll believe the platforms have "merged" once I can run Xcode on iPad Pro.
On an iPhone sized touch screen device you need a very simple UI. On macOS you can have a much more full featured one.
But couldn't the iPad and MacBook UIs be quite a bit more similar? Physically, the iPad's display is sized closer to that of a MacBook than that of an iPhone, but its API and ABI are the same as that of the iPhone.
A quality laptop using any OS you like.
That'd be fine if companies still made 10.1" laptops designed to run desktop operating systems.
I have an Asus Transformer T100 that I bought well after December 2012.
As of the latest update to the Debian project's compatibility page for the T100TA, suspend and Bluetooth are "Error (Couldn't get it working)", screen backlight is "Unsupported(No Driver)", and WLAN and audio are "Only works with a non-free driver and or firmware".
Or does "any OS you like" mean "any OS you like so long as it is Windows" in the same way that the Ford Model T came in "any color that he wants so long as it is black"? Does "systems" refer to both Windows 8.1 and Windows 10?
Here's one you can buy for $300. [ASUS Transformer Book T101HA-C4-GR]
Is Linux more compatible with the T101HA than with the T100TA? In this forum post, a user complains about "missing sound."
the same binary works for everybody's PC.
Not necessarily. Different GPUs, sound cards, NICs, etc. need different drivers. In order to work on everybody's PC, an operating system has to bundle drivers for every chipset ever produced.
I agree with everything you wrote. But because neither end users nor web developers are in a position to fix it, they must work around it.
End users
End users can switch rendering engines by selling their iOS or Windows 10 S device and using the money to purchase a device capable of running a different rendering engine: either a desktop or laptop PC or an Android device.
Web developers
When only one web browser engine is allowed to run on a particular platform, and this engine has defects, I guess whether a web developer would find it worthwhile to attempt to work around these defects depends on the platform's usage share among the website's target demographic. As of fourth quarter 2017, iOS is probably worthwhile, while Windows 10 S isn't.
An end user should stop visiting the site that doesn't work, notify its operator, and start visiting the competing site that does work.
4. Occasional internet browsing
A quality laptop using any OS you like.
That'd be fine if companies still made 10.1" laptops designed to run desktop operating systems. That size ended production in December 2012, and bulkier laptops need a bigger, more visible bag.
now you have to diff it against a signed official source tree and review every line, while paying special attention to undefined behavior and "innocent" looking typos (think: underhanded C contest entries by the people I warned about in the first paragraph).
Do you likewise do that for a PC operating system?
It's a web developer's responsibility to make "the data being provided by the server" conform to the behavior of "the html renderer and javascript engine". If your web application triggers a bug or missing feature of Apple WebKit, for example, then it won't display correctly on iPhone, iPod touch, or iPad.
Diagnosing failures is for web developers. I'm pretty sure Windows 10 S is intended for K-8 (primary school, kindergarten through eighth grade), not for serious developers. If it were, Microsoft would have seen to it that some substantial subset of Visual Studio be available on the Windows Store at the launch of Windows 10 S.
Are you saying it is possible that there may be no risk with being tracked by ad networks?
You correctly understand phozz bare's claim. I was seeking a refutation thereof.