Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories
0
Comments
68,260
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 68,260

  1. Re: The requirement to own and renew a domain on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 2

    Some specialized peripherals manufactured by hobbyists for hobbyists, such as tools to read and write cartridge storage media for retro 8- and 16-bit computers, are made in volumes is so low that the cost per year of obtaining and renewing an EV code signing certificate as well as the documents that the EV code signing CA requires would make up a substantial portion of the selling price. Is there a practical way to make low-volume peripherals compatible with 64-bit Windows? Would it be advisable for the manufacturer of such a low-volume peripheral to require users of the device in production to enable test mode? Or would it be more advisable to bundle a USB flash drive containing a GNU/Linux live distribution into which users are expected to reboot?

  2. LE rate-limits afraid.org because not in PSL on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    You don't need to own a domain for Let's encrypt; controlling a subdomain is enough.

    Only if the subdomain is a subdomain of a domain in the Public Suffix List. Let's Encrypt limits how many certificates may be issued per domain per 7 days:

    The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

    Because afraid.org is not in the Public Suffix List, no more than 20 certificates for subdomains of afraid.org will be issued in one week.

  3. In addition to the user allowing that, the app developer also has to allow that.

  4. java.io.AutoCloseable on IBM Open Sources Their Own JVM/JDK As Eclipse OpenJ9 (eclipse.org) · · Score: 1

    As a language, Java has the huge advantage of automatic garbage collection.

    Except for objects that represent a resource other than memory, which the owner must close() explicitly.

    This is an issue in C, because it must be agreed on who will destroy the returned object.

    Likewise in Java for instances of classes that implement java.io.AutoCloseable.

  5. There were some pretty bad cassette games on 8-bit home computers in Europe.

  6. Nothing is stopping you from self-signing a cert and then telling your browsers to trust it

    Not even a change to how Android handles certificates?

  7. Also, why are you doing web development without HTTPS

    I am developing software that runs on a PC on a home LAN, and I've never seen anyone get HTTPS working with multicast DNS and DNS-SD.

  8. Re:The requirement to own and renew a domain on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    The only reason you'd ever have to have a cert signed by a third party CA is if you want strangers to use your services

    By "strangers" did you intend to include non-technical friends and family visiting your home?

  9. Re:Both the "problem" and the solution have been k on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    So what should a hobbyist who needs modern browser features do? Or especially a non-technical PC owner who has installed web server software on his home PC and set it up for internal access only, so that visiting friends and family can view videos stored on the home PC that the PC owner has chosen to share?

  10. Android apps distrust user-installed certs on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    As of Android 7 "Nougat", Android apps distrust Android's counterpart to /etc/ssl/certs by default. In addition, I haven't tested all major models of media player appliance that stream from a web server running on one's home NAS, but I imagine some have no user-editable counterpart to /etc/ssl/certs.

  11. Re:I just don't understand the hatred for devs... on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    you realize you can just have a cron job auto renew your certs right...

    How so? Let's Encrypt rejects hostnames in reserved domains, such as .local, .internal, and .test. It works only with actual registered domains. This means you'd need to make another cron job renew the domain, and another cron job pay the credit card bill for the domain renewal, etc. I must be missing something; what is it?

  12. Re:Curious about .local on local network... on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    .localhost is for 127.0.0.1 only. What would you use to test, say, the client side of a web application on an Android phone, iPhone, Android tablet, or iPad?

  13. What cert for .test? on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    Then how does one obtain a certificate for a domain in .test and use it on all devices on a home LAN? I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package. Chrome for Android appears to opt in, but Firefox for Android is untested. Using cleartext HTTP is not an option because more sensitive APIs are unavailable outside secure contexts.

  14. Chrome-for-iOS is Chrome in name only on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 2

    Chrome doesn't run on iOS either. Instead of Chrome, Google publishes Chrome-for-iOS. The difference between Chrome and Chrome-for-iOS is that while Chrome uses the Blink engine, Chrome-for-iOS uses the same Apple WebKit engine as Safari, as required by the App Store Review Guidelines. This means that if Apple declines to support a particular web API in Safari, it'll be unsupported in Chrome-for-iOS as well.

  15. To promote domain sales on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 1

    1) Buy a domain name for a few dollars

    And then do what after it has expired?

  16. So what should a developer who doesn't already own a counterpart to mydomain.net do for his internal test servers, such as someone whose web presence is through a github.io subdomain? Or why is it fair to impose a $15/year recurring fee on every household with a home LAN?

  17. The requirement to own and renew a domain on Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) · · Score: 3, Informative

    Web browsers require HTTPS server operators to obtain a fully-qualified domain name and a certificate from a certificate authority trusted by the browser publisher. Though Let's Encrypt makes certificates available without charge to domain owners, the domain itself still requires a recurring payment to a third party. The requirement to own a domain and keep it renewed imposes an extra $15 per year (source: Gandi.net) tax on running a server inside a home LAN.

  18. How did the first Debian Maintainer in each country travel to get his key signed? DebConf hasn't been around long enough to have held one in each country. And even for those countries in which DebConf has been held, how did the first Debian Maintainer in each state or province travel to get his key signed?

    Is there a way to verify identity that doesn't involve spending months' minimum wage to travel hundreds of kilometers?

  19. Re:User Controlled Technology vs. Company. on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    I can either install Skype, make an account and chat about that job I want, or I can tell them I don't have Skype and the reasons why I don't want to install it or make an account

    If you have used Outlook.com or Hotmail that preceded it, you have a Microsoft account. If you have set up Windows 8 or 10 and accepted the defaults, you created a Microsoft account. And if you have a Microsoft account, a web browser, and the Pidgin IM client, you can log in to Skype for Web once with your Microsoft account credentials and then build and install Skype for Pidgin.

  20. Secure Contexts on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    One reason is that in order to run a web server on a Raspberry Pi computer on your LAN, you have to buy a domain and keep it renewed. Otherwise, several JavaScript APIs will throw security exceptions because they work only in secure contexts. No domain name, no certificate. No certificate, no HTTPS. No HTTPS, no secure context. No secure context, no sensitive JavaScript APIs.

  21. Re: No mobile != resisting technology on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    Anonymous Coward wrote:

    I'm pretty sure my smartphone saves me more than an hour of time per month. That's easily worth $40 to me.

    This assumes that you would be paid $40 for working one additional hour. I can think of a few reasons why this may not be the case for others reading your comment:

    • Many employees are paid less than $40 per hour.
    • The marginal hourly rate of an employee on salary is zero.
    • The marginal hourly rate of an employee whose employer refuses to give him or her additional work to do is also zero.
  22. Re:No mobile != resisting technology on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    if you want your bank account to be equally insecure, then you can't blame the bank when your online bank account gets taken over by someone else.

    Instead, you blame your mobile carrier when intruders exploit SS7 flaws?

  23. Re:No mobile != resisting technology on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    One of the steps to link a Google Account with Google Authenticator is "turn on 2-Step Verification for your account using your phone number." This cannot be done on a laptop or tablet computer without a subscription to phone service.

  24. Re:No mobile != resisting technology on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    I don't have a phone or laptop that I carry with me everywhere

    With the removal of payphones, how do you contact someone in an urgent situation?

    I'm also unlikely to carry around a piece of paper

    How do you pay for things without carrying currency?

  25. Google Authenticator requires a phone number on Can An Individual Still Resist The Spread of Technology? (chicagotribune.com) · · Score: 1

    And/or you can install an app on a phone/tablet that will generate that different code every minute (without the need of internet access)

    You still need to receive SMS in order to add your Google Account's key to a TOTP app because Google considers SMS to be the primary second factor and TOTP apps as a backup to SMS. From the article "Google Account Help: Install Google Authenticator":

    To set this up, first you need to complete SMS/Voice setup.
    [...]
    Setting up the app
    1. If you haven’t already, turn on 2-Step Verification for your account using your phone number.
    2. On your computer, go to the 2-Step Verification settings page.
    3. Scroll to "Alternative second step."

    Twitter also appears to require SMS in order to set up TOTP.