You enable javascript for paypal.com and then anytime you visit paypall.com, your browser sits there not running any javascript.
Then phishers are going to make their sites compatible with NoScript, such as by computing the final DOM, serializing it to HTML, and sending that to the mark instead of the script that generates the DOM.
What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs
WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.
The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OSCP stapling"
An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.
Sovereign Keys
From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".
A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.
Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.
With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.
An unencypted connection is fast, cacheable, and secure enough when you're just transfering photos and cat videos.
As far as I know, my browser does cache content served over https exactly the same as served over http.
But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)
[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help
Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.
Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.
It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".
The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:
The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.
Informational websites with no credentials do NOT need TLS, typically
Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?
Literally never seen another stuck signal, and that was a temporary kit pulled from the trailer of a work vehicles. What makes you think this is a big problem?
Having seen several stuck signals in my home town. But then I guess a lot more signals are stuck for bikes than for cars.
They don't need me to tell them it's a bad intersection
They do if the city uses citizen reports as a metric to prioritize allocating budget for improvements to its intersections.
Another thing... are you suggesting that my lack of reporting this makes my analysis of the issue less valid?
No. But in my opinion, one analyzes an issue in order to find a solution.
Or are you simply trying to gently redirect the conversation
Yes. The conversation went in one direction, namely clarification of the problem with this particular approach. Once I realized the problem was an underprovisioned LTYOG, that direction concluded, and I redirected it toward what can be done about the problem.
from pointing out that your counterpoint isn't very good to a conversation about my poor citizenship?
I'm trying to be helpful, suggesting measures that have a chance of getting a problem solved.
How is a motorist stopped at such an unresponsive signal expected to recover the use of his or her vehicle?
Technically, you don't.
So in other words, all motorists using British roads are subject to having their vehicles seized at any time for any reason through deployment of a red traffic signal. Or what am I missing?
We turned around
That would work in theory except for a one-way street or an intersection with a no U-turn sign.
rang the police
Using what? Are all motorists using British roads required to keep a valid subscription to mobile phone service?
In addition, I tried ringing city services in my own (U.S.) city when facing a red light that would not respond to my bicycle stopped making a chord of the induction loop's sensor, and representatives blew off the report repeatedly. Or is government attitude toward reports of stuck traffic signals a difference between Britain and the U.S.?
Or unless the intersection is so large that a cyclist can enter on green and the signal can go from green to yellow to red before the cyclist has cleared it.
[In Britain,] If you cross the line on red, you've broke the law, whether it was red for 0.1 seconds or 10 years (note: you can't even cross it if an emergency vehicle appears behind and you need to cross it to let them pass... it's AGAINST THE LAW to cross the line once the light is red).
How is a motorist stopped at such an unresponsive signal expected to recover the use of his or her vehicle?
I feel that cell phones are like "open containers" in a car. If one is visible, go to jail. It goes in the trunk, and to use the damn thing, get out of the damn car.
Then what should children in the back seat use instead for entertainment on a road trip exceeding an hour?
Often blatant red light violations come from intersections with no left turn arrow. Frustrated drivers wait an entire light cycle (or four), and then finally just go when the opposite lane clears as the light turns red.
If you're referring to intersections that show the left* lane a green disc instead of a green arrow, the proper maneuver is a "LEFT TURN YIELD ON GREEN" as described in the driver's manual. First enter the intersection while the signal is green. Then by the time it turns red, you're already legally in the intersection and have the right and duty to clear it once oncoming traffic to your left ceases.
Or are you referring to left turn lanes whose signal doesn't turn green because its buried induction loop is failing to pick up your vehicle?
* Assuming USA and other countries that drive on the right.
please keep in mind that a lot of us watch youtube on our "smart-tv" devices, Nintendos, Xbox's Youtube app etc.
Or use a HOSTS file ad blocker.
Editing the hosts file requires root access. Root access is difficult to come by other than on personal computers. You'd need to run your own DNS to cover devices where only the manufacturer, not the owner, has root.
If it were entirely a carrier issue, than unbranded GSM/UMTS/LTE phones would have been patched more often and longer, as would have Wi-Fi-only tablets.
Probably the fact that far more traffic over a modern cellular network is Internet than voice. Therefore, by volume, a cellular carrier is an ISP more than it is a phone company.
Until 3rd world food-producing countries become hostile to the US, such as if they join the 2nd world by becoming more closely allied with Russia and China than with North America and Western Europe. Domestic production must be prepared to cover for sudden interruptions in the flow of imports.
You enable javascript for paypal.com and then anytime you visit paypall.com, your browser sits there not running any javascript.
Then phishers are going to make their sites compatible with NoScript, such as by computing the final DOM, serializing it to HTML, and sending that to the mark instead of the script that generates the DOM.
What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs
WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.
The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OSCP stapling"
An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.
Sovereign Keys
From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".
A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.
Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.
With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.
An unencypted connection is fast, cacheable, and secure enough when you're just transfering photos and cat videos.
As far as I know, my browser does cache content served over https exactly the same as served over http.
But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)
[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help
Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.
Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.
It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".
The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:
Informational websites with no credentials do NOT need TLS, typically
Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?
Literally never seen another stuck signal, and that was a temporary kit pulled from the trailer of a work vehicles. What makes you think this is a big problem?
Having seen several stuck signals in my home town. But then I guess a lot more signals are stuck for bikes than for cars.
They don't need me to tell them it's a bad intersection
They do if the city uses citizen reports as a metric to prioritize allocating budget for improvements to its intersections.
Another thing... are you suggesting that my lack of reporting this makes my analysis of the issue less valid?
No. But in my opinion, one analyzes an issue in order to find a solution.
Or are you simply trying to gently redirect the conversation
Yes. The conversation went in one direction, namely clarification of the problem with this particular approach. Once I realized the problem was an underprovisioned LTYOG, that direction concluded, and I redirected it toward what can be done about the problem.
from pointing out that your counterpoint isn't very good to a conversation about my poor citizenship?
I'm trying to be helpful, suggesting measures that have a chance of getting a problem solved.
Have you reported this underprovisioned intersection to the city? How often have you done so? If it affects you daily, complain daily.
Yes, the correct answer is to modify the traffic lights.
And if you have to wait 3-4 light cycles to proceed through an underprovisioned intersection daily, report said intersection to the city daily.
How is a motorist stopped at such an unresponsive signal expected to recover the use of his or her vehicle?
Technically, you don't.
So in other words, all motorists using British roads are subject to having their vehicles seized at any time for any reason through deployment of a red traffic signal. Or what am I missing?
We turned around
That would work in theory except for a one-way street or an intersection with a no U-turn sign.
rang the police
Using what? Are all motorists using British roads required to keep a valid subscription to mobile phone service?
In addition, I tried ringing city services in my own (U.S.) city when facing a red light that would not respond to my bicycle stopped making a chord of the induction loop's sensor, and representatives blew off the report repeatedly. Or is government attitude toward reports of stuck traffic signals a difference between Britain and the U.S.?
Or unless the intersection is so large that a cyclist can enter on green and the signal can go from green to yellow to red before the cyclist has cleared it.
[In Britain,] If you cross the line on red, you've broke the law, whether it was red for 0.1 seconds or 10 years (note: you can't even cross it if an emergency vehicle appears behind and you need to cross it to let them pass... it's AGAINST THE LAW to cross the line once the light is red).
How is a motorist stopped at such an unresponsive signal expected to recover the use of his or her vehicle?
Basically, their lights flash green 5 times before they go to yellow, giving you ample time to know that the green period ends.
A pre-yellow warning phase also causes motorists to increase speed inappropriately, which is why the United States has not adopted a pre-yellow vehicular phase.
I feel that cell phones are like "open containers" in a car. If one is visible, go to jail. It goes in the trunk, and to use the damn thing, get out of the damn car.
Then what should children in the back seat use instead for entertainment on a road trip exceeding an hour?
Often blatant red light violations come from intersections with no left turn arrow. Frustrated drivers wait an entire light cycle (or four), and then finally just go when the opposite lane clears as the light turns red.
If you're referring to intersections that show the left* lane a green disc instead of a green arrow, the proper maneuver is a "LEFT TURN YIELD ON GREEN" as described in the driver's manual. First enter the intersection while the signal is green. Then by the time it turns red, you're already legally in the intersection and have the right and duty to clear it once oncoming traffic to your left ceases.
Or are you referring to left turn lanes whose signal doesn't turn green because its buried induction loop is failing to pick up your vehicle?
* Assuming USA and other countries that drive on the right.
I think that has something to do with browser publishers deprecating the Fullscreen API on cleartext HTTP sites to make it harder for a man in the middle to impersonate your device's operating system. (Search keyword "secure contexts".). Do the pages an where embedded YouTube video falls to go full screen use HTTPS or cleartext HTTP?
please keep in mind that a lot of us watch youtube on our "smart-tv" devices, Nintendos, Xbox's Youtube app etc.
Or use a HOSTS file ad blocker.
Editing the hosts file requires root access. Root access is difficult to come by other than on personal computers. You'd need to run your own DNS to cover devices where only the manufacturer, not the owner, has root.
If it were entirely a carrier issue, than unbranded GSM/UMTS/LTE phones would have been patched more often and longer, as would have Wi-Fi-only tablets.
Probably the fact that far more traffic over a modern cellular network is Internet than voice. Therefore, by volume, a cellular carrier is an ISP more than it is a phone company.
Until 3rd world food-producing countries become hostile to the US, such as if they join the 2nd world by becoming more closely allied with Russia and China than with North America and Western Europe. Domestic production must be prepared to cover for sudden interruptions in the flow of imports.
It'd be no different from Switzerland, Israel, or any other country that makes every man part of the military reserve.