One key difference as far as I'm aware is that the several states of the United States ceded their power to make treaties with other countries or to lay punitive import duties. (U.S. Const., article I, section 10) I was under the impression that the countries in the European Union retained this power.
Isn't there a "mixed binary" problem when some processes are using new libc and other processes are using old, vulnerable libc, and the protocol has changed to make their internal communications incompatible? In either case, everything is still using the old, vulnerable kernel.
"Women's health" is often a euphemism for "reproductive health", which in turn offends those who want to restrict sex education, abortion access, and the like. "You don't need to learn about contraceptives because you can't get pregnant if you abstain from sexual contact, and you don't need to learn about sexually transmitted infections because you can't catch one if you abstain from sexual contact. Only a whore would visit those sites without a valid marriage license."
there's got to be at least half a dozen laws and regulations that would prohibit ISPs from [charging extra not to run all HTTPS connections through a proxy], if not German then at least EU-wide
But definitely not worldwide. Where does that leave those residing in Slashdot's home country, the United States of America? Here the cable company serving a given city tends to have a monopoly on broadband in that city, except for subscribers who can settle for 1.5 Mbps (DSL) or 10 GB/mo (satellite or fixed cellular).
Agreed. But there are purists who think "strictly better" is still not good enough.
Watch ISPs offer subscribers a discount on their monthly data plans for configuring their devices to run HTTPS traffic through the ISP's MITM proxy.
Yes, I'll watch. As opposed to participate.
Once your ISP starts doing this, you can either participate, pay overages, move to an area served by a different ISP (and make plans to move again once the ISP serving that area changes its policy as well), or disconnect from the Internet. You have already ruled out participating; which of the remaining three is most attractive to you?
[Billing for uncacheable use of a connection] is unrelated to the privacy issue, though.
It's related if the majority of home Internet subscribers prove themselves willing to give up their privacy for a discount on Internet access. It's like ISPs that zero-rate Facebook under the "Free Basics" program: users expose everything to Facebook because their ISP has made it cheaper than using other sites that respect the user's privacy.
even though the data is non-sensitive, people might still prefer a little privacy.
In some cases, even the hostname is sensitive, such as "transgender.example" or "womenshealth.example". HTTPS won't save you there because the browser sends the hostname in cleartext in the Server Name Indication field of the ClientHello packet.
You'll understand when you're behind a proxy that has multiple people constantly tail -F'ing the access log.
Watch ISPs offer subscribers a discount on their monthly data plans for configuring their devices to run HTTPS traffic through the ISP's MITM proxy.
I'd take a 'CONNECT slashdot.org:443' in the access log over GET and especially POST showing up there, telling the reading vs posting rate.
Until you start getting billed for each CONNECT that shows up in the access log because the requested resource can't be served from a Squid or Polipo cache upstream of you.
I think johanw's point is that restricting the universe of discourse to "end users in the United States" and "priced above 200 USD" creates an overly narrow superlative.
Although a special annoyance goes out to any web app that can't deal with being put behind an SSL appliance.
The web app software can deal with it just fine. But as I understand KingMotley's complaint, the organization operating it can't necessarily afford to purchase said SSL appliance and lease additional units of rack space in the colo facility.
The HTTPS negotiation was slower than HTTP, but the actual encryption took valuable server compute resources
True, TLS increases CPU overhead for a site that just serves static documents. But web applications have also become more dynamic since the late 1990s when SSL (now called TLS) was invented. With more server-side processing for each page view, the fraction of server CPU time devoted to actually sending the resource to the PC has diminished. I grant that the cost is greater than zero, but the benefit is also greater than zero.
There are solutions today, but none are free
I thought NGINX as the frontend reverse proxy in front of your application server was free software under the 2-clause BSD license.
It depends on what you mean by "Flash". I thought the rise of Safari for iOS adequately encouraged use of HTML5 instead of Flash Player to play H.264 video on the web.
That leaves vector animations, which are traditionally made in Flash and displayed in Flash Player. If they're displayed in HTML5, they still have to be made somehow. Last time I asked about tools to create HTML5 vector animation, someone recommended Hippani. How easily can an animator make the transition from Flash to Hippani?
In a discussion on Coding Horror Discourse, bigjosh brought up the example of a whole school in sub-Saharan Africa sharing a slow, capped connection to the Internet. If everybody in the class reads the same article, and this article is served over cleartext HTTP, the proxy could download the article once and serve it to all students. With HTTPS, the proxy would instead have to create a separate tunnel for each user through which to send a separately encrypted copy of the article, causing views of the same document after the first to be far slower and causing the school to hit its daily or monthly data transfer quota sooner.
For publicly cacheable documents, why isn't there a middle ground between cleartext HTTP and HTTPS that uses a signing-only cipher suite? Then at least an intermediate caching proxy near the client could still work.
So I guess the next thing to do is find a way to make HTTPS practical for a web server on a home LAN, particularly with DNS Service Discovery instead of a purchased domain. A lot of routers, NAS boxes, etc. still use cleartext HTTP because the browser publishers' Baseline Requirements forbid certificate authorities trusted by the web browser from issuing certificates for hostnames in the.local TLD. And with browser publishers threatening to make the Fullscreen API HTTPS-only, this would impair video streaming from a NAS.
I thought Amazon's A-to-z Guarantee had a limit on how many times an individual could invoke it in one lifetime. Now that I reread it, it appears that no longer applies, but only clothing, shoes, and goods shipped from outside the country qualified for return postage, not laptops shipped from within the buyer's country. How many laptops do you typically return before finding one with which you're happy?
What did the public at large gain from what Congress gave in the first place by extending the term?
What I explained to Scarletdown, as well as the services that the government can afford to continue to provide only if entertainment companies don't move production to other countries with longer copyright terms and take income tax revenue with them.
Presence of hair, breasts, and other evidence points to merpeople being mammals. Their privates (including anus) resemble those of a dolphin, seal, manatee, or other marine mammal, once you get a mermaid to unfasten her scaled swimsuit.
In return for a copyright term extension, the entertainment industry gave the right to have the TV not muted in a small establishment open to the public without infringing copyright in music that the TV station might play.
Both Netflix and Bittorrent allow you to download the movie on an unmetered network
What unmetered network? In many areas, even home Internet is metered. This includes home satellite Internet, home terrestrial microwave Internet (which uses cell towers), and reportedly even home DSL in parts of Iowa. I imagine many find it easier to order DVDs from a web shop than to drive into town to make a multi-gigabyte download over restaurant Wi-Fi.
Netflix because they graciously allow you to do so
I was told this was available only on select devices and only for select titles in its dwindling selection of third-party feature films and TV series.
bittorrent because that's just how it works when you have a drm free file.
Which publishers of notable motion pictures routinely make them lawfully available through BitTorrent?
That's fine, the main crafted experience games offer are still fun, and indies have a place on consoles so amateur productions are still possible.
The difference is that on PC, many game publishers offer tools to let amateurs build on top of an existing game. Several games are known for having fan-made expansion packs dramatically increase their replay value, such as Half-Life, Neverwinter Nights, and Skyrim. Without Half-Life, there'd be no Counter-Strike, and without Warcraft III, there'd be no DotA. But with the self-contained nature of iOS and game consoles, each indie game has to be created completely from scratch. There's no (legitimate) concept of "game as platform", no stepping stone from modding an existing game to a start-to-finish original production.
And I'm aware that startups have recently become welcome on consoles after years of being turned away. But that still doesn't mean a devkit or a set of objectionability classifications from ESRB, PEGI, and CERO is affordable to true amateurs, those who aren't (at least yet) seeking to make a profit.
Define an "exclusive right" over something as the tradable right to exclude others from its use, and "property" as the subject of an exclusive right. (If you object to this definition, let me know, and we can refine it. I just like to get definitions out of the way to separate debate over terms from debate over substance.)
Under the legal theory that a term rollback is a taking, each year of the term of a subsisting exclusive right that the Congress has granted is a thing of value. Then by cutting back the "limited Times" for which the Congress has granted an exclusive right in a particular work or invention, the Congress takes "private property for public use". This would obligate the Congress to provide "just compensation", which courts have interpreted as the fair market value of the property, for each year of the remaining term. Public-to-private wealth transfers are constitutionally acceptable windfalls, but private-to-public wealth transfers are takings.
One key difference as far as I'm aware is that the several states of the United States ceded their power to make treaties with other countries or to lay punitive import duties. (U.S. Const., article I, section 10) I was under the impression that the countries in the European Union retained this power.
Isn't there a "mixed binary" problem when some processes are using new libc and other processes are using old, vulnerable libc, and the protocol has changed to make their internal communications incompatible? In either case, everything is still using the old, vulnerable kernel.
"Women's health" is often a euphemism for "reproductive health", which in turn offends those who want to restrict sex education, abortion access, and the like. "You don't need to learn about contraceptives because you can't get pregnant if you abstain from sexual contact, and you don't need to learn about sexually transmitted infections because you can't catch one if you abstain from sexual contact. Only a whore would visit those sites without a valid marriage license."
Where does Notepad show a view of the timeline? And how easy is it for animators to adapt from Adobe Flash to Notepad?
there's got to be at least half a dozen laws and regulations that would prohibit ISPs from [charging extra not to run all HTTPS connections through a proxy], if not German then at least EU-wide
But definitely not worldwide. Where does that leave those residing in Slashdot's home country, the United States of America? Here the cable company serving a given city tends to have a monopoly on broadband in that city, except for subscribers who can settle for 1.5 Mbps (DSL) or 10 GB/mo (satellite or fixed cellular).
Hostname is strictly better than full URL
Agreed. But there are purists who think "strictly better" is still not good enough.
Watch ISPs offer subscribers a discount on their monthly data plans for configuring their devices to run HTTPS traffic through the ISP's MITM proxy.
Yes, I'll watch. As opposed to participate.
Once your ISP starts doing this, you can either participate, pay overages, move to an area served by a different ISP (and make plans to move again once the ISP serving that area changes its policy as well), or disconnect from the Internet. You have already ruled out participating; which of the remaining three is most attractive to you?
[Billing for uncacheable use of a connection] is unrelated to the privacy issue, though.
It's related if the majority of home Internet subscribers prove themselves willing to give up their privacy for a discount on Internet access. It's like ISPs that zero-rate Facebook under the "Free Basics" program: users expose everything to Facebook because their ISP has made it cheaper than using other sites that respect the user's privacy.
even though the data is non-sensitive, people might still prefer a little privacy.
In some cases, even the hostname is sensitive, such as "transgender.example" or "womenshealth.example". HTTPS won't save you there because the browser sends the hostname in cleartext in the Server Name Indication field of the ClientHello packet.
You'll understand when you're behind a proxy that has multiple people constantly tail -F'ing the access log.
Watch ISPs offer subscribers a discount on their monthly data plans for configuring their devices to run HTTPS traffic through the ISP's MITM proxy.
I'd take a 'CONNECT slashdot.org:443' in the access log over GET and especially POST showing up there, telling the reading vs posting rate.
Until you start getting billed for each CONNECT that shows up in the access log because the requested resource can't be served from a Squid or Polipo cache upstream of you.
I think johanw's point is that restricting the universe of discourse to "end users in the United States" and "priced above 200 USD" creates an overly narrow superlative.
Although a special annoyance goes out to any web app that can't deal with being put behind an SSL appliance.
The web app software can deal with it just fine. But as I understand KingMotley's complaint, the organization operating it can't necessarily afford to purchase said SSL appliance and lease additional units of rack space in the colo facility.
The HTTPS negotiation was slower than HTTP, but the actual encryption took valuable server compute resources
True, TLS increases CPU overhead for a site that just serves static documents. But web applications have also become more dynamic since the late 1990s when SSL (now called TLS) was invented. With more server-side processing for each page view, the fraction of server CPU time devoted to actually sending the resource to the PC has diminished. I grant that the cost is greater than zero, but the benefit is also greater than zero.
There are solutions today, but none are free
I thought NGINX as the frontend reverse proxy in front of your application server was free software under the 2-clause BSD license.
A MITM can still serve with HTTPS just fine.
Only if the browser is configured to trust the MITM's certificate.
It depends on what you mean by "Flash". I thought the rise of Safari for iOS adequately encouraged use of HTML5 instead of Flash Player to play H.264 video on the web.
That leaves vector animations, which are traditionally made in Flash and displayed in Flash Player. If they're displayed in HTML5, they still have to be made somehow. Last time I asked about tools to create HTML5 vector animation, someone recommended Hippani. How easily can an animator make the transition from Flash to Hippani?
Which timeline-based animation editors
Notepad!
I don't know which "Notepad" you're talking about, but Windows Notepad is a text editor, not a timeline-based animation editor.
In a discussion on Coding Horror Discourse, bigjosh brought up the example of a whole school in sub-Saharan Africa sharing a slow, capped connection to the Internet. If everybody in the class reads the same article, and this article is served over cleartext HTTP, the proxy could download the article once and serve it to all students. With HTTPS, the proxy would instead have to create a separate tunnel for each user through which to send a separately encrypted copy of the article, causing views of the same document after the first to be far slower and causing the school to hit its daily or monthly data transfer quota sooner.
For publicly cacheable documents, why isn't there a middle ground between cleartext HTTP and HTTPS that uses a signing-only cipher suite? Then at least an intermediate caching proxy near the client could still work.
So I guess the next thing to do is find a way to make HTTPS practical for a web server on a home LAN, particularly with DNS Service Discovery instead of a purchased domain. A lot of routers, NAS boxes, etc. still use cleartext HTTP because the browser publishers' Baseline Requirements forbid certificate authorities trusted by the web browser from issuing certificates for hostnames in the .local TLD. And with browser publishers threatening to make the Fullscreen API HTTPS-only, this would impair video streaming from a NAS.
Sources for threat to drop Fullscreen API: Secure Contexts: Risks associated with non-secure contexts; Secure Contexts: Restricting Legacy Features; Deprecating Non-Secure HTTP; Deprecating Powerful Features on Insecure Origins /r/IAmA
Source for impracticality of HTTPS on home LAN: Question to Let's Encrypt rep in
Instead Apple is like a Turtle, a very determined Turtle [...] the Turtle Moves.
Does this turtle move with FD 50 RT 90? It used to.
System76's laptop page doesn't offer anything smaller than the 14 inch Lemur.
I thought Amazon's A-to-z Guarantee had a limit on how many times an individual could invoke it in one lifetime. Now that I reread it, it appears that no longer applies, but only clothing, shoes, and goods shipped from outside the country qualified for return postage, not laptops shipped from within the buyer's country. How many laptops do you typically return before finding one with which you're happy?
What did the public at large gain from what Congress gave in the first place by extending the term?
What I explained to Scarletdown, as well as the services that the government can afford to continue to provide only if entertainment companies don't move production to other countries with longer copyright terms and take income tax revenue with them.
Presence of hair, breasts, and other evidence points to merpeople being mammals. Their privates (including anus) resemble those of a dolphin, seal, manatee, or other marine mammal, once you get a mermaid to unfasten her scaled swimsuit.
In return for a copyright term extension, the entertainment industry gave the right to have the TV not muted in a small establishment open to the public without infringing copyright in music that the TV station might play.
Both Netflix and Bittorrent allow you to download the movie on an unmetered network
What unmetered network? In many areas, even home Internet is metered. This includes home satellite Internet, home terrestrial microwave Internet (which uses cell towers), and reportedly even home DSL in parts of Iowa. I imagine many find it easier to order DVDs from a web shop than to drive into town to make a multi-gigabyte download over restaurant Wi-Fi.
Netflix because they graciously allow you to do so
I was told this was available only on select devices and only for select titles in its dwindling selection of third-party feature films and TV series.
bittorrent because that's just how it works when you have a drm free file.
Which publishers of notable motion pictures routinely make them lawfully available through BitTorrent?
Why stream it when you can just store it locally?
Because a motion picture's copyright owner prohibits long-term local storage other than through purchase of DVD or BD.
That's fine, the main crafted experience games offer are still fun, and indies have a place on consoles so amateur productions are still possible.
The difference is that on PC, many game publishers offer tools to let amateurs build on top of an existing game. Several games are known for having fan-made expansion packs dramatically increase their replay value, such as Half-Life, Neverwinter Nights, and Skyrim. Without Half-Life, there'd be no Counter-Strike, and without Warcraft III, there'd be no DotA. But with the self-contained nature of iOS and game consoles, each indie game has to be created completely from scratch. There's no (legitimate) concept of "game as platform", no stepping stone from modding an existing game to a start-to-finish original production.
And I'm aware that startups have recently become welcome on consoles after years of being turned away. But that still doesn't mean a devkit or a set of objectionability classifications from ESRB, PEGI, and CERO is affordable to true amateurs, those who aren't (at least yet) seeking to make a profit.
Define an "exclusive right" over something as the tradable right to exclude others from its use, and "property" as the subject of an exclusive right. (If you object to this definition, let me know, and we can refine it. I just like to get definitions out of the way to separate debate over terms from debate over substance.)
Under the legal theory that a term rollback is a taking, each year of the term of a subsisting exclusive right that the Congress has granted is a thing of value. Then by cutting back the "limited Times" for which the Congress has granted an exclusive right in a particular work or invention, the Congress takes "private property for public use". This would obligate the Congress to provide "just compensation", which courts have interpreted as the fair market value of the property, for each year of the remaining term. Public-to-private wealth transfers are constitutionally acceptable windfalls, but private-to-public wealth transfers are takings.
A Harvard Law Review analysis of takings case law concludes that the reality probably lies somewhere in the middle.