[Appliances on a home network with a web-based administration interface] are not servers and don't need to serve https
The article "Deprecating Non-Secure HTTP" by Richard Barnes begins: "Today we are announcing our intent to phase out non-secure HTTP." Not only Firefox but also Chrome has announced plans to deprecate HTTP. This includes making new web APIs, such as Service Worker, available only to a "secure context". The list of such APIs includes Service Worker, Geolocation, Notification, Fullscreen, Pointer Lock, and Media Stream (camera and microphone).
A secure context is available only if all documents holding references to objects in that context come from a "potentially trustworthy origin", as defined in the W3C's "Secure Contexts" spec. As of right now, web browsers are treating only the 127/8 netblock (that is, localhost) and origins using the https or wss scheme as potentially trustworthy origins. The spec allows a web browser to allow the user to mark other origins as potentially trustworthy, but the present draft doesn't suggest how the web browser might expose this functionality to the user.
as you'll connect on a trusted network - your own, and your own only. Wired or encrypted WiFi.
A web browser cannot tell the difference between my encrypted Wi-Fi network at home and the encrypted Wi-Fi network of the coin laundry near me. For this reason, the RFC 1918 private netblocks 10/8, 172.16/12, and 192.168/16 are by default not treated as potentially trustworthy without the https scheme, unlike 127/8.
By the time someone feels the need for a private server at home (and even knows what to do with it and how to use it - including things like setting up a domain and getting fixed IP or DynDNS to actually be able to access it remotely)
I wasn't referring to remote access. I was referring to access only within the private home LAN. they should be able to handle that part as well. If they can't figure out such a task, no hopes for the security of the rest of the server so whether it's https or not doesn't matter any more.
Let me repeat it in my own words to make sure I understand what you wrote:
Nobody should buy a networked printer or networked backup appliance until he or she has already learned how to trust a CA.
establishing trust between the proxy and your LAN clients simply requires installing your intermediary internal CA certificate on client devices.
Are instructions to install an internal CA's root certificate easy for a home user to find and follow on Windows (home, not Pro therefore not on a domain, and definitely not Enterprise), macOS, Android, and iOS? I thought certain operating systems intentionally made root certificate installation hard to do in order to deter social engineering attacks on the PKI underlying TLS.
By the time you're running your own private hosts on your own private network, it's for sure a no-brainer for your IT staff to run their own CA and register it as trusted CA in all internal computer systems.
Say someone goes to Best Buy and buys a home server for use on a home LAN, and its web-based administration interface uses a private CA for HTTPS. Is the owner of that home server likely to know how to make the server's internal CA trusted on all Windows, macOS, Android, and iOS devices on the home network?
For example, Amazon owns the amazonaws.com, but it allows Simple Storage Service (S3) subscribers to register subdomains (called "buckets"). This makes the buckets' root domain (s3.amazonaws.com) a public suffix, though Amazon uses its own wildcard certificate for *.s3.amazonaws.com to serve files in S3 buckets to HTTPS clients.
The only time this could lead to confusion would be if you own a domain for which you have multiple subdomains with certificates signed by different authorities, which probably doesn't (or shouldn't) happen.
And if it does happen, your domain probably is a public suffix.
then you should not need any certificate form any CA but yourself.
Let's assume that an appliance on a home LAN needs an X.509 certificate for HTTPS on its web-based administration interface. Let's further assume that the device acts as its own CA to issue this certificate. What would be the easiest way to get this device's CA trusted by the Windows, macOS, Android, and iOS devices on the LAN?
The real point, however, is that if the machine should not be routable from outside of your network, then you should not make it routable from off your network.
If a machine is not routable, how will Let's Encrypt or any other DV CA know that you have enough control over a machine to be entitled to a certificate for its hostname?
I acknowledge not having rigorously defined 'supports'. Without one of these USB OTG or Lightning NICs that you linked, a device does not support Ethernet. So let me ask a second question:
What fraction of smartphone and tablet users own a compatible NIC?
What does the test to get a "TV License" look like?
It presumably looks like the form mailed to you when you respond to a PBS pledge drive. BBC is their counterpart to PBS, and it has made a deal with Ofcom (their counterpart to the FCC) to ban watching any broadcast TV (whether BBC or not) without a valid BBC subscription.
On another forum, I have noticed a sharp rise in the number of users who claim to have no ready access to a PC. What major smartphones and tablets support Ethernet?
I've never read it but I'm led to believe there is an assertion within it, "Thou shalt not kill", but the interpreters of the book don't object to extremely well funded military research.
You refer to a passage in Exodus 20. A more accurate translation, given the context of other uses of the Hebrew word translated "kill" in the King James Version, is "You must not commit murder." That makes more sense alongside the capital punishment for the most serious sins set forth in Leviticus.
A complete repeal of the DMCA would include a repeal of 17 USC 512, the Online Copyright Infringement Liability Limitation Act. This would take away the defense that allows sites that display user-uploaded-works, such as YouTube and Slashdot, to continue to operate without requiring editorial review of each post. Instead of forcing one comment off Slashdot, Scientology would have been able to close Slashdot entirely.
A complete repeal of the DMCA would also include a repeal of 17 USC 117(c). This would restore the dangerous precedent set in MAI v. Peak, which forbids independent repair shops to turn on a device that contains copyrighted firmware.
Or did you refer only to 17 USC 1201, the circumvention ban, and not its riders?
I think we've pretty much decided that the only thing we'll ever produce here is crappy super hero movies.
And even that bubble is due to burst by the end of this decade. Luis Prada explains.
For one thing, DNA is a material present in uncooked food, making it arguably part of an ingredient. (I admit to not having read your definition of "ingredient". If you wish, I can discuss this issue in the context of on a cited definition.) For another, the nutritional value of each ingredient depends on the plant's phenotype, which is affected by changes to its genotype.
How do you square [patent infringement lawsuits] with your belief that GM seeds aren't replantable?
I mentally resolved this cognitive dissonance into alternative pleading to the following effect: "Some GMO plants introduce a terminator gene, whose intentionally failing pollination could cause defects in neighboring farmers' crops. And even those that don't have a terminator gene are a patent hazard for neighboring farmers."
The Janrain one I'm pretty sure is related to Slashdot's role as a relying party for login with OAuth-based identity providers, such as Google, Facebook, and Twitter. I've written elsewhere about how the switch from OpenID 2 to OpenID Connect transformed an O(n) problem into an O(n^2) one. Slashdot can sign up for a separate client key and secret with every single identity provider out there, or it can sign up for a single client key and secret with Janrain.
my program [turns hosts customization on and off] for you via its rightclick tooltray icon popup menu
Analogously to "disable antivirus" controls in the notification area, I assume. That's fine provided you close all other tabs and all other programs that use the Internet before opening the bill payment form. If you have other tabs running in the background, even on a separate browser profile, the setting affects them as well.
it's a rarity when a site hosts their own ads - advertisers don't trust webmasters alleged clickview counts
How do advertisers and webmasters trust ad networks' alleged click/view counts any better? And what stops webmasters from adopting the same means of earning trust as ad networks?
all I see is unjustifiable downmods on my posts
The downmods, as I see them, are on your habit of formatting them in a spammy manner.
If you've got javascript you need me to run to make your website work (why?)
I agree that for sites presenting only static information, JavaScript ought to be unnecessary. But for browser-based video games, it's the lesser of two evils. Games like Cookie Clicker and Pirates Love Daisies could instead have been written in Flash; would that have been a better choice?
Copyright infringement is not theft in the sense that, say, money laundering is not assault and battery. They're not the same thing, but they're both illegal.
[Appliances on a home network with a web-based administration interface] are not servers and don't need to serve https
The article "Deprecating Non-Secure HTTP" by Richard Barnes begins: "Today we are announcing our intent to phase out non-secure HTTP." Not only Firefox but also Chrome has announced plans to deprecate HTTP. This includes making new web APIs, such as Service Worker, available only to a "secure context". The list of such APIs includes Service Worker, Geolocation, Notification, Fullscreen, Pointer Lock, and Media Stream (camera and microphone).
A secure context is available only if all documents holding references to objects in that context come from a "potentially trustworthy origin", as defined in the W3C's "Secure Contexts" spec. As of right now, web browsers are treating only the 127/8 netblock (that is, localhost) and origins using the https or wss scheme as potentially trustworthy origins. The spec allows a web browser to allow the user to mark other origins as potentially trustworthy, but the present draft doesn't suggest how the web browser might expose this functionality to the user.
as you'll connect on a trusted network - your own, and your own only. Wired or encrypted WiFi.
A web browser cannot tell the difference between my encrypted Wi-Fi network at home and the encrypted Wi-Fi network of the coin laundry near me. For this reason, the RFC 1918 private netblocks 10/8, 172.16/12, and 192.168/16 are by default not treated as potentially trustworthy without the https scheme, unlike 127/8.
By the time someone feels the need for a private server at home (and even knows what to do with it and how to use it - including things like setting up a domain and getting fixed IP or DynDNS to actually be able to access it remotely)
I wasn't referring to remote access. I was referring to access only within the private home LAN.
they should be able to handle that part as well. If they can't figure out such a task, no hopes for the security of the rest of the server so whether it's https or not doesn't matter any more.
Let me repeat it in my own words to make sure I understand what you wrote:
Nobody should buy a networked printer or networked backup appliance until he or she has already learned how to trust a CA.
What if anything did I misunderstand?
establishing trust between the proxy and your LAN clients simply requires installing your intermediary internal CA certificate on client devices.
Are instructions to install an internal CA's root certificate easy for a home user to find and follow on Windows (home, not Pro therefore not on a domain, and definitely not Enterprise), macOS, Android, and iOS? I thought certain operating systems intentionally made root certificate installation hard to do in order to deter social engineering attacks on the PKI underlying TLS.
By the time you're running your own private hosts on your own private network, it's for sure a no-brainer for your IT staff to run their own CA and register it as trusted CA in all internal computer systems.
Say someone goes to Best Buy and buys a home server for use on a home LAN, and its web-based administration interface uses a private CA for HTTPS. Is the owner of that home server likely to know how to make the server's internal CA trusted on all Windows, macOS, Android, and iOS devices on the home network?
For example, Amazon owns the amazonaws.com, but it allows Simple Storage Service (S3) subscribers to register subdomains (called "buckets"). This makes the buckets' root domain (s3.amazonaws.com) a public suffix, though Amazon uses its own wildcard certificate for *.s3.amazonaws.com to serve files in S3 buckets to HTTPS clients.
The only time this could lead to confusion would be if you own a domain for which you have multiple subdomains with certificates signed by different authorities, which probably doesn't (or shouldn't) happen.
And if it does happen, your domain probably is a public suffix.
then you should not need any certificate form any CA but yourself.
Let's assume that an appliance on a home LAN needs an X.509 certificate for HTTPS on its web-based administration interface. Let's further assume that the device acts as its own CA to issue this certificate. What would be the easiest way to get this device's CA trusted by the Windows, macOS, Android, and iOS devices on the LAN?
blockchain-base SSL?
Does that make any sense at all?
It makes about as much sense as layering DANE (RFCs 6698 and 7671-7673) on top of Namecoin.
The real point, however, is that if the machine should not be routable from outside of your network, then you should not make it routable from off your network.
If a machine is not routable, how will Let's Encrypt or any other DV CA know that you have enough control over a machine to be entitled to a certificate for its hostname?
I acknowledge not having rigorously defined 'supports'. Without one of these USB OTG or Lightning NICs that you linked, a device does not support Ethernet. So let me ask a second question:
What fraction of smartphone and tablet users own a compatible NIC?
What does the test to get a "TV License" look like?
It presumably looks like the form mailed to you when you respond to a PBS pledge drive. BBC is their counterpart to PBS, and it has made a deal with Ofcom (their counterpart to the FCC) to ban watching any broadcast TV (whether BBC or not) without a valid BBC subscription.
On another forum, I have noticed a sharp rise in the number of users who claim to have no ready access to a PC. What major smartphones and tablets support Ethernet?
I've never read it but I'm led to believe there is an assertion within it, "Thou shalt not kill", but the interpreters of the book don't object to extremely well funded military research.
You refer to a passage in Exodus 20. A more accurate translation, given the context of other uses of the Hebrew word translated "kill" in the King James Version, is "You must not commit murder." That makes more sense alongside the capital punishment for the most serious sins set forth in Leviticus.
we'd repeal the DMCA
A complete repeal of the DMCA would include a repeal of 17 USC 512, the Online Copyright Infringement Liability Limitation Act. This would take away the defense that allows sites that display user-uploaded-works, such as YouTube and Slashdot, to continue to operate without requiring editorial review of each post. Instead of forcing one comment off Slashdot, Scientology would have been able to close Slashdot entirely.
A complete repeal of the DMCA would also include a repeal of 17 USC 117(c). This would restore the dangerous precedent set in MAI v. Peak, which forbids independent repair shops to turn on a device that contains copyrighted firmware.
Or did you refer only to 17 USC 1201, the circumvention ban, and not its riders?
I think we've pretty much decided that the only thing we'll ever produce here is crappy super hero movies.
And even that bubble is due to burst by the end of this decade. Luis Prada explains.
We label for ingredients, not for processes.
For one thing, DNA is a material present in uncooked food, making it arguably part of an ingredient. (I admit to not having read your definition of "ingredient". If you wish, I can discuss this issue in the context of on a cited definition.) For another, the nutritional value of each ingredient depends on the plant's phenotype, which is affected by changes to its genotype.
How do you square [patent infringement lawsuits] with your belief that GM seeds aren't replantable?
I mentally resolved this cognitive dissonance into alternative pleading to the following effect: "Some GMO plants introduce a terminator gene, whose intentionally failing pollination could cause defects in neighboring farmers' crops. And even those that don't have a terminator gene are a patent hazard for neighboring farmers."
And when AWS first opened, Amazon.com was by far its biggest customer. In fact, AWS was created to sell off Amazon.com's excess capacity.
I'm seeing the leak as well. Has this leak been reported on Bugzilla?
Firefox 53 removes plug-in support, with the exception of Adobe Flash Player.
https://bugzilla.mozilla.org/s...
The Janrain one I'm pretty sure is related to Slashdot's role as a relying party for login with OAuth-based identity providers, such as Google, Facebook, and Twitter. I've written elsewhere about how the switch from OpenID 2 to OpenID Connect transformed an O(n) problem into an O(n^2) one. Slashdot can sign up for a separate client key and secret with every single identity provider out there, or it can sign up for a single client key and secret with Janrain.
my program [turns hosts customization on and off] for you via its rightclick tooltray icon popup menu
Analogously to "disable antivirus" controls in the notification area, I assume. That's fine provided you close all other tabs and all other programs that use the Internet before opening the bill payment form. If you have other tabs running in the background, even on a separate browser profile, the setting affects them as well.
it's a rarity when a site hosts their own ads - advertisers don't trust webmasters alleged clickview counts
How do advertisers and webmasters trust ad networks' alleged click/view counts any better? And what stops webmasters from adopting the same means of earning trust as ad networks?
all I see is unjustifiable downmods on my posts
The downmods, as I see them, are on your habit of formatting them in a spammy manner.
A mitigation: Don't put the sensitive data in the same resource as the non-sensitive data
A mitigation separating the template from the data is feasible if JavaScript is enabled, but not for users who block JavaScript by default.
If you've got javascript you need me to run to make your website work (why?)
I agree that for sites presenting only static information, JavaScript ought to be unnecessary. But for browser-based video games, it's the lesser of two evils. Games like Cookie Clicker and Pirates Love Daisies could instead have been written in Flash; would that have been a better choice?
Censorship only applies when it's done by the Government.
Civil and criminal penalties for copyright infringement are enforced, well, by the Government.
Copyright infringement is not theft in the sense that, say, money laundering is not assault and battery. They're not the same thing, but they're both illegal.