Slashdot Mirror


User: tepples

tepples's activity in the archive.

Stories
0
Comments
68,260
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 68,260

  1. "GNU/Linux" avoids moving goalposts on The US Government and Open Standards: a Tale of Personal Woe (thevarguy.com) · · Score: 1

    Considering that many distros ship with multiple window managers, trying to identify a distro by its' windows manager doesn't work.

    Which is why I mentioned X11, the one thing that all Desktop/Linux/That/Isn't/Android window managers and toolkits have in common. The X Window System allows use of any of several window managers, the vast majority of which allow overlapping windows, tiled windows, or both. Desktop/Linux/That/Isn't/Android uses X11; Android doesn't.

    Just use linux or android - everyone will understand the difference.

    It turns out that not "everyone will understand the difference". Some Slashdot users tell me that Linux has already "arrived" (in the "year of the Linux desktop" sense) because it is the kernel of Android. And when I clarify in a reply that Android doesn't count because an all-maximized workflow is impractical for many desktop use cases, I get called out for the fallacy of "moving the goalposts". Because I've been harassed so often in the past for "moving the goalposts", I have been trying to find a term that is correct the first time. Historically, there has been a very strong correlation between GUI Linux distros that use Bash and GNU Coreutils and GUI Linux distros that use X11, which has allowed "GNU/Linux" to be understood as clearly excluding Android. And it sounds less paraphyletic than saying "Desktop/Linux/That/Isn't/Android".

    Do I need to try using only "Linux" for a while and collecting evidence of actual confusion?

  2. Non-Adobe Reader web form for FBAR on The US Government and Open Standards: a Tale of Personal Woe (thevarguy.com) · · Score: 1

    Regarding the individual FBAR (FinCEN Report 114), the link you gave me confirmed that it "is only available online through the BSA E-Filing System website." But I clicked through "BSA E-Filing System" and saw this:

    Online Form: Adobe Reader NOT required

  3. Not all suggestions apply to all situations:

    read a newspaper

    Newspapers have moved to the Internet.

    talk to your co-workers

    Depends on whether they're on break at the same time.

    get your employer to install a TV in the break room

    It has become increasingly common to deliver TV over the Internet.

    go for a walk

    Practicality depends on weather.

  4. A hacked site's hostname is sent in the clear on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    The firewall can detect the hostname through the Server Name Indication field of the ClientHello packet, which is sent in the clear. If the hostname is known to have been infected, it can block the connection. It cannot detect the URL with path granularity, but if a site has been compromised, all paths on that site are probably shot as well.

    So while https on a content site, a site that doesn't handle secure transactions

    The Firesheep extension demonstrated that any site into which a user can enter a name and password, such as to post to the site's comment section or to read private messages or paywalled documents, is a site that "handle[s] secure transactions".

  5. A person 'keying in' (most just click) a URL expects to get to the site.

    A person either keying in or clicking a URL that specifically uses the https: scheme also expects the site not to be modified between the server and the browser. This means a person expects a man in the middle attack to be detectable. I know of three means of detecting MITM: CAs, DANE, and Perspectives.

    A browser actively trying to prevent a user from getting to that site based on the fact that the certificate for the site is not what the browser company decides is in the best interest of the company (AFAIC) is not an indicator of the site being secure or insecure.

    There's no financial interest in the sale of certificates, as both Mozilla and Google sponsor the no-charge CA Let's Encrypt. This means "the best interest of the company" lies in building a reputation for producing a browser that ensures prompt detection of MITM. The browser ships with one means of detecting MITM, namely CAs, and provides an extension mechanism to add others.

    It is better to be on an https site with a self signed certificate, when a government is listening to all communications to filter it by keywords than to be on http and not be warned by the browser about anything.

    True, HTTPS is better than HTTP at a passive attack. But immunity to passive attacks will drive at least one attacker to cease passive attacks in favor of active attacks, even if said attacker happens to be an attacker other than the NSA. This is why Perspectives exists: to verify lack of an active attacker between the server using a self-signed cert and the user. It retrieves the cert through the Internet over several routes, and if they all match, then either no active attack is in progress (most likely) or the same active attacker has compromised all routes (highly unlikely).

    I am saying that a browser treating a site with a self signed certificate as if it is a virus while happily letting people navigate the rest of the http web is not for the benefit of a user.

    And I am saying that a browser with Perspectives doesn't treat self-signed certs this way.

  6. Re:Google sponsors Let's Encrypt on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    I can remove the word "trusted" without loss of meaning.

    Let's Encrypt is a certificate authority whose root certificate is included in the default root certificate set used by Google Chrome. And I don't see that going away any time soon, as the division of Google responsible for Chrome is a platinum sponsor of Let's Encrypt.

  7. Wage equivalent of not having to tether on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    An upgrade from my present cellular plan to one allowing tethering would cost roughly $50 per month, or $600 per year. At 2000 hours per year (full-time) and 25 percent income tax, this would reduce my effective hourly wage by 40 cents per hour. At 1000 hours per year (part-time) and 25 percent income tax, this would reduce my effective hourly wage by 80 cents per hour. But if an employer provides unrestricted break-time Internet, I don't have to pay $600 per year to a cellular company, and the employer can keep me as an employee without having to give me such a raise.

  8. Re:Man in the middle on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Imagine a corporate network with an internet proxy server - everything you do, SSL or not, is readable by the proxy. If you accept the self signed certificate, you have no indication that securelogon.personalbank.com is really proxy.companyname.local siting in the middle. The self signed certificate might have been accepted on your behalf thanks to GPO.

    The company's root certificate would have to have been deployed through GPO.

    No consider that ISPs are very similar to a corporate proxy server regarding the man in the middle attack. They control the connection, they control DNS, they control everything.

    But not the root certificate. (Yet.) This is the key difference between a home ISP and a corporate LAN: the former is less likely to try to install a proxy's root certificate on customer-provided equipment.

  9. IPv4 address exhaustion on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Most secure sites should run on a dedicated server, not be shared with other domains websites on the same server, since it is a security issue.

    Because of IPv4 address exhaustion, multiple dedicated servers would have to sit behind a load balancer with one IPv4 address that terminates the TLS connection.

    But you could also use a unique IP address for each site hosted on the same server..... IP virtual hosting

    This became impractical as of IPv4 address exhaustion.

    Internet Explorer on Windows XP does not

    ...receive security updates anymore. It hasn't for 21 months. Therefore, it should be assumed subject to compromise by things such as keyloggers and therefore insecure.

  10. Buck feta. Buck FIZX. on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Especially because SlashdotMedia just got bought out by BIZX, and some people think this is dangerous.

    You can always come to SoylentNews. It has HTTPS, and we won't bite.

  11. I am talking about every user that gets these errors

    Every user that gets these errors can install the Perspectives extension to make self-signed certificates not dangerous.

    and decides that the site is somehow dangerous in a way that the user doesn't understand, more dangerous than a http site, while in reality it is not more dangerous.

    It's not about whether a site is dangerous per se as much as whether a site is as dangerous as a reasonable person would expect when keying in the URL.

    and it will also put a big red 'birdy' near an http site.

    I've already got a big blue 'birdy' on an HTTPS site.

  12. Re:Man in the middle on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    If you do not encrypt, a third party can insert malware downloads into your site. Do "most websites just [not] need" a lack of malware?

  13. Re:Dept of Treasury requires Acrobat to submit for on The US Government and Open Standards: a Tale of Personal Woe (thevarguy.com) · · Score: 1

    Where is the public notice from the U.S. Government that it does not make this particular form available through paper?

  14. Firefox defines typing in s as indicating that the user desires protection from a man in the middle (MITM). Install the Perspectives extension, which adds a second method of detecting MITM that works with self-signed certificates, and self-signed certificate errors will go away.

  15. Whois already identifies you on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    So they are forcing identification of all website owners.

    Whois already does that, thank you very much. And Let's Encrypt doesn't need any more information than what's already on your domain's Whois record before issuing a domain-validated certificate.

  16. because ad networks used to be SSL free on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Slashdot used to offer subscriptions. When it offered subscriptions, subscribers used HTTPS to view ad-free pages. HTTPS was treated as a subscriber perk because until September 2013, there were no major ad networks that worked over HTTPS.

  17. MITM breaks self-signed HTTPS on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Easy solution. Allow self-signed certificates.

    Then let me rephrase Anonymous Coward's post:

    Use of a CA means your "list of local historical sites" remains exactly as you wrote it, and doesn't mysteriously lose mention of that awful thing which happened in 1846 that a local politician feels "school children just don't need to be taught" when it is viewed through a man-in-the-middle proxy on school WiFi. It also won't suddenly gain a banner advertisement for Amazon when viewed through the man-in-the-middle proxy of a certain US ISP. You presumably care about the "simple information" on your sites and want it presented as you wrote it, so that seems valuable, but without some means of detecting a man-in-the-middle proxy, there just isn't any guarantee at all.

  18. If I only want to encrypt connection so it remained unmodified

    A man in the middle can decrypt on one end and encrypt on the other end in order to modify the data. A self-signed certificate protects against only passive attacks, not active (man in the middle) attacks, unless you find some way to communicate the certificate's fingerprint out of band.

  19. It does take extra effort on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Other than that. I guess the other side of the argument to "why not use just use unencrypted HTTP?" is "if there is no cost involved and doesn't a lot of extra effort to set up, why NOT use encrypted HTTP?"

    And the answer is that it does "a lot of extra effort to set up", at least according to Bomarc's comment.

  20. Let's Encrypt automatically renews on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    And even if you had money, you would have to renew certificate each year

    Let's Encrypt automatically renews your certificate every couple months.

    (for some reason these things expire)

    They expire as a means of pruning the revocation list.

  21. You already have to pay your domain registrar and hosting provider.

    I actually tried to avoid an itemized list. (Hosting provider: My basement)

    You already have to pay your domain registrar and your home ISP. Many home ISPs' acceptable use policies prohibit running a publicly accessible server from your basement, and they enforce it either through a firewall (blocking inbound connections on 80/443 or on all ports), through carrier-grade network address translation (CGNAT) which doesn't give your computer a public IPv4 address in the first place, or simply through threat of having your home disconnected from the Internet for twelve months. To avoid this threat of disconnection, many customers upgrade to a business-class plan that includes an IPv4 address with inbound and no server ban in the AUP.

    After three days of working on just this problem; I was not able to implement SSL.

    How long ago were these three days spent? If it was years ago, perhaps the installer has improved since then.

  22. Re:True sense of insecurity on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    In the version of FF I am on right now 41.0.1 on Linux Mint 17 I don't see http or https in the address bar. I see a green padlock for https

    I haven't seen this behavior. I've seen shown for HTTPS and hidden for HTTP. To help me confirm the behavior you are seeing, please visit some HTTPS site, take a screenshot, post it to Imgur or wherever, and link it here.

  23. Of-course it does, it is trying to prevent people from using self signed certificates and pushing them towards CAs.

    Is there a problem with that? StartSSL has been issuing DV certs without charge for years, and now there are also WoSign and Let's Encrypt.

    FF today doesn't even display the protocol in the address bar by default

    Firefox 44 shows the scheme for HTTPS and hides it for HTTP.

    it shows either a grey globe or a green padlock, clicking on these you get 'connection secure' or 'connection is not secure' message. It's that easy to simply check if the certificate is self signed

    Most users are unwilling to learn to check that pop-up every time.

    treat the site as if it was an HTTP site by the browser

    Because it's possible for http://example.com/ and https://example.com/ to return entirely unrelated documents, treating them the same in every respect is incorrect behavior. This means you have to define to what extent a browser ought to treat them the same.

  24. Re:Not Sure What the HTTPS Hooplah is all about on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    In the past ten years, I've seen exactly two sites that use a client certificate: Kount (e-commerce risk assessment) and StartSSL (a CA). It isn't very common.

  25. What do I #include to write that field? on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) · · Score: 1

    Files need a type (assuming out of bandwidth necessity, a stretch itself given many modern types encode what they are in the beginning of the data itself e.g. jpg) but that should be in another data field of the OS rather than repurposing part of the name.

    How would a portable program specify the content type of its output? The standard library of ISO C provides no way to manipulate "another data field of the OS". Nor does the standard library of ISO C++. Which well-known multi-platform programming language's standard library does?