Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer.
In the case of face-to-face instruction, a key signing party at freshman orientation is practical. But in the case of an online university, how would trusted introduction be accomplished?
So, it really would be a good test for whether or not someone is ready to graduate middle school.
Now you mention that you meant middle school, not college. In the case of middle school, how would a student with underprivileged parents afford a computer and Internet access in the first place with which to complete and submit homework? I don't see how it would be practical to expect every student to work to afford his or her own computer, as the child labor laws of the several U.S. states tend to prohibit any sort of non-farm employment until age 14, and most entry-level employers include in the job description at least one duty that states prohibit until 16.
[Early notices about navigating to an HTTPS site] implied that it's secure in that you aren't going to get phished, have content tampered, etc.
I seem to remember the notices being phrased to the effect "Information you submit cannot be seen or changed by others while in transit". That covers the case of tampering and MITM phishing but not typosquat phishing.
The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.
Under your proposal, how would it be practical for an individual writer to sell subscriptions to read her writing on her website? Or would you prefer that all subscriptions go through a single point of failure such as Patreon?
I guess it depends on how you define "the site it claims to be". If you write "snadze" in Cyrillic,* it'll resemble "chase" except that the "h" will be a small capital. The Punycode form of this name part is xn--80akwp6h. If you then go register xn--80akwp6h.com, you then prove to a domain-validating certificate authority that you own xn--80akwp6h.com, which a browser will display as "{snadze}.com" except with the actual Cyrillic letters. At this point, you can fool people who don't check the URL bar very closely into thinking they're on JPMorgan Chase N.A.'s website when they're not.
Or even staying inside Latin script: "bankofarnerica" isn't Bank of America.
A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business
I see three different levels of assurance.
1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band. 2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name. 3. An organization-validated certificate assures the above plus the identity of the owner of the domain name for tax purposes. It says nothing about the business practices of this owner, other than that it happens not to be organized as a sole proprietorship.
If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser
I think it has something to do with a misconception of what "their job" means. Let's Encrypt, SSLS.com, and other CAs specializing in "domain validation" think the job of a TLS certificate authority is to ensure that only the entity that controls a hostname can act as that hostname. The "organization validation" camp, which includes the "Extended Validation" camp, thinks a certificate also ought to identify the real-world business behind a particular hostname. They use as an example bankofarnerica.com belonging to someone other than Bank of America Corporation.
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.
Sincerely boycotting Comcast may require tough choices:
- Changing your purpose to match what DSL is suitable for - Changing your location to another city where the incumbent high-speed high-volume home Internet provider happens to be a company other than Comcast
"For a particular subscriber's monthly data transfer volume, the LTE providers are even more expensive than Comcast." Would this phrasing be more honest?
if Sony charged a high licensing fee, that'd be reflected in the price of their games, which would drive people to buy Xbox Ones.
Sony can get away with it for current PS4 owners by setting its fee just high enough that the difference in fees over the course of owning a PlayStation 4 is less than the cost of the Xbox One hardware.
When grocery stores take higher cuts, that's reflected in the prices of the items sold in their store, which drives people to competing grocery stores.
In John Steinbeck's The Grapes of Wrath, suggestions to shop at other than the company's convenience store are routinely shot down with "Gallon a gas."
Likewise, if Apple is taking too large of a cut with iOS apps, there's really nothing substantiative stopping consumers from jumping ship to its thriving competitor: Android.
There's a bit of a difference here. It's common to own and regularly use more than one competing console but not more than one competing smartphone. Switching means you lose access to movies purchased from iTunes Store, books purchased from iTunes Store, and applications purchased from the App Store.
the vast majority of productivity apps either require no data migration or have a documented process for easily doing so
Iphone app store (obviously!) cannot be a monopoly, because Iphone is not the only smartphone brand/device!
Apple's App Store is the only store that sells apps that play on the same device as movies and books purchased before Google Play Store existed. Or is it better to have to carry two devices: one for your old purchased movies, books, and apps, and one for your new purchased apps?
Apple (as a private company)
Since when? What sort of equity firms would even be capable of taking AAPL off Nasdaq?
Only Sony can manufacture discs for PlayStation consoles. Only Microsoft can manufacture discs for Xbox consoles. Only Nintendo can manufacture cartridges for Nintendo Switch consoles and Nintendo 3DS handhelds. The console maker can choose to approve each title for a physical release or not and for a paid download release or not. And based on console makers' behavior over the past two and a half console generations, I'm under the impression that console makers are more likely to approve a lower-budget game for a paid download release than for a physical release.
Precedent is only binding in the circuit court in which the precedent was set.
Even so, the line of reasoning underlying a particular decision can prove persuasive in other circuits, if only because a court of appeals doesn't want to have egg on face from its decisions getting overturned.
Only the larger games get a physical release. Any console game whose scope is not big enough for a physical release is stuck on the console maker's paid download store.
It's not a monopoly. It's a duopoly. And it's fairly simple for customers to switch.
When Android came out, the iTunes Store was still using single-vendor digital restrictions management (DRM) on purchased music. It didn't stop that practice until sometime in 2009, meaning users would lose their music when switching to early Android phones. Even in 2018, the iTunes Store and App Store uses single-vendor DRM on purchased movies, purchased books, and purchased apps. Switching would require purchasing access to the same works all over again, provided each work's publisher offers that work on Google Play Store at all.
But calling Apple a monopoly simply for providing the protected app store and mandating that for warranty service is like calling GM a monopoly because they put tires on the cars at the factory and recommend safe sizes.
First, "safe sizes" still allow buying third-party tires meeting GM's spec. Second, in the case of cars, the Magnuson-Moss Warranty Act applies.
Slashdot Mirror
Oh, and to do the work they also have to receive an encrypted email too, so they basically have to have a key exchange with the instructor, unless they know someone who has already done that and instead, use a trusted introducer.
In the case of face-to-face instruction, a key signing party at freshman orientation is practical. But in the case of an online university, how would trusted introduction be accomplished?
So, it really would be a good test for whether or not someone is ready to graduate middle school.
Now you mention that you meant middle school, not college. In the case of middle school, how would a student with underprivileged parents afford a computer and Internet access in the first place with which to complete and submit homework? I don't see how it would be practical to expect every student to work to afford his or her own computer, as the child labor laws of the several U.S. states tend to prohibit any sort of non-farm employment until age 14, and most entry-level employers include in the job description at least one duty that states prohibit until 16.
Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.
Several JavaScript APIs are restricted to secure contexts only, even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.
[Early notices about navigating to an HTTPS site] implied that it's secure in that you aren't going to get phished, have content tampered, etc.
I seem to remember the notices being phrased to the effect "Information you submit cannot be seen or changed by others while in transit". That covers the case of tampering and MITM phishing but not typosquat phishing.
The difference is that the warning for a site with a certificate from an unknown issuer is displayed as an interstitial, whereas the warning for a cleartext site is not. This makes it less practical for someone who doesn't own a domain to run HTTPS on a server on the home LAN, such as a router, printer, or NAS.
to another city where the incumbent high-speed high-volume home Internet provider happens to be a company other than Comcast
Moving? Really?
Yes really, according to these users. But not everyone feels moving for better Internet is practical, such as these users.
Under your proposal, how would it be practical for an individual writer to sell subscriptions to read her writing on her website? Or would you prefer that all subscriptions go through a single point of failure such as Patreon?
The site REALLY IS the site it claims to be
I guess it depends on how you define "the site it claims to be". If you write "snadze" in Cyrillic,* it'll resemble "chase" except that the "h" will be a small capital. The Punycode form of this name part is xn--80akwp6h. If you then go register xn--80akwp6h.com , you then prove to a domain-validating certificate authority that you own xn--80akwp6h.com, which a browser will display as "{snadze}.com" except with the actual Cyrillic letters. At this point, you can fool people who don't check the URL bar very closely into thinking they're on JPMorgan Chase N.A.'s website when they're not.
Or even staying inside Latin script: "bankofarnerica" isn't Bank of America.
* The letter dze comes from Macedonian Cyrillic. I can't show the real name because anti-vandalism measures implemented on Slashdot after the "(5:erocS)" incident disabled Cyrillic.
Some of these CAs have been caught giving out certs to non-owners of websites and when those CAs are big enough they won't get removed from the list.
You mean like WoSign and Symantec, whose roots browser publishers have phased out?
A self Signed Cert will offer the same level of encryption (sometimes more, because the Cert Authorities may pay more for automatically generating more bits). The original value of these Cert Authorities was so we would be sure that the site we went to was an authentic business
I see three different levels of assurance.
1. A self-signed certificate assures to a repeat visitor that the operator of this server now is the same as the operator of this server on the previous visit. It says nothing to a first-time visitor unless the site provides a means to verify the key fingerprint out of band.
2. A domain-validated certificate assures the above plus that the operator of this server controls its domain name. It says nothing about the identity of the owner of the domain name.
3. An organization-validated certificate assures the above plus the identity of the owner of the domain name for tax purposes. It says nothing about the business practices of this owner, other than that it happens not to be organized as a sole proprietorship.
It is easy to tell a site that may have problems. Just hit the refresh button over and over and you maybe get a 500 error.
That might be on purpose, as a means of conserving resources for legitimate visitors in the face of a denial of service attack.
Using something other than .NET or Java indicates something may not be right.
Yet you're posting on a site that "may not be right". Slashdot is written in Perl, and Wikipedia is written in PHP.
If issuer is obviously not doing their job properly prior to issuing the certificate, then their certificates should not be trusted by the OS and the browser
I think it has something to do with a misconception of what "their job" means. Let's Encrypt, SSLS.com, and other CAs specializing in "domain validation" think the job of a TLS certificate authority is to ensure that only the entity that controls a hostname can act as that hostname. The "organization validation" camp, which includes the "Extended Validation" camp, thinks a certificate also ought to identify the real-world business behind a particular hostname. They use as an example bankofarnerica.com belonging to someone other than Bank of America Corporation.
I run a site that provides 100% publicly available information in a totally read-only / user agnostic manner. There are no accounts, no sessions, etc. Just the display of information. I had to switch to HTTPS because of uninformed users thinking something was wrong with my site because of browser warnings.
In the case of a static website, the primary reason for HTTPS is to ensure that your viewers' ISPs cannot falsify the "100% publicly available information" on its way from your server to the browser. Xfinity by Comcast has been caught inserting ads into HTML documents transmitted through cleartext HTTP on multiple occasions.
Sincerely boycotting Comcast may require tough choices:
- Changing your purpose to match what DSL is suitable for
- Changing your location to another city where the incumbent high-speed high-volume home Internet provider happens to be a company other than Comcast
"For a particular subscriber's monthly data transfer volume, the LTE providers are even more expensive than Comcast." Would this phrasing be more honest?
If vendors don't want to sell to bots, they can use CAPTCHAs
And get sued by advocacy organizations for the blind and hard of sight.
The annual developer fee is very very very low
Except for developers who happen to have been born in a country whose currency won't buy a lot of United States dollars.
if Sony charged a high licensing fee, that'd be reflected in the price of their games, which would drive people to buy Xbox Ones.
Sony can get away with it for current PS4 owners by setting its fee just high enough that the difference in fees over the course of owning a PlayStation 4 is less than the cost of the Xbox One hardware.
When grocery stores take higher cuts, that's reflected in the prices of the items sold in their store, which drives people to competing grocery stores.
In John Steinbeck's The Grapes of Wrath, suggestions to shop at other than the company's convenience store are routinely shot down with "Gallon a gas."
Likewise, if Apple is taking too large of a cut with iOS apps, there's really nothing substantiative stopping consumers from jumping ship to its thriving competitor: Android.
There's a bit of a difference here. It's common to own and regularly use more than one competing console but not more than one competing smartphone. Switching means you lose access to movies purchased from iTunes Store, books purchased from iTunes Store, and applications purchased from the App Store.
the vast majority of productivity apps either require no data migration or have a documented process for easily doing so
Productivity apps.
Iphone app store (obviously!) cannot be a monopoly, because Iphone is not the only smartphone brand/device!
Apple's App Store is the only store that sells apps that play on the same device as movies and books purchased before Google Play Store existed. Or is it better to have to carry two devices: one for your old purchased movies, books, and apps, and one for your new purchased apps?
Apple (as a private company)
Since when? What sort of equity firms would even be capable of taking AAPL off Nasdaq?
Only Sony can manufacture discs for PlayStation consoles. Only Microsoft can manufacture discs for Xbox consoles. Only Nintendo can manufacture cartridges for Nintendo Switch consoles and Nintendo 3DS handhelds. The console maker can choose to approve each title for a physical release or not and for a paid download release or not. And based on console makers' behavior over the past two and a half console generations, I'm under the impression that console makers are more likely to approve a lower-budget game for a paid download release than for a physical release.
Precedent is only binding in the circuit court in which the precedent was set.
Even so, the line of reasoning underlying a particular decision can prove persuasive in other circuits, if only because a court of appeals doesn't want to have egg on face from its decisions getting overturned.
How does one manufacture a working PlayStation 4 game disc to sell "at Walmart, on Amazon, GameStop" without going through Sony?
Video games can still be purchased from retailers
Only the larger games get a physical release. Any console game whose scope is not big enough for a physical release is stuck on the console maker's paid download store.
Yes. Nintendo in fact got sued by American Video Entertainment over Nintendo's use of lockout on the Nintendo Entertainment System.
It's not a monopoly. It's a duopoly. And it's fairly simple for customers to switch.
When Android came out, the iTunes Store was still using single-vendor digital restrictions management (DRM) on purchased music. It didn't stop that practice until sometime in 2009, meaning users would lose their music when switching to early Android phones. Even in 2018, the iTunes Store and App Store uses single-vendor DRM on purchased movies, purchased books, and purchased apps. Switching would require purchasing access to the same works all over again, provided each work's publisher offers that work on Google Play Store at all.
But calling Apple a monopoly simply for providing the protected app store and mandating that for warranty service is like calling GM a monopoly because they put tires on the cars at the factory and recommend safe sizes.
First, "safe sizes" still allow buying third-party tires meeting GM's spec. Second, in the case of cars, the Magnuson-Moss Warranty Act applies.