Adding to the other replies, the copyright statement at the beginning of the source files refers to the 2006-2008 period, so Google has been developing it for about two years. They didn't start coding it this summer.
ACID 3: 78/100
The inspect element tool is awesome; it lets you see the tree and go to any element you can right-click on.
You're probably not familiar with the Firebug add-on for Firefox. Firebug has been doing exactly the same thing for about the past two years, and it's the reason why so many web developers switched to Firefox.
However, I agree with the rest of your analysis, with the exception of the awesome bar, which combines the traditional search and URL input boxes. It saves space and mouse travel and it works fine.
There are some bugs being discovered that Google and the developers of JavaScript libraries will fix, and it will be ready for prime time after that. That said, I won't use it as my primary browser until an Adblock plugin is available.
Is it an application of Ruby on Rails or is it coded in Assembly to be that fast?
Actually Cassini is a joint project between NASA, ESA and ASI, the Italian space agency which contributed the high gain antenna (the big parabolic one you see in Cassini pictures).
Obviously Italy participates in ESA but keeps funding its own agency. The other major European countries do the same.
I think you're right. An attacker would just keep downloading music and video files from torrents to update a database of common hash values and use it for dictionary based attacks.
If one wants to create a really secure hash, he should just use a file containing random data. But isn't it easier to create a random password instead?
So this proposal looked good but it shouldn't have passed the brainstorming phase.
Maybe they're running because SearchSecurity's lawyers are after them. They accused Neowin of having copied their article at http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html See comment #26 in TFA for details.
I don't know where he lives, but everybody knows that he rests in Bari, Italy, and had a Turkish passport: http://en.wikipedia.org/wiki/Saint_Nicholas
Oh well, Turkey wasn't Turkey at the time and we hadn't invented passports yet. That's probably why we can't agree on his nationality :-)
Multicore processing, SOA, and Web 2.0 all contribute to rising software development costs
My experience is that new technologies are letting me produce more complex stuff in a fraction of the time I used to create simpler programs. Maybe I'm just getting better at coding, but my take is that development costs are going down.
Maybe they just want so many new features that technology advances can't keep up with all those requirements.
Agreed, every extra step makes things more difficult for the casual attacker, but the big bad boys will run away with the money before getting caught.
UNLESS you want to do things in-house and take responsibility for distributing the trusted root certificate for your own CA to those that need it. That there is the best option, but most folks don't want to do that and for yourbank.com it would be a big expense to make sure all the customers received this cert in an offline/secure way.
My bank mailed me a SecurID key months ago. They could have also added their own CA certificate, which any attacker could get anyway by simply opening an account with them.
And yes, it's not meant to be flamebait, I just need more coffee this morning and to stop throwing the invectives around...
Nice to see that your score has been upped to 2 and the post changed to Insightful :-)
You're right from a technical point of view (I've read this discussion about SSL and MITM attacks) but my point is that we can't trust CAs in the real world.
The one I'm using had no idea who I was when I bought a certificate from them for my server. They only knew that I was responding to an email address that matches the name of my company, which they had never heard of and probably never will.
Certificates are something we have to buy to let our customers think we care about them, but they have very little value for ensuring the identity of our servers.
Does it guarantee the identity and trustworthiness of the entity? Not absolutely
So again, what's the point with CAs?
As you said, it doesn't guarantee the identity of the remote site. An attacker can buy a certificate for www.yourbank.com (easier if he's an insider and has an @yourbank.com mail address), poison your ISP's DNS cache and redirect your SSL traffic to his site.
I'll trust CAs a bit more when they come to my office to deliver my servers' certificates. They're pretty useless until then.
To the modders: IMHO this thread isn't meant to be flamebait.
Let's do it with alert boxes.
HTTP only: "The communication with this site is insecure because it doesn't encrypt the data you're sending to it. Furthermore there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."
Self-signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. However there is no guarantee that it's owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."
CA-signed HTTPS: "The communication with this site is secure because it encrypts the data you're sending to it. Furthermore [the name of the CA] guarantees that the site is really owned by the organization that it claims to belong to. [checkbox] Don't tell this to me anymore."
However one has to be really naive to believe the guarantee part of the last statement or that CAs are willing to have any legal responsibility for the claims they're issuing with any certificate. Actually that third alert box might be harmful as it perpetuates the delusion that certificates do anything about authentication.
In the end it's not a problem of GUIs but a problem of understanding what certificates are really for.
CAs do very little to ensure that the site you're connecting to is really the one it claims to be. So SSL is almost useless for authentication and trust. It's worth using it only for encryption and self signed certificates are as good for that as the ones you buy with money.
As a webmaster and owner of a site that uses SSL I second the author's proposal and more: let's stop pretending CAs can ensure the identity of the communicating parties, shut them down, save money and use SSL only for encrypting data.
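As an added illustration for the CA discussion above (the "buy a certificate for www.yourbank.com" scenario and the self-signed versus CA-signed cases), here is a throwaway PKI built with the openssl CLI. It is example code written for this page, not anything posted in the thread and not a real CA's procedure. The CA names, the hostnames www.yourbank.com and www.otherbank.com, and the file names are assumptions for the demo. It shows the only two things a TLS client actually checks: that the certificate chains to a root in its trust store, and that the name in the certificate matches the host it asked for. A certificate for the right name from any trusted CA passes both, which is exactly the gap the posts above complain about; a certificate from an untrusted CA or a self-signed one fails the first check even when the name is right.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its posters or from a CA.
# Builds a tiny PKI with openssl and runs the two client-side checks against
# several certificates for www.yourbank.com. All names and paths are demo
# assumptions; the work directory is left in place so the files can be inspected.
set -u

WORK="${TMPDIR:-/tmp}/ca-demo.$$"
mkdir -p "$WORK"
KEY="ec -pkeyopt ec_paramgen_curve:prime256v1"   # P-256 keys: fast to generate

# req_cnf HOST : minimal openssl config so the demo does not depend on the
# system openssl.cnf. ca_ext marks a root, leaf_ext a server cert for HOST.
req_cnf() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$1
EOF
    echo "$WORK/req.cnf"
}

# make_ca NAME CN : self-signed root, the kind of entry a browser trust store holds
make_ca() {
    openssl req -x509 -config "$(req_cnf none)" -extensions ca_ext \
        -newkey $KEY -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_selfsigned NAME HOST : the "self-signed HTTPS" case from the thread
make_selfsigned() {
    openssl req -x509 -config "$(req_cnf "$2")" -extensions leaf_ext \
        -newkey $KEY -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf CA NAME HOST : server certificate for HOST signed by CA
issue_leaf() {
    openssl req -new -config "$(req_cnf "$3")" \
        -newkey $KEY -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$(req_cnf "$3")" -extensions leaf_ext \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_leaf TRUSTFILE CERT HOST : the two checks a client performs, chain to a
# trusted root and name match. Exit status 0 means the client would accept it.
verify_leaf() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

report() {   # report LABEL TRUSTFILE CERT HOST
    if verify_leaf "$2" "$3" "$4"; then echo "ACCEPT  $1"; else echo "REJECT  $1"; fi
}

make_ca trusted_ca "Demo Trusted Root CA"          # in the client's trust store
make_ca rogue_ca   "Demo Rogue CA"                 # not in the trust store
issue_leaf trusted_ca bank     www.yourbank.com    # the legitimate server cert
issue_leaf trusted_ca attacker www.yourbank.com    # same name, same CA: the thread's scenario
issue_leaf rogue_ca   rogue    www.yourbank.com    # right name, untrusted issuer
make_selfsigned self www.yourbank.com

CA="$WORK/trusted_ca.pem"
report "trusted CA, correct name"            "$CA" "$WORK/bank.pem"     www.yourbank.com
report "trusted CA, wrong name"              "$CA" "$WORK/bank.pem"     www.otherbank.com
report "trusted CA, second cert, same name"  "$CA" "$WORK/attacker.pem" www.yourbank.com
report "untrusted CA, correct name"          "$CA" "$WORK/rogue.pem"    www.yourbank.com
report "self-signed, correct name"           "$CA" "$WORK/self.pem"     www.yourbank.com
echo "files left in $WORK"
```

The first and third lines come out as ACCEPT, the rest as REJECT. Nothing in the client distinguishes the bank's own certificate from the attacker's when both were issued by a trusted CA for the same name; the only defence at that layer is what the CA did before issuing, which is the point under dispute in the thread. Remove the demo directory with `rm -rf` when done.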
I agree, this is the "if you're big enough" part of my post.
This also answers the reply of iznogud below.
The FOSS guys say "release early, release often" and maybe Google just did that. I add: if you make a lot of mistakes you learn a lot, but it helps if you're big enough to survive them.
Don't forget .disney
Everybody is going to have to buy a .themselves domain: .apple .microsoft .sun .hp .ibm .facebook .myspace .twitter, just to name a few. The old .com domains will look so old and/or like poor man's URLs.
Extortion indeed, how do I buy shares of ICANN? ;-)
This recent article in Scientific American gives more details: http://www.sciam.com/article.cfm?id=the-color-of-plants-on-other-worlds
Actually, Sun's own codebase plus 4-5% of rewritten code passes Sun's compatibility suite.
TFA is about that 4-5%, which was encumbered by patents (? the article doesn't go into details) and has been rewritten to make the whole JDK free. That should be enough to finally get Debian to include Java in their distributions.
A few weeks ago I saw a tag for an image like http://img.msgtag.com/[path omitted].gif in a message I received. My Thunderbird is configured not to display images anyway, but to be sure that I'm not giving away when and if I read mail, I promptly added this line to my c:\windows\system32\drivers\etc\hosts:
127.0.0.1 img.msgtag.com
Bye bye MsgTag, get out of business soon!
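The post above blocks one known beacon host by hand. The script below, an added example written for this page and not something the poster published, generalises that step: it lists every host that remote `<img>` tags in a saved message would be fetched from and turns them into hosts-file lines of the same form. The sample message is constructed; img.msgtag.com is the host named in the post, the other host and the paths are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: find the hosts that remote image
# tags in a saved message would contact (read-receipt beacons and the like)
# and emit hosts-file lines that sink them to localhost, as the post did by hand.

# beacon_hosts FILE : unique, lower-cased hostnames of http(s) image sources.
# Inline images (cid: URLs) and relative paths are not remote, so they are skipped.
beacon_hosts() {
    grep -oiE "<img[^>]*src=[\"']?https?://[^/\"' >]+" "$1" \
        | sed -E 's#.*://##' | tr 'A-Z' 'a-z' | sort -u
}

# hosts_block FILE : one "127.0.0.1 host" line per beacon host, the same form
# as the entry in the post.
hosts_block() {
    beacon_hosts "$1" | sed 's/^/127.0.0.1 /'
}

# Constructed sample message: the msgtag host is from the post, the rest is invented.
SAMPLE="${TMPDIR:-/tmp}/beacon-sample.$$"
cat > "$SAMPLE" <<'EOF'
<html><body>
<p>Hi, just checking you got this.</p>
<img src="http://img.msgtag.com/[path omitted].gif" width="1" height="1">
<IMG SRC='https://Track.Example.net/open?id=1234' alt="">
<img src="cid:inline-logo@local">
</body></html>
EOF

hosts_block "$SAMPLE"
```

Append the output to the hosts file to block those hosts system-wide; it does nothing for images that are fetched by a web mail client in the browser on another machine, and a sender can use a fresh host per message, so a mail client that simply does not load remote content, as the post's Thunderbird setting does, remains the stronger control.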
...and it's hard to chat with no keyboard.
Exactly, especially because many people don't like voice chat, for example when they can't speak in their native language. In my case I can read English well and write a pretty understandable version of it (well, hopefully - you be the judge), but sometimes I miss words on TV and things get worse when I have to speak and quickly understand lots of different people.
Finally, even native speakers may find the tone of their voice inadequate or may not want to give away their age or gender by speaking. I heard stories about charismatic MMOG team leaders who lost all their credibility when somebody discovered them to be 12-year-old boys or so. Actually, this proves that the adult team members were fools caring more about their pride than about the skills of the leader, but also that the pre-teen leader had good reasons to hide behind a textual chat.
The engineers started with a truck and made it lighter and marginally better at handling so I can't understand how SUVs aren't a step in the right direction.
Please, moderate as funny
Oh, do you mean SUVs are cars?
If someone has physical access to my PC... all my data are belong to her/him anyway. These companies should scrap all this kind of biometric software development and invest in hard disk encryption. The fingerprint reader in my notebook is great to impress my friends, but it's one of its weakest points. Another one used to be the FireWire port, but I disabled it.
I have no use for a phone without a contract with a carrier, but I've got a lot of things to do with a subnotebook with no add-on services attached. Basically everything I've been doing with a PC in the last 20 years or so.
A subnotebook is not a notebook, but it's not a phone either. Businesses will try to attach services to them, but I don't think it will be impossible to find a bare subnotebook. Well, if a subnotebook with a two-year HSDPA contract costs as much as one without, I'll get it, but I won't if I have to pay more.
Actually I like Perl and keep using it for small to medium size text processing scripts. I've been using Ruby and Rails for web apps since I discovered that I can create one in 4-5 times less time than in Java (and no, I don't dare write anything big in Perl).
I'm still concerned about RoR's performance and scalability but things are slowly getting better and my Rails apps in production are not subject to big workloads. The faster development cycle means more projects per year and more money in the pockets.
The Java world has plenty of MVC frameworks. Struts and Spring are the first two that come to my mind. Sun itself recommends MVC as a design pattern for J2EE applications. http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/web-tier/web-tier5.html
So, if it's good for just about everybody in Java, why should it be poor for Ruby? Granted, what's good for everybody might be a poor-but-well-marketed product, but I've developed many MVC web applications and always liked it.
What other design patterns do you use for web applications?