What you say is true, there are certainly sites out there that really want to get round any measures a user puts in place to block certain behaviour, but if a site is doing stuff like that, would you really trust them to conform with legislation anyway?
If legislation is in place, and a site blatantly misbehaves in such a way, this is actionable. At least the bigger sites (such as facebook) would have to comply.
From my personal experience, the types of sites that exhibit this kind of behaviour are typically not high on my trust list.
But sometimes, it may be a site whose service you absolutely need, such as directory look up... we have the case here in Luxembourg where one directory lookup service pulls such a shenanigan. Fortunately, there is a competitor. But what if the competitor starts behaving in the same way?
And ironically enough, luxtrust.lu, the national Luxembourgish certification agency, pulls the opacity: 0 stunt... an entity that we have to trust...
Very often though, such things happen due to contractors. An organization contracts out webdesign to a third party firm, which cares more about looks and their own ego than about functionality or their customer's mission, and then such mishaps happen. And when the customer's users bring this to their attention, the contract and warranty period with the web design company has run out, and there is no budget planned to fix the mess, so it stays like that for ages...
Javascript and Flash can easily be disabled via your browser's settings, just as cookies can, which makes this law kind of pointless.
... and some sites are actually quite good at annoying people who do just that. One trick is to set up a meta http-equiv redirect to a nag page which kicks in if there is no javascript. Or the main content block's display property to none in CSS, and set to something sensible by javascript. Or same idea but with opacity: 0. Or links that point back to page itself (<a href="#"> ) rather than to the subpage they are supposed to point to. Fortunately, sites doing such nonsense are a minority, but they do exist.
Back when Flash was the rage, one popular annoyance was flash intros which couldn't be skipped. So, if you had flash disabled, you were stuck on an empty page without a link to move on.
Having a law against needless javascript or flash would also stop such shenanigans.
All this legislation does is force EU organisations (so no effect on anything outside of EU) to replicate the aforementioned browser cookie blocking functionality but using a method of trust instead of an explicit user setting tightly under a user's control.
No, it also forces organizations not to put any shenanigans into their pages which are meant to annoy users who prefer to surf without cookies, javascript or flash.
If users have privacy concerns regarding use of cookies, the only sane way to handle that is for users to take control themselves by disabling use of cookies in their browser settings and then whitelisting sites on a per site basis. We've had that capability since the introduction of cookies.
Then you have problems with sites that detect the absence of cookies, and redirect you to a nag page if you don't have any.
The most important difference is that said cop probably would not (unless he was especially unwitting) give you actionable intelligence as a result of your inquiry.
Could be on a tour of the police facilities, and some of the visitors asking the question. And the policeman who plays guide just wanting to be pleasant to his group...
Some dodgy questions also come up when visiting nuclear power stations, and in general the guide doesn't make a fuss over it. A terrorist is not going to participate in a tour to find out what size of plane he needs to smash the containment of the reactor building, there are more discreet ways to find out. But a lot of concerned citizens might ask that kind of question.
Conspiracy to commit is difficult when there's no crime either.
And moreover, conspiracy takes at least two willing conspirators. I doubt that google could be considered to be a co-conspirator... It's not a person, and even if it was, it didn't intentionally help in planning the crime.
Usually a site either has a horizontal scrollbar (if the web designer thought everybody had a screen as large as his), or horse blinkers (if the web designer thought everybody had a screen as small as his, or was just envious of those people who enjoy a larger screen).
This guy here somehow has managed the feat to have both... and then has the gall to pontificate about usability!
Oh how about this political attack - I predict the key used for all Chinese military cyberwarfare will be the Lenovo key.
Another "fun" thing to think about - what happens during bankruptcy, purchasing, downsizing, etc? Who owns Gateway now, or rephrased, who owns Gateway's key? If you want a legit key, the best way might be to legit buy it.
Just a small note: the key belongs to the OS, not the hardware. The hardware just checks the OS key, but isn't signed itself.
So, you couldn't usurp the key of a failed (or nationalized) PC maker. You'd have to use the key of a failed OS instead.
There are attacks other than mathematical or algorithmic. What do you want to bet that Microsoft's key management infrastructure is lacking, and is accessible to temps and students who only stay there for 6 months? Somebody is going to sneak away the key on a USB stick, and release it into the wild after they have long left Microsoft. And on which one of the thousands of students who passed by during that time will they pin the blame?
Though when you need closer to a full system, there are other options at the $200 price range, mini/micro-itx etc. Though larger than a Pi or BeagleBoard, you'll get more power, flexibility and compatibility.
If you're prepared to spend $200, you can have a gumstick or some cotton candy, both of which are not bigger than a USB stick, much smaller than a raspberry pie.
The company proxy wouldn't know the difference between a high-end verified cert and a cheap anonymously purchased cert.
This is not the subject here. The subject is making sure that there isn't another entity also spying on the communication.
A certificate doesn't certify that you are a good person, it merely certifies that you are who you claim you are (just like an id card, really...)
Just like the company itself: even if they paid good money for their high-end security product which allows them to intercept SSL, what they're doing is still spying...
No... the shitstorm would be epic. Even better, they could claim they're using RIAA and MPAA IP addresses and get those guys to block themselves. Reminds me of the first Hackers movie...
Except the MAFIAA don't really care about their own websites. That's not how they make money or wield their influence.
My https://www.google.com/ [google.com] seems to be signed by Thawte Consulting (Pty) Ltd.
Is that who it should be signed by?
Check the fingerprint instead... If your employer has installed rogue root keys on your PC, he could theoretically create fake CA certificates as well. It would say Thawte, but not be the real Thawte...
One question: if some employers are actually doing this, how does their system react if there is another man in the middle in the chain:
Employee ----> EmployerMITM ---> internet router ---> AnotherMITM ---> bank
Would the EmployerMITM at least notice that the bank's certificate is off, and block the connection, or would it just seamlessly let it through?
If the former, expect trouble when connecting to your hobbyist site whose key you usually check by fingerprint (you can no longer access it...)
If the latter, expect undetected wiretapping by third parties other than your employer when communicating with banks or e-commerce sites.
How do such proxies usually handle this situation?
More like a bizarre joke/parody, trying to mock this MyCleanPC product...
It's actually funny, in a sick and twisted way. But indeed it doesn't need to be reposted hundreds of times. Now it's just like all the other bizarre Slashdot trolls and memes...
People have on occasion driven down ferry access roads, and plunged into the water because the ferry was mislabeled as a bridge... (I remember such an incident occurred in Germany years ago. Darkness and poor signage helped, obviously...)
I saw that one coming... that's why I added "even if it was, it didn't intentionally help in planning the crime"...
Let's be real, once implemented, only retards would use google without tor or whatever to do searches.
or just use bing instead...
To put things in perspective, the law mandates that video rental records be private.
And the only reason for this is because once upon a time, a video rental store leaked the rental history of some influential judge...
I wish I had modpoints...
Congratulations!
by doing 'stupid' things while flying, but ...
Humans do stupid stuff while flying too, it's called "the mile high club"... or do you really believe that only passengers join "the club"?
In 773 at the start of the Islamic Golden Age, ...
So it was obviously the first ever dirty bomb... Damn terrorists!
Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.
But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...
So, now they went back to using generic tools and libraries. Full circle!
But wouldn't that depend on the bitcoin exchange rate... which varied quite a bit during the last couple of months...
That's German, not Klingon.
How does one opt out of cookies without using a cookie to remember it?
Using Etags...
When can we have the same for needless javascript? And for flash?
A quick google showed that this is indeed the chip, but the claims are "slightly" overblown.