I.e. the CA, using its public key, which the browser already has.
The CA is one way, but not the best way. You are introducing a whole set of other entities everyone has to trust. Why?
Occam's razor: one must not multiply entities unnecessarily.
To falsify a certificate without the browser telling you, either the CA, the web site, or your machine would have to be compromised.
Who cares about the cert? That's not a major attack vector. Why focus on the attack vectors which aren't a problem in practice? Phishing and spoofing are the low-hanging fruit, and CAs and certs don't help you with this at all. The solution I described above solves all of these problems. All we need is a method of secure introduction to further automate it. Fortunately, that exists too.
But they do not get valid certs for paypal.com. They can only get them for their own domain.
Sure, which might be for paypa1.com. Did you spot the difference on the first read?
Just like any other security mechanism, a cert won't help you if you're not paying attention.
It has nothing to do with 'paying attention'. The interface for verifying certs is absolutely meaningless to anyone without a strong technical background. Users can't verify a cert even if they wanted to. That's a fatal flaw.
Displaying all the identity info, the CA, etc. is useless to most people. In order to verify that they are talking to the site they intended to talk to, the user has to verify the cert's signature via an out of band channel. The signature is the only part of the cert the user actually cares about.
Once it is verified, you can use the petname toolbar for Firefox and assign a label for that cert. Then, whenever Firefox sees that cert, it displays that label, and you know who you're talking to.
That's a properly designed identification system. The current CA-based system is laughably bad by comparison.
At some point you have to trust someone, but with that trust comes liability as well on the part of the trusted party.
Yes, you trust your bank, which is the only entity in this whole scenario with whom you actually have a trust relationship.
At this point it should be obvious what the SSL certificate system provides you with, which is a clear chain of responsibility for breaches in security.
So, who is responsible for a phishing attack using a legitimate cert?
You can say 'the user' all you want, but certs themselves are to blame. They are not a usable authentication tool, despite the claims.
Certs are very poor authentication tokens. Phishing sites get certs all the time. All they need to do is create a similar looking page, with a valid cert, and you're hosed. How does the cert help you authenticate here?
And while you are on your soapbox, what is the alternative? By what other method do you suggest that I prove to my satisfaction that when I go to www.mybank.com.au that I am actually at mybank's website, and that a dns record somewhere hasn't been subverted and I am instead entering my login details to a phishing site made up to look exactly like my bank?
Petname Toolbar.
The first connection to a site must always verify the signature using an out-of-band channel. CAs are one type of out-of-band channel, but not the only type. After the initial verification, the petname toolbar saves the signature with a user-specified label, and displays that label every time you connect to a site with the same signature so you know who you're dealing with. Simple and effective.
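The two-step scheme described in that comment (out-of-band verification on first contact, then a user-chosen label shown whenever the same certificate appears) can be shown in a few dozen lines. This is an added illustration, not code from the Petname Toolbar project; the certificate bytes, hostnames and labels are constructed placeholders, and keying the store on a SHA-256 fingerprint of the certificate rather than on the literal signature field is an assumption of this example. It goes one step beyond the comment by also remembering which fingerprint a hostname was pinned to, so that the same site presenting a different certificate is reported as "changed" rather than merely "unknown".

```python
"""Petname-style certificate pinning: label a certificate once, after
out-of-band verification, then show that label on every later connection
that presents the same certificate.

Added example, not the Petname Toolbar's own code. All certificate bytes
below are constructed stand-ins, not real DER."""
import hashlib
import json
from dataclasses import dataclass, field


def fingerprint(der_cert: bytes) -> str:
    """Identify a certificate by the SHA-256 of its DER encoding
    (assumption: a pinning store keys on the whole certificate)."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class PetnameStore:
    """Maps certificate fingerprints to user-chosen labels (petnames)."""
    labels: dict = field(default_factory=dict)        # fingerprint -> petname
    pinned_hosts: dict = field(default_factory=dict)  # hostname -> fingerprint

    def introduce(self, hostname: str, der_cert: bytes, petname: str,
                  verified_out_of_band: bool) -> str:
        """First contact. A label is attached only after the certificate
        was checked over an out-of-band channel (a CA is one such channel,
        a phone call to the bank is another)."""
        if not verified_out_of_band:
            raise ValueError("refusing to label an unverified certificate")
        fp = fingerprint(der_cert)
        self.labels[fp] = petname
        self.pinned_hosts[hostname] = fp
        return fp

    def on_connect(self, hostname: str, der_cert: bytes) -> dict:
        """Every later connection: what the toolbar would display.
        Only a certificate the user labelled gets a petname; a CA-valid
        but unfamiliar certificate shows none, which is the user's cue."""
        fp = fingerprint(der_cert)
        petname = self.labels.get(fp)
        if petname is not None:
            return {"petname": petname, "status": "known"}
        expected = self.pinned_hosts.get(hostname)
        if expected is not None and expected != fp:
            # Same hostname, different certificate than the one pinned:
            # legitimate rotation or interception, either way worth flagging.
            return {"petname": None, "status": "changed"}
        return {"petname": None, "status": "unknown"}

    def to_json(self) -> str:
        """Persist the store, as a toolbar would across browser sessions."""
        return json.dumps({"labels": self.labels, "hosts": self.pinned_hosts},
                          sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "PetnameStore":
        d = json.loads(data)
        return cls(labels=d["labels"], pinned_hosts=d["hosts"])


# Constructed stand-ins for DER-encoded certificates (not real certs).
BANK_CERT = b"constructed-der: CN=www.mybank.com.au, issuer=Some CA, serial=1"
LOOKALIKE_CERT = b"constructed-der: CN=www.mybank-login.example, issuer=Some CA"
ROTATED_BANK_CERT = b"constructed-der: CN=www.mybank.com.au, issuer=Some CA, serial=2"


def walkthrough() -> list:
    """Run the thread's scenario and return the three toolbar states."""
    store = PetnameStore()
    store.introduce("www.mybank.com.au", BANK_CERT, "My Bank",
                    verified_out_of_band=True)
    store = PetnameStore.from_json(store.to_json())  # survive a restart
    return [
        # The pinned certificate again: the label is shown.
        store.on_connect("www.mybank.com.au", BANK_CERT),
        # A look-alike site with its own valid cert: no label at all.
        store.on_connect("www.mybank-login.example", LOOKALIKE_CERT),
        # The bank's hostname with a different cert: reported as changed.
        store.on_connect("www.mybank.com.au", ROTATED_BANK_CERT),
    ]


if __name__ == "__main__":
    for state in walkthrough():
        print(state)
```

The point the example makes concrete is the one the comment relies on: the label is bound to the certificate, not to the hostname or to CA validity, so a look-alike site with a perfectly valid certificate of its own simply shows no petname.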
General relativity can be derived much more succinctly assuming supporting lemmas. Those lemmas can also be derived in less than 4 pages each.
I've asked "conservatives" about why they think it's OK to imprison people indefinitely without charging or trying them
That's not the mark of a conservative, it's the mark of an idiot.
The only reason to use a language is to benefit from its features. This whole 'marketshare' obsession is simply nonsense.
I find it amusing that you consider a language used on an increasingly more popular desktop platform, and on the most popular mobile device of the past year, effectively "dead". What could possibly be a more relevant criterion for liveness?
Better than C++.
And how do you know this was not a seizure of some sort?
I would say that scripture implies the exact opposite in fact: that God does not and will not touch his creation at all until judgment day. Free will would be fairly meaningless otherwise, as we would no longer be "responsible" for our sins. God made us do it!
You have a concept of authority simply by being born as the mammals we are. It's a small step to "authority over wind and rain", and "authority over sun", or even "ultimate authority", from there.
Hmm, knowledge is based on evidence. You can't claim to know God exists without clear evidence of his existence. You can however, strongly believe he exists, which is a very different thing. Of course, if you do have evidence, I'd sure love to see it!
As it happens, pneumonia has a significantly lower mortality when treated than untreated.
Which you would think people would interpret as God favouring those who get themselves treated. Somehow this reasoning just doesn't occur to people. Odd.
If a scientific discovery comes along that challenges my understanding of the Bible, then I need to figure out how what I understood the Bible to say is different than what God really intended to say.
How do you reconcile the Bible being some version of the truth, with it having been mistranslated and edited many times throughout history, often for political reasons? Do you truly believe "men of the cloth" are or were without bias when they made these edits? That these changes were made in good faith, or that they were divinely inspired somehow?
That is, unless I'm missing something fundamental.
Your description of entanglement is known as a "hidden variable theory" of QM, and exactly what this experiment is trying to refute once and for all. QM really implies that the cat is both alive and dead.
thus enabling the chicken's ancestor to produce the first chicken egg
The chicken's progenitor did not produce a 'chicken egg', by any meaningful definition of 'chicken egg'. So the chicken came first!
First was egg.
Bzzt, wrong.
A stateful protocol wouldn't help at all. Who's maintaining that state? Server-side: hello DoS. Client-side: well that's just a stateless protocol.
HTTP is perfectly fine the way it is. Seamless stateful interaction is a problem for server-side languages/frameworks to handle. Don't blame HTTP for a framework deficiency. There are frameworks that don't have this problem.
Which is perfectly reasonable when there isn't a viable (read: largely compatible) alternative.
What an odd conclusion. To my reading, my comment merely critiqued the poor argumentation in your comment, and made a statement of fact that you are not an authority in these circles given I've never heard of you, with the implication that your lack of fame, given you are trying to achieve such, is related to the quality of your arguments. After all, there is a reason that authorities become so respected. Did I miss the part where I insulted your personal hygiene?
That implies that you should be programming in APL.
You can program in point-free style in OCaml and Haskell, which buys you much of the same succinctness as APL if you really wanted. However, the ultimate point is to have a language that is as expressive as possible while remaining understandable. Java is too verbose on this metric. Ruby is much less verbose, yet still understandable.
You are under the mistaken impression that C is an application language. It is not.
What type of language C is is irrelevant. Fact is, people use C and C++ to develop applications all the time. The majority of free software is written in C.
As for systems languages, Ada is also a system language, and yet is much safer than C in every way. I would not have a problem with writing an application in Ada, despite it being more verbose than C, because it has other redeeming safety qualities, and programs written in Ada are very understandable.
And yet, his arguments are clearly thought out, and have empirical data to back them. Unlike yours. One then wonders why you're not an authority like him. It's truly a mystery.