my first, and only advice to you, a graduate student, is this :
learn to speak in proper, civil manner before you rant about ANYthing, if you want to be taken seriously and get your opinion respected on the face of this planet.
there. if i should put in a manner you would be able to understand : now you can shove your flaming and ranting wherever you see fit.
in order to put ssl certificates to a small farm of servers or some number of vpsesyou are using, you need to buy a wildcard ssl. do you know the wildcard ssl prices ?
nothing in the world on, or off the net is guaranteed.
its all about making it HARDER to be put in the place of a victim.
and its not only about government either. one rather eavesdrop a website's connection and get the personal details of thousands of users, than try to hijack 1-2 self signed ssl connections. personal data would fetch much more higher price on the black market.
no. im not delusional. you are careless and uninformed.
Secondly, if a person don't understand this is just a warning and he can bypass it if he trust the site to be safe, I wouldn't let him go without warnings. It may restrain his access for one or two site, but he would be safer until he know better.
'one or two site' per billion makes millions of websites.
and there is no 'until they know better' for majority on the web. their knowledge of technical matters related to web will stay the same regardless of what is shoved, pushed in their faces.
what kind of thing are you smoking ? or what kind of reasoning is this ?
its too long a talk to 'demonstrate' these to you, who is someone apparently very uninformed about web communities, shared hosting, privacy issues, and what pricing do the ssl certificate providers ask, for wildcard ssls that many small businesses may need. the web is not only about security, its also about privacy, as it is much more than single standing websites.
you NEED encryption to provide better security (through encryption), and most importantly, PRIVACY, to your community users, clients, vpn users, whatnot.
especially in an age that almost every government has started snooping and eavesdropping internet connections.
Find five. There's nothing disastrous in that message. The icon doesn't even have a red exclamation point. It states quite clearly what's gone wrong and offers the option to get past that. If a small business needs to self-sign their certs then a little education of their users prior to switching over to the SSL channel would quickly remove any reservations they might have about proceeding.
that is to you. a registered slashdot user, who is probably working in an i.t. related field, or geeky enough.
i hate to break it to you pal, but we dont constitute the majority on the web. we are at best a noticeable minority. web is comprised of billions of internet users that cant tell firefox from ie, leave aside recognizing that 'there is nothing wrong' with that message.
to average web user, that warning would mean 'youre being screwed, run away from this website asap', REGARDLESS of what technicalities the contents of the warning says. they wont understand a zit about those technicalities anyway.
letting go HALF of privacy and security, just to ensure that the other half, the verifying identity part is stronger ?
what kind of logic is this ?
1. create your own CA and tell your customers to import the CA by clicking here (before putting them in ssl mode). It's really not much trouble to set up your own CA.
first, you are not in communication with potential customers, and they will never communicate with you and become a customer after they see that horrible ff3 warning. you wont even get a chance to tell them what is going on.
second, same goes for many potential website users that are signing up for a community.
additionally godaddy is one of the shittiest service providers on the web. so if the solution you are offering is godaddy, please, keep it to yourself, and even firefox3 too.
precisely so. and i think that is our biggest problem as of now, since many countries from turkey to and even sweden, leave aside usa, has started monitoring everything that passes their countries' networks.
also do not forget that increasing privacy violation, deep packet inspections, surveillance and snooping is a MAJOR problem in every part of the world as of now.
ssl encryption provides the people with increased privacy, and makes it a tad harder for governments trying to peep on people.
yet, with this self righteous ssl cert move, firefox 3 is actually going to DETER the usage of self signed certs, and make it easier for governments or any interested party to snoop on many web users.
It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it to much.
there close to a billion people on the net that wouldnt tell what to do when faced with such a disastrous looking warning as ff 3 prints out when met with a self signed ca.
also there are equally many people that would rather skip visiting/subscribing to a site when they see the hassle ff3 puts out.
therefore many small service providers, businesses, communities that would not afford a decent certificate will be hurt in all respects, not to mention many users.
excuse me, but this is a very stupid, self righteous and jacobin move.
that is the EXACT kind of thing slashdot criticizes almost EVERY government, country, organization, corporation for, yet, you people are actually applauding it in this case.
EVERYthing on the web is susceptible to various attacks. yet, we are not mandating anyone to pay to some 3rd party source for a 'fix' in any of them. yet, it is the case of ff3 and the self signed certs. how come ?
so you people are basically arguing that because there can be man in the middle attacks, we should be forcing EVERYONE into the lap of verisign ?
This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.
'security professionals' do not build the web, or do they constitute the market, or the people.
there are a LOT of community websites (that cater to thousands of people, the smallest one), small businesses, their customers, vpn users, a lot of people that are going to be hurt by this overly self righteous move.
it is easy to be indignant and force stuff upon people, saying 'it is the right thing', while working on an open source project part time, from a secure, corporate level information technology job.
one thinks it seems right for you, and therefore it is probably right for others. of course, all the while clueless about how many people, businesses, organizations and communities use self signed certs throughout the web, just because their isolated position.
its basically letting go of half of the security for improving the other half.
lets see, what are proponents of this are saying ? they are arguing "ssl is not just about encryption, its also about knowing that you can trust the source"
well, thats basically an entirely stupid approach, when you consider that a LOT of websites who are now using self signed certificates will be just removing ssl encryption rather than pay yearly fees to a 'certified' vendor or annoy their users with the HORRIBLE 'youre being hacked !' style ssl warning in ff3.
what happens ? basically you will have let half of the security go while improving the other half. net gain ? zero.
"we are programmers and developers, and as a community we think this is the right thing to do" - this does NOT fly. public accepts what they like, they refuse what they dont. this is as simple as that, REGARDLESS OF what they accept or refuse may be good, or bad.
it is utterly stupid to go overly jacobin and enforce something on people 'for improving the security on the web', in an open source project that is made by people FOR the people.
a lot of websites, service owners, businesses using vpn and their clients and their users are going to experience hell lot of problems due to this extreme self righteousness forced upon them, if they go for firefox 3.
to be honest, despite im fighting for free and open internet, linux, open source by the means available to me as much as i can, i will be advising friends and clients to stay away from ff3 because of that certificate issue.
if you think free software has usability, you have problems identifying and finding good software. you need to fix yourself.
i use a lot of free software that has very good usability. there is nothing different in selecting free software than selecting paid software - buyer beware.
thats the very thing im trying to tell a lot of 'invisible hand strokes all' fairy tale conservatives here all along. this guy just put it in a VERY short and neat form.
i would like to remind you that hillary clinton has remained as poisonous as any poison ivy can be, until 2008, and probably still remains as such. so your argument is invalid. just because someone is getting out of office, does not mean that they wont be able to influence things.
verly-obedient populace resulting from excessive media control and from everyone being too in-debt and thus too over-worked to invest time in their own government. Secondly, violation of the "design and philosophy" of the system by governing parties that has gone unpunished.
all leads to corporationism and what corporations do to united states.
a total bastardization of capitalism, corporations control the daily lives of citizens in indirect ways. because much of profit is garnered by the corporation, the citizens are paid minimum that is possible for every level. distribution of wealth therefore is horribly bad. 'competitive free market' cant fix it either, because, inevitably, after a certain treshold, corporations become SO big that the country cant risk going against those corporations for fear of economic instability and crisis. and reinforcing the cycle, corporations can also buy laws from 'sponsored' lawmakers for their own benefit. add the media that is under control of the few big corporations to this equaation, and you have your problem.
excuse me, but all these point to the fact that u.s. system of government is broken. stuff seemed to be working 1776-1950, because globalization had not arrived by then yet, and there werent many huge megacorporations that had economies greater than many countries. (as of now around 20 corporations are in the list of world's biggest 100 economic powers, leaving many countries behind). the world have not seen so big economic power resting in chunks concentrated in private sector, and did not have anything to mitigate the damage they would cause.
and here we are today. lawmakers are putting out laws that benefit a few corporations without any fear of reprisal from their constituents. they are just shelling out the ages old "it will provide jobs" excuse, and everyone falls for it.
little they realize that, in its current form, 'job' basically means indentured servitude of the 21st century kind. long hours of work, diminishing benefits, decreasing pay and job security. all the while reinforcing the cycle.
lobbyists are not petitioning the government as 'citizens'. they are petitioning as representatives of holders of big cash. and they are sponsoring representatives to sponsor laws for their own benefit.
if the country prioritizes its corporations' profits more than it prioritizes its citizens, its citizens prioritize their selfish agendas more than they value their education.
musicians dont get ZIT out of the records they sell. the amount per cd/song they get is SO pathetic that it is negligible. the record companies force them to go on concert tours to earn the millions they are earning. this is a self reinforcing slavery cycle. even if you're a top band, your record earns the record co countless millions, but you are forced to go over lengthy concerts in which you will at most accrue $1-2 m after going through countless countries and 5 to 10 concerts.
excuse me, but musicians arent getting shit out of this deal, and im not going to pay a record company $20 bucks an album, whereas the musician gets only a few cents out of it.
it doesnt make sense.
previously it was hard to distribute a creative material. you had to record it to tapes distribute to stores, advertise it, sell it. now there is internet. now there are cds that cost 0.01 per. storage and distribution is much easier. (compare the space that is required by a casette tape to a cd and how much you can squeeze into a transport). the cost of distribution have taken a dive, and profit margins rose. but we are STILL paying same bucks per album like 20 years ago. WHAT is the deal here ?
let me tell you the deal. record companies are making huge profit margins now distribution costs are down, and they are enjoying it TOO much that they are resorting to malpractice, racketeering, bribery and public enemy methods to preserve it. thats NOT a competitive practice, and it has NO place in a market that is supposed to be free.
no.
im not paying ZIT to a record company until things are set right. if they see in themselves the right to be bitches, well, i can play that game too.
a lot of people here have the balls to defend ideas that are against overreaching patent/copyright malpractice and mishaps, even at times at the cost of getting sued.
but you dont have the balls to post something with your own username, despite it is certain that noone is going to sue you, bash you in the head or steal your panties ?
i didnt read any further than 'fuck you'.
my first, and only advice to you, a graduate student, is this :
learn to speak in proper, civil manner before you rant about ANYthing, if you want to be taken seriously and get your opinion respected on the face of this planet.
there. if i should put in a manner you would be able to understand : now you can shove your flaming and ranting wherever you see fit.
SMALL service provider.
in order to put ssl certificates to a small farm of servers or some number of vpsesyou are using, you need to buy a wildcard ssl. do you know the wildcard ssl prices ?
you dont.
nothing in the world on, or off the net is guaranteed.
its all about making it HARDER to be put in the place of a victim.
and its not only about government either. one rather eavesdrop a website's connection and get the personal details of thousands of users, than try to hijack 1-2 self signed ssl connections. personal data would fetch much more higher price on the black market.
no. im not delusional. you are careless and uninformed.
Secondly, if a person don't understand this is just a warning and he can bypass it if he trust the site to be safe, I wouldn't let him go without warnings. It may restrain his access for one or two site, but he would be safer until he know better.
'one or two site' per billion makes millions of websites.
and there is no 'until they know better' for majority on the web. their knowledge of technical matters related to web will stay the same regardless of what is shoved, pushed in their faces.
what kind of thing are you smoking ? or what kind of reasoning is this ?
ff2 warning was just a commonplace warning. not 'YOURE GETTING HACKED !!' style overly alarming one like the ff3.
its too long a talk to 'demonstrate' these to you, who is someone apparently very uninformed about web communities, shared hosting, privacy issues, and what pricing do the ssl certificate providers ask, for wildcard ssls that many small businesses may need. the web is not only about security, its also about privacy, as it is much more than single standing websites.
you NEED encryption to provide better security (through encryption), and most importantly, PRIVACY, to your community users, clients, vpn users, whatnot.
especially in an age that almost every government has started snooping and eavesdropping internet connections.
Find five. There's nothing disastrous in that message. The icon doesn't even have a red exclamation point. It states quite clearly what's gone wrong and offers the option to get past that. If a small business needs to self-sign their certs then a little education of their users prior to switching over to the SSL channel would quickly remove any reservations they might have about proceeding.
that is to you. a registered slashdot user, who is probably working in an i.t. related field, or geeky enough.
i hate to break it to you pal, but we dont constitute the majority on the web. we are at best a noticeable minority. web is comprised of billions of internet users that cant tell firefox from ie, leave aside recognizing that 'there is nothing wrong' with that message.
to average web user, that warning would mean 'youre being screwed, run away from this website asap', REGARDLESS of what technicalities the contents of the warning says. they wont understand a zit about those technicalities anyway.
what kind of logic is this ?
1. create your own CA and tell your customers to import the CA by clicking here (before putting them in ssl mode). It's really not much trouble to set up your own CA.
first, you are not in communication with potential customers, and they will never communicate with you and become a customer after they see that horrible ff3 warning. you wont even get a chance to tell them what is going on.
second, same goes for many potential website users that are signing up for a community.
additionally godaddy is one of the shittiest service providers on the web. so if the solution you are offering is godaddy, please, keep it to yourself, and even firefox3 too.
precisely so. and i think that is our biggest problem as of now, since many countries from turkey to and even sweden, leave aside usa, has started monitoring everything that passes their countries' networks.
also do not forget that increasing privacy violation, deep packet inspections, surveillance and snooping is a MAJOR problem in every part of the world as of now.
ssl encryption provides the people with increased privacy, and makes it a tad harder for governments trying to peep on people.
yet, with this self righteous ssl cert move, firefox 3 is actually going to DETER the usage of self signed certs, and make it easier for governments or any interested party to snoop on many web users.
great move. very public minded.
It's not like Firefox makes it impossible to access a web site with a self signed certificate. It just makes it very obvious that something is wrong with the certificate, and tells the user that he shouldn't trust it to much.
there close to a billion people on the net that wouldnt tell what to do when faced with such a disastrous looking warning as ff 3 prints out when met with a self signed ca.
also there are equally many people that would rather skip visiting/subscribing to a site when they see the hassle ff3 puts out.
therefore many small service providers, businesses, communities that would not afford a decent certificate will be hurt in all respects, not to mention many users.
excuse me, but this is a very stupid, self righteous and jacobin move.
that is the EXACT kind of thing slashdot criticizes almost EVERY government, country, organization, corporation for, yet, you people are actually applauding it in this case.
EVERYthing on the web is susceptible to various attacks. yet, we are not mandating anyone to pay to some 3rd party source for a 'fix' in any of them. yet, it is the case of ff3 and the self signed certs. how come ?
so you people are basically arguing that because there can be man in the middle attacks, we should be forcing EVERYONE into the lap of verisign ?
how populist, how public minded, how democratic.
This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.
'security professionals' do not build the web, or do they constitute the market, or the people.
there are a LOT of community websites (that cater to thousands of people, the smallest one), small businesses, their customers, vpn users, a lot of people that are going to be hurt by this overly self righteous move.
it is easy to be indignant and force stuff upon people, saying 'it is the right thing', while working on an open source project part time, from a secure, corporate level information technology job.
one thinks it seems right for you, and therefore it is probably right for others. of course, all the while clueless about how many people, businesses, organizations and communities use self signed certs throughout the web, just because their isolated position.
its basically letting go of half of the security for improving the other half.
lets see, what are proponents of this are saying ? they are arguing "ssl is not just about encryption, its also about knowing that you can trust the source"
well, thats basically an entirely stupid approach, when you consider that a LOT of websites who are now using self signed certificates will be just removing ssl encryption rather than pay yearly fees to a 'certified' vendor or annoy their users with the HORRIBLE 'youre being hacked !' style ssl warning in ff3.
what happens ? basically you will have let half of the security go while improving the other half. net gain ? zero.
utterly stupid.
"we are programmers and developers, and as a community we think this is the right thing to do" - this does NOT fly. public accepts what they like, they refuse what they dont. this is as simple as that, REGARDLESS OF what they accept or refuse may be good, or bad.
it is utterly stupid to go overly jacobin and enforce something on people 'for improving the security on the web', in an open source project that is made by people FOR the people.
a lot of websites, service owners, businesses using vpn and their clients and their users are going to experience hell lot of problems due to this extreme self righteousness forced upon them, if they go for firefox 3.
to be honest, despite im fighting for free and open internet, linux, open source by the means available to me as much as i can, i will be advising friends and clients to stay away from ff3 because of that certificate issue.
if you think free software has usability, you have problems identifying and finding good software. you need to fix yourself.
i use a lot of free software that has very good usability. there is nothing different in selecting free software than selecting paid software - buyer beware.
thats the very thing im trying to tell a lot of 'invisible hand strokes all' fairy tale conservatives here all along. this guy just put it in a VERY short and neat form.
if we kill those marketing people, the world is going to be a much better place. preferred method should be beating to death by a stick.
of course, thats excluding nycl from the lawyers list.
i would like to remind you that hillary clinton has remained as poisonous as any poison ivy can be, until 2008, and probably still remains as such. so your argument is invalid. just because someone is getting out of office, does not mean that they wont be able to influence things.
verly-obedient populace resulting from excessive media control and from everyone being too in-debt and thus too over-worked to invest time in their own government. Secondly, violation of the "design and philosophy" of the system by governing parties that has gone unpunished.
all leads to corporationism and what corporations do to united states.
a total bastardization of capitalism, corporations control the daily lives of citizens in indirect ways. because much of profit is garnered by the corporation, the citizens are paid minimum that is possible for every level. distribution of wealth therefore is horribly bad. 'competitive free market' cant fix it either, because, inevitably, after a certain treshold, corporations become SO big that the country cant risk going against those corporations for fear of economic instability and crisis. and reinforcing the cycle, corporations can also buy laws from 'sponsored' lawmakers for their own benefit. add the media that is under control of the few big corporations to this equaation, and you have your problem.
excuse me, but all these point to the fact that u.s. system of government is broken. stuff seemed to be working 1776-1950, because globalization had not arrived by then yet, and there werent many huge megacorporations that had economies greater than many countries. (as of now around 20 corporations are in the list of world's biggest 100 economic powers, leaving many countries behind). the world have not seen so big economic power resting in chunks concentrated in private sector, and did not have anything to mitigate the damage they would cause.
and here we are today. lawmakers are putting out laws that benefit a few corporations without any fear of reprisal from their constituents. they are just shelling out the ages old "it will provide jobs" excuse, and everyone falls for it.
little they realize that, in its current form, 'job' basically means indentured servitude of the 21st century kind. long hours of work, diminishing benefits, decreasing pay and job security. all the while reinforcing the cycle.
it is a downward spiral. it is dangerous.
lobbyists are not petitioning the government as 'citizens'. they are petitioning as representatives of holders of big cash. and they are sponsoring representatives to sponsor laws for their own benefit.
no citizen has that kind of petitioning power.
if the country prioritizes its corporations' profits more than it prioritizes its citizens, its citizens prioritize their selfish agendas more than they value their education.
you reap what you sow. simple as that.
musicians dont get ZIT out of the records they sell. the amount per cd/song they get is SO pathetic that it is negligible. the record companies force them to go on concert tours to earn the millions they are earning. this is a self reinforcing slavery cycle. even if you're a top band, your record earns the record co countless millions, but you are forced to go over lengthy concerts in which you will at most accrue $1-2 m after going through countless countries and 5 to 10 concerts.
excuse me, but musicians arent getting shit out of this deal, and im not going to pay a record company $20 bucks an album, whereas the musician gets only a few cents out of it.
it doesnt make sense.
previously it was hard to distribute a creative material. you had to record it to tapes distribute to stores, advertise it, sell it. now there is internet. now there are cds that cost 0.01 per. storage and distribution is much easier. (compare the space that is required by a casette tape to a cd and how much you can squeeze into a transport). the cost of distribution have taken a dive, and profit margins rose. but we are STILL paying same bucks per album like 20 years ago. WHAT is the deal here ?
let me tell you the deal. record companies are making huge profit margins now distribution costs are down, and they are enjoying it TOO much that they are resorting to malpractice, racketeering, bribery and public enemy methods to preserve it. thats NOT a competitive practice, and it has NO place in a market that is supposed to be free.
no.
im not paying ZIT to a record company until things are set right. if they see in themselves the right to be bitches, well, i can play that game too.
why anonymous ?
a lot of people here have the balls to defend ideas that are against overreaching patent/copyright malpractice and mishaps, even at times at the cost of getting sued.
but you dont have the balls to post something with your own username, despite it is certain that noone is going to sue you, bash you in the head or steal your panties ?
and,
why so serious ?