What an epic fail for TLS. The certification system is broken by design and now apparently the block encryption as well. Let's take this opportunity to draft a new standard that:
A) Solves the having-to-trust-cert-authorities in china by using DNSSEC instead for certification. It should also optionally support manual cert distribution or remember-public-key for advanced users.
B) Just like SSH it should supports a range of handshake methods/encryption algorithms. It's insane to rely on a single algorithm. So when (note "when", not "if") an algorithm gets busted I can simply patch my browser.
So somebody, please write an RFC now, anyone?
I don't consider emergency relief "charity" so I think there is some mix-up in terminology here. When it comes to emergency relief there are already systems in place, if not governments then at least the UN. If you want to talk about the real problems like world poverty, lack of education, widespread disease, non functioning markets and election systems things tend to get a lot more complex than "people starving because this disaster cuts of their supply of food so we need to give them food". You need to realize that most of the world is actually not in a state of emergency but have problems just as pressing in the long term as people starving in the short term.
What I'm criticizing here is that many charity projects just burns a pile of money for the sake of easing the consciousness of people that are better off, which helps nothing at best and is counterproductive at worst. For example building a bunch of schools so children can get education. Very heart-warming but futile when you don't have teachers and the kids needs to work anyway to provide for their family so the families are not interested in getting education for their kids. The well functioning market economy is the best tool invented so far to generate wealth - and charity is just a temporary flow of resources that could actually interfere with that mechanism. Especially when the goal of the investment is to have a huge impact in the short term just like many charity projects do, since the easiness to gather money is proportional to how seemingly pressing the issue is that being addressed by the charity is.
What's interesting though is charities that attempts to kick start business and entrepreneurship in poor regions. There has been some interesting projects in that area that touches on micro-loans, hands-on education and getting involved with the actual people you are trying to help. I don't want to call that "charity" though since that word has another meaning to m. ("blindly giving away money to things that makes me warm and fuzzy"). If charity was more focused around those kind of projects though I would be less critical of the form it takes today.
You're assuming politicians in general have a clue about anything remotely technical. And this is Pakistan. Because the Netscape developers called the state mechanism in HTTP "cookies", politicians thought they understood what "cookies" did and began to regulate them.
Also, as usual most people here in Slashdot will start to brainstorm technical solutions and rage over the fact that society hasn't reached their cryptographic utopia yet where people memorize 2048 bit RSA key pairs and all centralized information technology has been replaced with distributed p2p counterparts. When your government wants to spy on you, you have a social problem - not a technical one.
Your analogy is invalid. Not being able to view the source code of a program you are using is obviously not the same as being a "slave". Being able to improve existing source code and profit from it is also obviously not the same thing as "being able to own slaves". Your views honestly scare me if you truly believe using proprietary software is "slavery". It makes me understand what was going on in FOSS extremists heads though when they introduced GPLv3.
100% correct. They can no longer be trusted and should be instantly removed. If they come back with a full post mortem study, including the steps they have implemented for it to never happen again, plus a full list of all fraudulent certificates they have issued they should be reconsidered again, but only after sufficient penalty time has passed, say one year. This is to prevent other CAs from doing the same mistake.
Oh and the CA system is utterly broken. This is the scenario all security researchers anticipated and failed to be surprised by. When can we get a standard based on DNS-SEC instead?
"Money is the root of all money." -- the moving finger