
Comment Re:Achilles heel of the cloud apps.... (Score 1) 72

Sorry, my mistake. You are closer to the prerequisites than I was.

You need a signed assertion:

https://www.youtube.com/watch?...

But getting a signed assertion is pretty easy, if it's a cloud service.

Just sign up.

Anyway, most implementations have been fixed. I hope. ;-)

Unless they upgrade or downgrade the XML-parser and break it by accident.

Comment Re:Encrypted computing is possible, if limited (Score 1) 72

There are so many definitions of cloud.

The above mentioned solution could be based on open source software (the research project is open source).

In a similar fashion to how WordPress is currently hosted, you get updates from the vendor (WordPress), not from the hosting provider, but in the case above with encrypted data.

Yes, SaaS providers will pretty much never go for it, because dealing with encryption means extra work for them.

I was just pointing out it isn't completely impossible, because that is what most people assume.

Comment Re:Achilles heel of the cloud apps.... (Score 2) 72

You might not be aware of what the attack is.

The attack is about sending specially crafted XML requests/responses to circumvent the checks of the authentication system, which allows you to log in as a user of your choice.

This has nothing to do with breaking TLS; what you do need is the username and to know which application (URL) they are allowed to log in to.

Comment Re:Shrug (Score 1) 161

Let's not kid ourselves.

We all make mistakes.

Especially when we start to generate HTML based on different sources.

One mistake meant the visitor to the webpage got to see an error instead of most of the page when you are not using XHTML.

XHTML was just too complicated, not flexible enough and strict.

Could it be that this is also the reason JSON is now much more popular than XML?

Comment Proposals and running code (Score 3, Interesting) 161

The Tao of IETF still mentions:
"We reject kings, presidents and voting. We believe in rough consensus and running code"
http://www.ietf.org/tao.html

Maybe it's just me, but might it apply here?

Before the httpbis working group started looking at proposals for HTTP/2.0, SPDY was already implemented and deployed in the field by multiple browser vendors, library builders for servers and several large websites. A bunch of research documents were written. And a protocol specification document draft existed. SPDY wasn't created in the open per se, but it was iterated with the help of the community.

So the IETF WG let people suggest proposals:
http://trac.tools.ietf.org/wg/...

And then they voted.

SPDY got selected.

Also the SPDY draft was used as a basis for writing the new HTTP/2.0 draft.

Is anyone surprised?

There might be fundamental parts of the protocol which might have turned out differently if they had gone through an open collaborative process.

But at first glance it doesn't look that bad.

I can see the appeal of rubberstamping what already exists.

Comment Re:Achilles heel of the cloud apps.... (Score 2) 72

SAML? Don't make me laugh:

"In this paper we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them ... have critical XML Signature wrapping (XSW) vulnerabilities"

"In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model."

https://www.usenix.org/confere...
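The attack the two "Achilles heel" comments above describe, as an added example that is not part of any comment here and not code from the cited paper. It reproduces XML Signature wrapping in miniature: the consumer verifies the signature on the element the Reference URI points at, but reads the identity from a different <Assertion>, so an attacker who legitimately obtained a signed assertion for their own account (by signing up) can log in as someone else. Assumptions of this demo: no XML namespaces, a constructed key, and an HMAC-SHA256 over the serialized assertion (minus its enveloped <Signature>) standing in for real XML-DSig; the element names and the `Extensions` wrapper location are illustrative.

```python
"""XML Signature wrapping (XSW) against a SAML-style consumer, in miniature.

Constructed demo, not CryptDB/SAML-library code. The 'signature' is an
HMAC-SHA256 over the serialized <Assertion> with its <Signature> child
removed (enveloped-signature semantics), standing in for XML-DSig.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

# Constructed key: stands in for the IdP signing key the SP trusts.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"


def make_assertion(name_id: str, assertion_id: str = "_a1") -> ET.Element:
    """Unsigned <Assertion ID=...><Subject><NameID>...</NameID></Subject></Assertion>."""
    assertion = ET.Element("Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, "Subject")
    ET.SubElement(subject, "NameID").text = name_id
    return assertion


def _signed_bytes(assertion: ET.Element) -> bytes:
    """Serialize the assertion with any enveloped <Signature> stripped out."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def sign_assertion(assertion: ET.Element) -> ET.Element:
    """Append an enveloped <Signature> whose Reference points at this assertion's ID."""
    mac = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = mac
    return assertion


def verify_signature(assertion: ET.Element) -> bool:
    sig = assertion.find("Signature")
    if sig is None:
        return False
    expected = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.findtext("SignatureValue", ""))


def build_response(assertion: ET.Element) -> ET.Element:
    response = ET.Element("Response")
    response.append(assertion)
    return response


def find_by_id(root: ET.Element, element_id: str) -> Optional[ET.Element]:
    """ID lookup the way an XML-DSig Reference URI '#id' is resolved: anywhere in the document."""
    return next((e for e in root.iter() if e.get("ID") == element_id), None)


def wrap_attack(response: ET.Element, victim: str) -> ET.Element:
    """XSW: keep the legitimately signed assertion (so the signature still
    verifies) but move it out of the way, and put an unsigned assertion for
    the victim where a naive consumer looks first."""
    wrapped = copy.deepcopy(response)
    signed = wrapped.find("Assertion")
    wrapped.remove(signed)
    wrapped.insert(0, make_assertion(victim, assertion_id="_evil"))
    ET.SubElement(wrapped, "Extensions").append(signed)  # hiding place is illustrative
    return wrapped


def vulnerable_consume(response: ET.Element) -> str:
    """Signature check and identity extraction are not tied to the same element."""
    ref = response.find(".//Signature/Reference").get("URI").lstrip("#")
    signed = find_by_id(response, ref)
    if signed is None or not verify_signature(signed):
        raise ValueError("bad signature")
    # BUG: reads the first Assertion in document order, not the one just verified.
    return response.find(".//Assertion/Subject/NameID").text


def hardened_consume(response: ET.Element) -> str:
    """Use only the element whose signature was verified, and refuse any ambiguity."""
    assertions = response.findall(".//Assertion")
    if len(assertions) != 1 or assertions[0] not in list(response):
        raise ValueError("expected exactly one Assertion, as a direct child of Response")
    assertion = assertions[0]
    sig = assertion.find("Signature")
    if sig is None or sig.find("Reference") is None:
        raise ValueError("missing signature")
    if sig.find("Reference").get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("signature Reference does not point at this Assertion")
    if not verify_signature(assertion):
        raise ValueError("bad signature")
    return assertion.find("Subject/NameID").text


def rejects(consumer: Callable[[ET.Element], str], response: ET.Element) -> bool:
    try:
        consumer(response)
    except ValueError:
        return True
    return False


def demo() -> Tuple[str, str, str, bool]:
    # The attacker signs up and legitimately receives a signed assertion for themselves.
    legit = build_response(sign_assertion(make_assertion("attacker@example.org")))
    attack = wrap_attack(legit, "admin@example.org")
    return (vulnerable_consume(legit), vulnerable_consume(attack),
            hardened_consume(legit), rejects(hardened_consume, attack))


if __name__ == "__main__":
    print(demo())
```

The hardened consumer makes three checks the vulnerable one skips: there is exactly one <Assertion> in the whole document and it sits where the protocol says it should, the Reference URI names that very element, and the identity is read from the object whose signature was just verified rather than re-queried from the document. Real deployments should additionally rely on their XML-DSig library's ID handling rather than a hand-rolled lookup; the point here is only that signature verification and data extraction must operate on the same node.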

Comment Encrypted computing is possible, if limited (Score 2) 72

You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
http://css.csail.mit.edu/crypt...

And build an application which then decrypts the data on the client when the user needs access to it; for example, there is Mylar from the same research group as the database above:
https://css.csail.mit.edu/myla...
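The shape of the scheme this comment points at, as an added example that is not code from CryptDB, Mylar or the comment. The untrusted server (or hosting provider) stores only ciphertext plus a deterministic equality token per value, so it can still answer an equality query without ever holding the key; the client holds the key and decrypts the rows that come back. Assumptions: a constructed client key, an HMAC-SHA256 counter keystream XORed with the plaintext standing in for the real block cipher, and a Python list standing in for the database table.

```python
"""Equality queries over encrypted data, CryptDB/Mylar style, in miniature.

Constructed demo. The randomized 'cipher' (HMAC keystream XOR) and the
list-backed table are stand-ins, not the projects' own code.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed key: lives on the client only and is never sent to the server.
MASTER_KEY = b"constructed-client-key"


def _subkey(label: bytes) -> bytes:
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def eq_token(value: str) -> bytes:
    """Deterministic: equal plaintexts give equal tokens. That equality leak
    is the price paid so the server can evaluate WHERE col = ? blind."""
    return hmac.new(_subkey(b"det"), value.encode(), hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(_subkey(b"enc"), block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(value: str) -> bytes:
    """Randomized: the same plaintext encrypts differently every time."""
    nonce = secrets.token_bytes(16)
    data = value.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


def decrypt(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()


class EncryptedTable:
    """What the server holds: (email_token, email_ciphertext, note_ciphertext), nothing readable."""

    def __init__(self) -> None:
        self.rows: List[Tuple[bytes, bytes, bytes]] = []

    def insert(self, email_token: bytes, email_ct: bytes, note_ct: bytes) -> None:
        self.rows.append((email_token, email_ct, note_ct))

    def select_by_email(self, email_token: bytes) -> List[Tuple[bytes, bytes]]:
        # Equality predicate evaluated on tokens alone; the server never sees a key.
        return [(e, n) for t, e, n in self.rows if t == email_token]


def demo() -> Tuple[List[str], bool]:
    """Client inserts constructed sample rows, queries by email, decrypts the hits."""
    table = EncryptedTable()
    records = [("alice@example.org", "first note"),
               ("bob@example.org", "bob's note"),
               ("alice@example.org", "second note")]
    for email, note in records:
        table.insert(eq_token(email), encrypt(email), encrypt(note))
    hits = table.select_by_email(eq_token("alice@example.org"))
    notes = sorted(decrypt(note_ct) for _, note_ct in hits)
    # Both alice rows matched via equal tokens, yet their email ciphertexts differ.
    ciphertexts_differ = hits[0][0] != hits[1][0]
    return notes, ciphertexts_differ


if __name__ == "__main__":
    print(demo())
```

This is the overhead and the limitation the comment alludes to: every queryable column needs an extra token, and the server learns which rows share a value even though it cannot read any of them. Range queries and full-text search need further, leakier layers, which is the part that makes SaaS providers balk.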

Comment Windows (Score 5, Informative) 203

If anything is missing, it's probably only missing on Windows.

Support on Linux and Mac is just fine, I think.

Windows:
- client support is kind of OK
- virtual filesystem support is kind of OK

The biggest missing solution:
- Windows server support. There are some expensive solutions, not sure how well they work.

Comment Re:Maybe I'm missing something (Score 1) 461

Something I've been missing in this discussion is a notion of scale.

This is a statistic from 10 years ago from the US:
- the average citizen uses 10 times more energy when going from and to work each day (the use of their car) than all their energy use of the rest of the day combined.

If I'm not mistaken, this includes natural gas.

Now this number has shifted in the past 10 years.

But let's say a battery pack for the average home is about a quarter of the size of what goes into a car.

Also, what would happen at homes when electric cars are driving down the price of batteries?

What if you live in a country where power from the grid has a different price at night than during the day?

Well, that system isn't going to last, is it?

Will it smooth out demand on the grid during the day?

Lots of changes coming in the future, they could be bad, they could be good. They will be bad for some people, good for others.

I do know one thing: Elon Musk will probably make some more money if he can deliver on some of his goals.

Comment Re:Maybe I'm missing something (Score 1) 461

Rooftop solar and battery storage cannot even begin to compete with efficient central generation and distribution.

I would think utilities think 10, 20 maybe 30 years ahead. Because they have to invest in building things. Large things.

In Germany there was a public opinion that renewable energy would be a good thing, so the politicians created a fund which put money behind it, lots of money.

The result:
http://www.greentechmedia.com/...

Investments by electrical companies have become really hard to do, because they are making less and less money on their investments:
"Wholesale electricity prices in Germany have dropped 60 percent since 2008 as renewable energy, which is heavily subsidized and has priority access to the grid, gets dispatched first due to its much lower short-term marginal production costs than traditional plants, displacing natural gas, coal and nuclear power."
http://instituteforenergyresea...

Their next goal? Funding energy storage technologies:
http://www.energystorageforum....

So what did the largest utility company do?
http://www.theguardian.com/env...
