
Comment Re:Secret Ballot? (Score 0) 480

Yes, it's really hard.

Lots of people have tried, for years now, they've all failed:

http://media.ccc.de/browse/con...

Things that might look good in theory still turn out to be a big fail in practice. Even just getting the implementations right is really, really hard.

Using a blockchain will probably fail too.

Remember if we knew how to make Bitcoin or Darkcoin/Darkwallet/Darksend/Coinjoin/etc. really, really good anonymous, we would have already done it.

Comment Re:Shrug (Score 1) 161

Let's see how many new and existing APIs use JSON in comparison to XML:

http://www.programmableweb.com...
http://www.programmableweb.com...

Seems like a pretty clear trend to me: XML is on the way out.

SOAP or WSDL, you say?

Well, usually you use JSON with REST.

At the last technology conference, where they all implement 'micro services', I asked several people whether REST/JSON needs a WSDL-like solution.
They all answered: no

If you want to describe your REST/JSON API, there are solutions though:

https://helloreverb.com/develo...
http://raml.org/

Comment Re:Achilles heel of the cloud apps.... (Score 1) 72

Sorry, my mistake. You are closer to the prerequisites than I was.

You need a signed assertion:

https://www.youtube.com/watch?...

But getting a signed assertion is pretty easy, if it's a cloud service.

Just sign up.

Anyway, most implementations have been fixed. I hope. ;-)

Unless they upgrade or downgrade the XML-parser and break it by accident.

Comment Re:Encrypted computing is possible, if limited (Score 1) 72

There are so many definitions of cloud.

The above mentioned solution could be based on open source software (the research project is open source).

In a similar fashion to how WordPress is currently hosted, you get updates from the vendor (WordPress), not from the hoster, but in the case above with encrypted data.

Yes, SaaS providers will pretty much never go for it, because dealing with encryption means extra work for them.

I was just pointing out it isn't completely impossible. Because that is what most people assume.

Comment Re:Achilles heel of the cloud apps.... (Score 2) 72

You might not be aware of what the attack is.

The attack is about sending specially crafted XML requests/responses to circumvent the checks of the authentication system, which allows you to log in as a user of your choice.

This has nothing to do with breaking TLS. What you do need is: the username, and to know which application (URL) they are allowed to log in to.

Comment Re:Shrug (Score 1) 161

Let's not kid ourselves.

We all make mistakes.

Especially when we start to generate HTML based on different sources.

One mistake meant: the visitor on the webpage got to see an error instead of most of the page when you are not using XHTML.

XHTML was just too complicated, not flexible enough and strict.

Could it be that is also the reason JSON is now much more popular than XML?

Comment Proposals and running code (Score 3, Interesting) 161

The Tao of IETF still mentions:
"We reject kings, presidents and voting. We believe in rough consensus and running code"
http://www.ietf.org/tao.html

Maybe it's just me, but might it apply here?

Before the httpbis working group started looking at proposals for HTTP/2.0, SPDY was already implemented and deployed in the field by multiple browser vendors, library builders for servers and several large websites. A bunch of research documents was written. And a protocol specification document draft existed. SPDY wasn't created in the open per se, but it was iterated with the help of the community.

So the IETF WG let people suggest proposals:
http://trac.tools.ietf.org/wg/...

And then they voted.

SPDY got selected.

Also the SPDY draft was used as a basis for writing the new HTTP/2.0 draft.

Is anyone surprised?

There might be fundamental parts of the protocol which might have turned out differently if they would have gone through an open collaborative process.

But at first glance it doesn't look that bad.

I can see the appeal of rubberstamping what already exists.

Comment Re:Achilles heel of the cloud apps.... (Score 2) 72

SAML? Don't make me laugh:

"In this paper we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them ... have critical XML Signature wrapping (XSW) vulnerabilities"

"In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model."

https://www.usenix.org/confere...
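
The weakness the quoted abstract describes comes down to verifying one element and then reading identity data from another. The sketch below is an added example, not part of the original comment or of any SAML framework: the element names, the HMAC stand-in for XML Signature, and both sample documents are constructed assumptions.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: stands in for the IdP signing key

def mac(elem):
    # Toy integrity tag; real XML Signature canonicalizes and uses public keys.
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def verified_element(root):
    """Return the single element the signature covers, or None."""
    sig = root.find("Signature")
    if sig is None:
        return None
    hits = [e for e in root.iter() if e.get("ID") == sig.get("ref")]
    if len(hits) != 1 or not hmac.compare_digest(mac(hits[0]), sig.get("mac", "")):
        return None
    return hits[0]

def subject_weak(root):
    # Flawed pattern: verify one element, then read another one by position.
    if verified_element(root) is None:
        return None
    return root.find(".//Assertion/Subject").text

def subject_hardened(root):
    # Consume only the verified element; insist it is the only Assertion.
    signed = verified_element(root)
    if signed is None or list(root.iter("Assertion")) != [signed]:
        return None
    return signed.find("Subject").text

def signed_response(subject):  # constructed sample: well-formed response
    root = ET.Element("Response")
    a = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(a, "Subject").text = subject
    ET.SubElement(root, "Signature", ref="a1", mac=mac(a))
    return root

def wrapped_response():  # constructed sample: signed element relocated
    root = signed_response("alice")
    signed = root.find("Assertion")
    root.remove(signed)
    extra = ET.Element("Assertion", ID="x9")  # not covered by the signature
    ET.SubElement(extra, "Subject").text = "bob"
    root.insert(0, extra)
    ET.SubElement(root, "Extensions").append(signed)
    return root
```

On the relocated sample the signature still verifies, so `subject_weak` returns the unsigned subject while `subject_hardened` rejects the document.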

Comment Encrypted computing is possible, if limited (Score 2) 72

You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
http://css.csail.mit.edu/crypt...

And build an application which then decrypts the data on the client when the user needs access to it, for example there is Mylar from the same research group as the database above:
https://css.csail.mit.edu/myla...

Comment Windows (Score 5, Informative) 203

If anything is missing, it's probably only missing on Windows.

Support on Linux and Mac is just fine, I think.

Windows:
- client support is kind of OK
- virtual filesystem support is kind of OK

The biggest missing solution:
- Windows server support. There are some expensive solutions, not sure how well they work.
