
Comment Re:Network-based IPS and IDS are obsolete (Score 1) 60

Sure it can. You just push a new root certificate to your devices and intercept away.

Issuance of a bogus certificate to fool one of the parties to an SSL conversation is called a Man-in-the-Middle attack, which is fraudulent conduct: pushing a fraudulently issued certificate document claiming to be the other party, and that this false thing was the other party's key.

This is nothing to base a security model on, as the attack actually compromises encrypted data --- the parties to a legitimate conversation have no way of knowing who the "security appliance" will be leaking the sensitive information contained in their encrypted conversation to.

Whoever put the code into production should be going to jail. There is no mitigating circumstance against falsely issuing a certificate and presenting it claiming to be someone else's domain name.

It doesn't matter whether you are a global CA, an Enterprise CA, or someone has given you a locally trusted root... anyone doing such is going to jail, and again, it is nothing to base an IPS or IDS on.

Comment Re:Disingenuous (Score 1) 306

Technical books are different, but anything that busts the current obscene textbook scam is a win for society, hands down.

Textbooks generally aren't available as e-Books. If they are, they are not going to be $9.99. They may, however, split up the 25 chapters and sell each one as a $10 eBook.

Then sell the Appendices as a separate $10 book, and each chapter's homework assignments as a $10 eBook, then a $10 eBook for each chapter's answer key.

Comment Network-based IPS and IDS are obsolete (Score 4, Insightful) 60

Security is not meant to be, and now can't be a bolt-on feature without disrupting performance of the network. Nor is security what dictates the design of your protocols --- IP traffic is not meant to be intercepted, and more and more of it is becoming encrypted. Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container).

You now need to move and have multiple IDS or IPS security agents on the end devices themselves; perhaps on the NIC, where you most certainly could have access to disparate MP-TCP sessions, with some software engineering.

I'm so sorry, it seems hard that you will now need to manage 1000 IPSes on all your endpoints which is less convenient than one centralized IPS, but the centralized IPS was always a hack and likely to be compromised or circumvented, for example, by tunneling, or leveraging a secondary WiFi network, as it's a ripe target.

In principle, the only sound thing to do is going to be to move your detectors.

Comment Re:Interesting comparison (Score 1) 113

Unfortunately as long as ICANN is under US jurisdiction, you're going to see disputes like this heading to US courts.

It's NOT ICANN I am concerned about.... it is the registry operators such as Verisign.

ICANN itself pretty much doesn't have any direct authority to do anything to the registration system on their own; they have to adopt a policy, or so.

ICANN could be further mitigated if internet citizens would be willing to fund another organization living in another jurisdiction to share authority with ICANN and adjust both organizations so that they have to agree on certain matters, or for certain changes.

The problem is..... every individual company; including every registry operator.... has to exist SOMEWHERE, and there is a good chance whatever government exists at that 'somewhere' is eventually going to realize that, and, perhaps, attempt to abuse their position.

So ideally you would have all technical tasks divvied up, with no single organization under any one single jurisdiction being technically empowered to implement some random judge's order that is not agreeable to the public or to the community.

Comment Re:it's only property when it's the RIAA. (Score 1) 113

can only seize domains that are managed by registrars or registries in countries in which they have jurisdiction

In this case, the registrant of the domain has a transferable right to move the domain, and the registrar is acting as an agent of the registrant in maintaining their registration, AND the registry has given the registrar all the capabilities required to effect the technical aspects of the transfer on their own.

If the registry were truly looking out for the registrant's interests: they would provide a mechanism such as registry lock to allow the registrant to "SEAL" the domain on their own and make transfers not authorized with their keys, impossible, even by the registrar.

Comment Re:it's only property when it's the RIAA. (Score 1) 113

Why is one part of the domain name considered property but the other part isn't?

Because registrants have been conveyed a transferable "right" to their registration, which has a set of privileges which are mostly identical to property rights, other than the fact that the registry generally reserves the right to take their name from them under a UDRP dispute resolution procedure, and the registrar generally reserves the right to shut off their domain, in case they determine that there's been a terms of service violation.

Comment Re:Disingenuous (Score 1) 306

What we've seen from Steam sales is that lower prices mean more revenue - often vastly more. Are books the same?

Maybe some, but not all books are the same. Perhaps the average book is the same.

There are many important books that will probably never sell very many copies.... such as the K&R book "The C Programming Language".

The authors need to be free to price their books accordingly and not have all books given a dictated price based on what the market will bear for the average book, when there is high variability in terms of "what a book is" and how big its audience is, and there are plenty of outliers.

Comment Re:Hardware firewalls yes, windows fw NO WAY. (Score 1) 348

The Windows firewall creates terrible delays and jitter, so the impact on, for instance, SIP telephony is terrible.

It seems that your past frustration with one specific application has clouded your judgement.

The Windows firewall is not to be disabled, period. "Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft." (The system will no longer be supported after doing so, and there will likely be a number of kinds of network issues -- for example, disablement of the firewall breaks certain applications, may cause problems with terminal services, etc.)

Now, there will be some exceptional situations where bypassing windows firewall security may be necessary, and an acceptable compromise; providing a compensating control is put into place --- such as a dedicated network segment for the one computer, with additional hardware firewall.

But past pains do not justify another wrong.

Comment This is outrageous (Score 1) 161

I think Firefox should boycott the site.... display a message about it being possibly malicious/dangerous to all users attempting to visit OKCupid, showing a link to the article as a warning message in bright red... (Just kidding <EG>).

Comment Re:Thanks (Score 1) 398

TCP performance on the Internet is almost totally limited by latency (AKA RTT or round trip time for the ACKs), not the bandwidth.

Modern TCP stacks, including Windows 7, 8 and Linux these days, have a feature called TCP Timestamping, where an RTT estimate is taken for the connection, and a feature called TCP Autotuning, where the window size is automatically scaled up to fill a long fat pipe.

So no... the days where TCP throughput of a session was totally limited by latency are long gone.
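As an added illustration (not part of the original comment), the window/RTT bound the post refers to, worked for a constructed 100 Mbit/s, 100 ms link: an unscaled 64 KiB window caps a session well below line rate, and the shift count is the RFC 7323 window scale option that autotuning relies on to grow the window.

```python
import math

MAX_WSCALE_SHIFT = 14   # RFC 7323 caps the window scale shift count at 14

def max_throughput_bps(window_bytes, rtt_s):
    """Upper bound for one TCP session: at most one receive window can be
    in flight per round trip, so rate <= window / RTT (bits per second)."""
    return window_bytes * 8 / rtt_s

def required_window_bytes(bandwidth_bps, rtt_s):
    """Bandwidth-delay product: the window needed to keep the pipe full."""
    return math.ceil(bandwidth_bps * rtt_s / 8)

def window_scale_shift(window_bytes):
    """Smallest shift count such that the 16-bit window field (max 65535)
    scaled by 2**shift covers the requested window. None if even the
    maximum shift is not enough."""
    for shift in range(MAX_WSCALE_SHIFT + 1):
        if 65535 << shift >= window_bytes:
            return shift
    return None

def long_fat_pipe_report(bandwidth_bps, rtt_s):
    """Compare an unscaled 65535-byte window with what autotuning must
    reach on a link of the given bandwidth and RTT (constructed scenario)."""
    unscaled = max_throughput_bps(65535, rtt_s)
    needed = required_window_bytes(bandwidth_bps, rtt_s)
    return {
        "unscaled_mbps": round(unscaled / 1e6, 2),
        "required_window_bytes": needed,
        "wscale_shift": window_scale_shift(needed),
    }

if __name__ == "__main__":
    # 100 Mbit/s with 100 ms RTT: ~5.24 Mbit/s unscaled, 1.25 MB needed, shift 5
    print(long_fat_pipe_report(100e6, 0.1))
```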

Comment Re:Thanks (Score 2) 398

You could even run a network monitoring app. But the browser is one highly visible one that most people already have installed.

Perhaps you could, but now essentially you are having "users that think they have problems" downloading an extra application and they start monitoring after there's a problem most likely.

This means your app cannot get the right data on what's normal for the user or for the world, because you have a sample of app users that are biased towards users that already are experiencing network issues of some sort, and you don't have a good baseline for the user that installed it either.

Comment Re:Thanks (Score 4, Insightful) 398

It will probably end up pissing off ISPs to the point of either finding ways of faking the data, blocking the data, or just as policy telling customers to ignore the speed numbers.

If the data is blocked, the browser should figure out why and explain to the user that there seems to be an issue with their network; in other words, "blocking" should make it even worse for the ISP. A smarter browser UI could be a tremendous help to support technicians, which the ISPs should absolutely love ---- perhaps even tell the user exactly which entity to contact, even display their ISP's support number on the screen, to help accelerate the problem resolution process, and provide access to comments by other users of the same ISP, leading to happier customers, and customers who can share info with each other pertinent to troubleshooting or why this is happening, etc.

A lot of people won't be able to distinguish when something is their ISP's fault and when it might be the end server's fault.

I am suggesting the browser should also take some responsibility for the interpretation of the results here. There should be a highly visible "troubleshooting" button that causes some tests to be run. Explanations should be right there in a natural language that any English speaker could understand.

The browser should not show an alert if there is not enough data to make a conclusion with a fair measure of statistical confidence.

We can definitely make a strong distinction between a "web site performance issue" and a client connectivity issue, with data from a sufficient number of users.

The browser would also need to take into account geographic location and client connectivity, however.

e.g. Is the site slow because the visitor is half way around the world from the nearest mirror, or is it slow because they're connecting over congested WiFi or 3G networks, instead of a wired connection?

I realize it's not "easy", but the web browser is the only software component that is in a position to take the kinds of measurements that are required and help alert the user to the problem, tell the user which entity they should contact, and assist with troubleshooting.

Comment Re:Thanks (Score 5, Interesting) 398

So when you pay for that service it says something like "up to 75mbps", which in reality means that the speed test and Google's home page could see that much speed and everyone else will look like dial-up from the 1990s.

I have a suggestion.... Web browsers should take some measurements and display them prominently in a visible status bar or other location.... average TCP throughput --- and estimated average bandwidth;

A "this site" value, a "this browser session" value, and (optionally) if the user decides to share their numbers, community average bandwidth for this site, community average bandwidth for this ISP, and community average for this site on this ISP.

If Community average for this site on this ISP is more than a standard deviation below Community average for this site,

Then a little warning exclamation point should appear to the right of the browser bar. On mouseover, and for a few seconds after loading the page, a little warning bubble should appear: "Your internet service provider seems to have below average performance in loading this page."
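An added sketch, not from the original comment, of the community comparison it proposes: per-site and per-site-per-ISP averages over constructed opt-in reports, with the warning withheld until a minimum sample count (an assumed threshold) is met, as the earlier comment on statistical confidence asked.

```python
import statistics
from collections import defaultdict

MIN_SAMPLES = 5   # assumed threshold: no warning until this many reports exist

# Constructed opt-in reports: (site, isp, measured throughput in kbit/s)
SAMPLES = [
    ("example.com", "isp-a", 9800), ("example.com", "isp-a", 10100),
    ("example.com", "isp-a", 9900), ("example.com", "isp-a", 10300),
    ("example.com", "isp-a", 10000),
    ("example.com", "isp-b", 9700), ("example.com", "isp-b", 10200),
    ("example.com", "isp-b", 9950), ("example.com", "isp-b", 10050),
    ("example.com", "isp-b", 9900),
    ("example.com", "isp-c", 4100), ("example.com", "isp-c", 3900),
    ("example.com", "isp-c", 4200), ("example.com", "isp-c", 4000),
    ("example.com", "isp-c", 3800),
]

WARNING = ("Your internet service provider seems to have below average "
           "performance in loading this page.")

def community_averages(samples):
    """Group reports into the two populations the comparison needs:
    all reports for a site, and reports for that site from one ISP."""
    per_site, per_site_isp = defaultdict(list), defaultdict(list)
    for site, isp, kbps in samples:
        per_site[site].append(kbps)
        per_site_isp[(site, isp)].append(kbps)
    return per_site, per_site_isp

def isp_warning(samples, site, isp, min_samples=MIN_SAMPLES):
    """Return the warning text when the ISP's mean for this site is more than
    one standard deviation below the site's community mean, else None.
    Returns None rather than guessing when either population is too small."""
    per_site, per_site_isp = community_averages(samples)
    site_vals = per_site.get(site, [])
    isp_vals = per_site_isp.get((site, isp), [])
    if len(site_vals) < min_samples or len(isp_vals) < min_samples:
        return None
    site_mean = statistics.mean(site_vals)
    site_sd = statistics.stdev(site_vals)
    if statistics.mean(isp_vals) < site_mean - site_sd:
        return WARNING
    return None

if __name__ == "__main__":
    for isp in ("isp-a", "isp-b", "isp-c"):
        print(isp, isp_warning(SAMPLES, "example.com", isp))
```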

Comment Re:subdomain trust (Score 1) 92

Or is this an option?

RFC 3280 #4.2.1.11

The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names.

...


It is an option that was not forced on the root CAs. Essentially none of the public CAs are signing from intermediary CAs with name restrictions applied to their certificates.

Generally the restriction mechanism is only allowed to do something kind of "creepy", where the root CA essentially "sells" this service to a smaller company for perhaps $50,000 or so and issues a restricted certificate --- that allows whoever bought this service to sign subcerts within certain constraints.
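An added example, not from the comment or the RFC, of the dNSName matching rule quoted above applied along a constructed chain: an unconstrained root, a name-constrained intermediate sold to a customer, and a leaf with several SANs. The leading-dot form is an OpenSSL convention rather than RFC text and is treated here as an assumption.

```python
# Constructed scenario: an unconstrained public root issues a name-constrained
# intermediate to a customer who may then only sign names under example.com.
CHAIN = [
    {"cn": "Public Root CA", "permitted": [], "excluded": []},
    {"cn": "Customer Sub CA", "permitted": ["example.com"],
     "excluded": ["internal.example.com"]},
]
LEAF_SANS = ["www.example.com", "example.com", "host1.example.com",
             "vpn.internal.example.com", "example.net"]

def dns_in_subtree(name, base):
    """RFC 3280 4.2.1.11 dNSName rule: `name` is in the subtree `base` when it
    equals base or is base with one or more labels added on the left."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):   # assumed OpenSSL-style ".example.com": subdomains only
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)

def dns_name_allowed(name, permitted=(), excluded=()):
    """A name is acceptable only if it lies outside every excluded subtree and,
    when any permitted dNSName subtrees exist, inside at least one of them."""
    if any(dns_in_subtree(name, e) for e in excluded):
        return False
    return not permitted or any(dns_in_subtree(name, p) for p in permitted)

def check_leaf_against_chain(leaf_sans, chain):
    """Every CA above the leaf constrains every name below it, so a SAN must
    pass the constraints of each CA in the path. Returns {name: allowed}."""
    return {
        san: all(dns_name_allowed(san, ca["permitted"], ca["excluded"])
                 for ca in chain)
        for san in leaf_sans
    }

if __name__ == "__main__":
    for san, ok in check_leaf_against_chain(LEAF_SANS, CHAIN).items():
        print(f"{san:28} {'allowed' if ok else 'REJECTED by name constraints'}")
```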

Comment Re:Why? (Score 1) 92

or at least just force via policy certain certificates onto each computer's browser as trusted?

That works fine for Internet Explorer on Windows via group policy.

It doesn't work for Firefox or Java (separate private trusted certificate storage databases).

More importantly: it doesn't work for iPhones, Androids, or Macs accessing intranet resources, or that require a valid certificate to set up an ActiveSync connection.
