But do well-known companies still make VCRs with a digital OTA tuner and affordable blank tapes? I thought new VCRs sold nowadays were either A. limited to line-in recording, which means you have to sit there and change the channel between one timer program and the next, or B. not actually VCRs but VCPs (video cassette players

You make a good point. I guess my misconception was that sender pays for long haul transit and the endpoint pays for the last mile. But if receiver pays, even for long haul, then you can DDoS someone's billing by flooding his connection with packets. And if receiver pays, even for long haul, then why does Comcast slow down Netflix? All Comcast's customers are already paying.

If "Jehovah" ought to be discarded due to sound changes and scribal errors, why isn't "Jesus" discarded in the same way?

TL;DR: Install Perspectives if you want to use an unknown CA.

Broken by StartSSL, which provides personal use certificates without charge.

They can. They just have to find some out-of-band way to get their keys onto visitors' machines in order to circumvent a MITM-from-day-one attack. This could involve DANE, which puts keys and certificates in DNSSEC. Or it could involve the Perspectives extension for Firefox, which verifies a site's certificate through diverse Internet routes between the site and notary servers whose certificates are delivered in a browser extension package signed by the browser vendor.

I have my own problems with PGP's assumption of transitive trust. Just because you can vouch for someone's identity doesn't mean you can vouch for that person's ability to correctly vouch for others' identities.

If you feel so strongly that I am lying to myself, then please explain what is incorrect in the following three statements: TCP is a connection-oriented protocol in the Internet Protocol Suite. TCP connections have two halves, one in each direction. Traffic is billed based on who sends more data down each half of the connection.

So how do you make sure your Internet connection doesn't have a man in the middle attack from day one?

The monetary barrier hasn't been on the very itself for at least a couple years. It's been in the fact that older TLS stacks (such as those that shipped with Windows XP and Android 2.x) couldn't handle Server Name Indication (more than one certificate per IP address), along with the disappointingly slow uptake of IPv6. So until April of this year, when XP security patches ended, each site owner needed to pay its hosting service for a separate IPv4 address.

The ISP's premises is the private property of the ISP. If Netflix wants its box sitting in Comcast's private property, it can pay rent, just as you would have to pay rent to lawfully live on private property owned by a landlord.

Since when does Comcast offer a platform for amateurs and small-time professionals to publish their videos? I thought Comcast was for the Disneys, Scrippses, and Discoverys of the media world.

Cogent offered half a year ago to pay the actual costs of the upgrade. The ISPs in question appear to want to extract a markup on top of that.

You are correct that TCP is stateful. But the fact that TCP is stateful is irrelevant. ISPs are Internet Service Providers, and Internet Protocol is stateless. From the point of view of an ISP's infrastructure, TCP is just an application that runs on Internet Protocol. Otherwise, it'd be possible to manipulate billing through the equivalent of switching between FTP's PORT and PASV commands, which change only who sends the SYN.

So why don't ISPs accept Netflix's offer to provide a caching server without charge that keeps the most popular traffic on their net?

And Netflix "calls" you back with the data.

A circuit-switched network such as the PSTN allows sending information in both directions over one "call". A packet-switched network such as the Internet, on the other hand, doesn't see "calls"; it sees "datagrams". Except for last mile customers, each side pays for how many packets it sends. Otherwise, it'd be possible to manipulate billing by doing the equivalent of the difference between PORT and PASV in FTP.

Then ask about a specific work to which Netflix has the rights and the TV provider division of the ISP does not. "I'm having trouble watching House of Cards at home. It works fine on $different_isp_next_town_over. Might this be a problem with Comcast?"

Do you really mean "every browser in the world" that supports TLS or just "every major desktop browser" that supports TLS? I was under the impression that some of the browsers that run on home entertainment hardware lacked UI for adding a certificate. For example, where might I find CA options on, say, "Internet Channel powered by Opera" for the Wii video game console?