Comment: Re: How about basic security? (Score 1) 270

by Dagger2 (#49518463) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

It's actually not much of a problem. I run v6 everywhere and I've never had any problems reaching other v4 hosts.

Why? Because I also run v4 everywhere and use that to reach v4 hosts. This is extremely easy to do: you just deploy v6, and then don't undeploy your v4, and there you go. v6 works over the same network topology as v4 does, so you can easily run both.

This also has the advantage of not being impossible.

Comment: Re:IPv6's day will come, but... (Score 1) 270

by Dagger2 (#49518297) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

I don't buy this argument: tech people manage to remember their v4 addresses today (which usually consist of a pair of 32-bit addresses for each host), so they ought to be able to remember their v6 addresses (which consist of 48-56 bits of prefix plus 8 bits of host ID, with the rest of the bits being zero).

Unless they pick a horrible nasty address that's not mostly zeros, but if you pick a nasty unrememberable address and refuse to use DNS for it then you can't really complain about how nasty and unrememberable it is.

Comment: Re:I need a IPv6 firewall (Score 1) 270

by Dagger2 (#49518259) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

It isn't particularly hard. Just drop connections that come from the internet by default. Something like this in ip6tables on the router:

ip6tables -A FORWARD -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

Basically it's exactly the same as you do on v4, except you don't add a -j MASQUERADE rule. You can open holes in it by doing:
ip6tables -A FORWARD -p tcp -d <dst IP> --dport 3389 -j ACCEPT
or even something like:
ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT
to allow inbound ssh to all machines at once.

Comment: Re:IPv6 is not an upgrade, it's a totally new thin (Score 1) 270

by Dagger2 (#49518075) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

It's not that it wasn't considered. The biggest problem with interop between v6 and v4 is that you can't really do interop between v6 and v4. The v4 header only has 32 bits available for the dest host, so there's no way to specify which v6 host you want to send packets to.

Unless you count NAT64-like solutions or 6to4-like solutions, both of which do already exist.

And IPv6 still has the same shortsighted flaws for futureproofing as IPv4: it lacks extensibility. Sure it looks infeasibly big now, but they keep saying that and then we find we run out of space. It wasn't that long ago when a terabyte was considered unbelievably big, yet now computers routinely come with drives of such capacities!

It does lack a way of expanding the address space, but we'd need to actually run out of space first for that to be a problem, and 128 bits really is a lot. 1 TB drives and v6 are in completely different ballparks: if v4 is 1 TB, then v6 is 80 million billion yottabytes. There are 300 million /64s available... for each person on the planet. And each /64 has essentially no limit on the number of hosts it supports. I could understand an argument that each person might end up running billions of computers (which would be no problem at all), but a quarter of a billion networks? Each?

And that's just using the 2000::/3 space. There are five more unused /3s available, so we could do it all over again five more times (presumably with smaller-than-/64 subnets) before actually running out.

Comment: Re:Opposite? (Score 1) 42

I'd say the main purpose is to encrypt more stuff, and "not throwing a wobbly when you see a self-signed cert" is just a part of that. (Since you can't just turn off cert warnings and be done with it; you need some way to enable encryption without enabling authentication.)

It's not just for forms, or whatever "submit" was supposed to mean. All HTTP requests to the site except for the first one (per session? I'm not sure how long these headers are cached for) will go over TLS.

Comment: Re:Opposite? (Score 1) 42

No, we created it to make it actually possible to do unauthenticated encryption with self-signed certificates on public websites. Currently, nobody uses self-signed certs because of the invalid cert warnings.

<meta> tags or HTTP headers are sent after the SSL negotiation, so neither of them can change the negotiation behavior. (Putting text on the page telling people to ignore the warning doesn't work either, because they'd need to ignore the warning just to see the text.) The only way a new header is going to work is if you use http:// for the first request, and then include a header that tells the browser it can pull the same pages over TLS, but without doing authenticity checks on the certificate.

Which is pretty much how this Alt-Svc header works.

Comment: Re:Opposite? (Score 2) 42

Valid certificate not required. In particular this means you can use self-signed certs without a big massive warning.

Obviously a valid certificate via https:// is better, but if your choice is between a self-signed cert that throws a big warning and unsecured http://, you're going to choose the latter. Alt-Svc adds the option of delivering your http:// site over an encrypted connection.

(Nitpicker's corner: yes, the connection will be unauthenticated, which yes, means an active MITM can still read the contents. An active MITM is harder to pull off than passive sniffing, is obviously more evil, and is detectable, which makes this better than unsecured HTTP even if you don't get 100% perfect protection with it.)
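
The three replies above describe the mechanism in words: the first request goes over plain http://, the response carries an Alt-Svc header, and later requests are pulled over TLS from the advertised alternative, without certificate authentication when the origin is http://. The following is an added example (not code from the comment thread) that parses the Alt-Svc header as RFC 7838 defines it, keeps a per-origin cache honouring the "ma" lifetime that the commenter was unsure about (the RFC default is 24 hours), and builds the TLS context a client would use. The "http:// origin gets encryption without authentication" policy in tls_context_for is this example's own modelling of the scheme under discussion, not any browser's real implementation; origin strings and header values are constructed.

```python
"""Parse and cache HTTP Alt-Svc headers (RFC 7838); added example."""
import ssl
import time
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_MAX_AGE = 86400  # RFC 7838 section 3.1: "ma" defaults to 24 hours


@dataclass
class AltService:
    protocol: str          # ALPN identifier, e.g. "h2" or "http/1.1"
    host: Optional[str]    # None means "same host as the origin"
    port: int
    max_age: int           # seconds the alternative may be used for
    persist: bool          # "persist=1": keep across network changes


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_alt_svc(header: str) -> Optional[List[AltService]]:
    """Return the advertised alternatives, or None for the value "clear"."""
    if header.strip().lower() == "clear":
        return None
    services = []
    for value in _split_outside_quotes(header, ","):
        fields = _split_outside_quotes(value, ";")
        proto, eq, authority = fields[0].partition("=")
        authority = authority.strip()
        if not eq or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            raise ValueError(f"malformed alt-value: {value!r}")
        # alt-authority is [host] ":" port; rpartition keeps IPv6 literals intact
        host, _, port = authority[1:-1].rpartition(":")
        if not port.isdigit():
            raise ValueError(f"bad alt-authority: {authority}")
        max_age, persist = DEFAULT_MAX_AGE, False
        for param in fields[1:]:
            name, _, val = param.partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "ma" and val.isdigit():
                max_age = int(val)
            elif name == "persist":
                persist = val == "1"
            # unknown parameters are ignored, as RFC 7838 requires
        services.append(AltService(urllib.parse.unquote(proto.strip()),
                                   host or None, int(port), max_age, persist))
    return services


class AltSvcCache:
    """Remembers alternatives per origin until their max-age expires."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Tuple[AltService, float]]] = {}

    def update(self, origin: str, header: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        alts = parse_alt_svc(header)
        if alts is None:                      # "clear" forgets everything
            self._entries.pop(origin, None)
            return
        self._entries[origin] = [(a, now + a.max_age) for a in alts]

    def select(self, origin: str, now: Optional[float] = None) -> Optional[AltService]:
        now = time.time() if now is None else now
        for alt, expires in self._entries.get(origin, []):
            if now < expires:
                return alt
        return None                           # expired or unknown: use the origin


def tls_context_for(origin: str) -> ssl.SSLContext:
    """Assumed policy: an https:// origin keeps full certificate validation;
    an http:// origin reached via Alt-Svc gets encryption only (no
    authentication), i.e. protection from passive sniffing but not from an
    active MITM, which is the trade-off the comment describes."""
    ctx = ssl.create_default_context()
    if origin.startswith("http://"):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

A client would call cache.update(origin, response.headers["Alt-Svc"]) after the first plain-HTTP response and then route subsequent requests for that origin to cache.select(origin) over a socket wrapped with tls_context_for(origin); once the "ma" window passes, select returns None and the client falls back to the origin until a fresh header arrives.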

Comment: Re:Good. +1 for Google. (Score 1) 176

by Dagger2 (#49392229) Attached to: Chinese Certificate Authority CNNIC Is Dropped From Google Products

So, with the third party out of the equation, how does one know that the security certificate you receive from is the one that intended you to receive?

By comparing the fingerprint with the list of valid fingerprints for the site, as published by the site via DANE.

Of course, browsers refuse to implement that...
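
The check the comment describes, "compare the fingerprint with the list of valid fingerprints the site published via DANE", is the TLSA matching of RFC 6698. The following is an added example (not code from the comment or from any browser) that builds the TLSA record a site would publish and verifies a presented certificate against a set of records. The usage, selector and matching-type values are from RFC 6698; everything else is assumed: the caller has already fetched the TLSA records over DNSSEC-validated DNS, and supplies the end-entity certificate as DER together with its SubjectPublicKeyInfo as DER (in practice extracted with a library such as cryptography). The byte strings in the usage are constructed stand-ins, not real certificates.

```python
"""Verify a TLS certificate against DANE TLSA records (RFC 6698); added example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Certificate usage (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector (section 2.1.2): whole certificate, or SubjectPublicKeyInfo only
SEL_CERT, SEL_SPKI = 0, 1
# Matching type (section 2.1.3)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def tlsa_from_rdata(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def _association(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the association data for a presented cert under one record's
    selector and matching type. Unknown values raise ValueError."""
    if selector == SEL_CERT:
        blob = cert_der
    elif selector == SEL_SPKI:
        blob = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_EXACT:
        return blob
    if mtype == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata_for(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
                   selector: int = SEL_SPKI, mtype: int = MATCH_SHA256) -> str:
    """Build the TLSA rdata a site would publish for this certificate.
    The default, '3 1 1', pins the SPKI hash and survives reissuing the
    certificate with the same key."""
    assoc = _association(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def dane_ee_accepts(cert_der: bytes, spki_der: bytes, records: List[TLSA]) -> bool:
    """True if some usable DANE-EE (usage 3) record matches the presented
    end-entity certificate. Usages 0 to 2 additionally need PKIX chain
    building or a trust-anchor match against the chain, which this example
    does not model, so such records are deliberately skipped rather than
    treated as a match."""
    for rec in records:
        if rec.usage != DANE_EE:
            continue
        try:
            expected = _association(cert_der, spki_der, rec.selector, rec.matching_type)
        except ValueError:  # unknown selector/matching type: record is unusable
            continue
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


if __name__ == "__main__":
    # Constructed stand-ins for DER blobs; a real client would pass the
    # server's actual certificate and its SPKI.
    cert = b"constructed-end-entity-cert-der"
    spki = b"constructed-spki-der"
    published = tlsa_from_rdata(tlsa_rdata_for(cert, spki))
    print("genuine cert accepted:", dane_ee_accepts(cert, spki, [published]))
    print("substituted key accepted:", dane_ee_accepts(cert, b"attacker-spki", [published]))
```

With a '3 1 1' record, a certificate from any CA, or a self-signed one, is accepted only if its public key hashes to the published value; a certificate issued for the same name by some other CA (the CNNIC scenario in the story) fails the check even though it would pass ordinary PKIX validation.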

Comment: Re:Bulls... since when will self driving cars have (Score 4, Insightful) 451

by Dagger2 (#49290367) Attached to: Lyft CEO: Self-Driving Cars Aren't the Future

I don't know that. It should be perfectly possible to make a machine that can drive as well as, or better than, a human can. Have we managed to make that already? I don't know, but from the info Google have been publishing, it actually looks like we have, or are pretty damn close.

Just because it's a machine doesn't automatically mean that it sucks at making decisions. Humans are machines too, and we let them drive.

Comment: Re:Now if they will sell them without MS Windows (Score 0, Troll) 161

by Dagger2 (#49208831) Attached to: Ultralight Convertibles Approaching Desktop Performance

If it would boot your Linux distro it'd also boot whatever malware was trying to trojan Windows, and that's exactly what they're trying to avoid.

No it's not. Malware is the excuse, much like child porn or terrorists are the excuse for internet filtering (and more or less anything else you want to force through as a law these days).

The real goal is to make it as hard as possible to switch away from Windows.
