Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment: Re:Ugh, WordPress (Score 1) 29

I recently moved from hand-written HTML for my personal site to Jekyll, which is the engine that powers GitHub pages. It does exactly what I want from a CMS:
  • Cleanly separate content and presentation.
  • Provide easy-to-edit templates.
  • Allows all of the content to be stored in a VCS.
  • Generates entirely static content, so none of its code is in the TCB for the site.

The one thing that it doesn't provide is a comment system, but I'd be quite happy for that to be provided by a separate package if I need one. In particular, it means that even if the comment system is hacked, it won't have access to the source for the site so it's easy to restore.

Comment: Re:Validating a self-signed cert (Score 1) 346

by TheRaven64 (#48623991) Attached to: Google Proposes To Warn People About Non-SSL Web Sites
That's the best way of securing a connection, but it doesn't scale. You need some out-of-band mechanism for distributing the certificate hash. It's trivial for your own site if you're the only user (but even then, the right thing for the browser to do is warn the first time it sees the cert), but it's much harder if you have even a dozen or so clients.

Comment: Re:The web is shrinking (Score 1) 346

by TheRaven64 (#48623981) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

The 'brought to you by' box on that site lists Mozilla, Akamai, Cisco, EFF, and IdenTrust. I don't see Google pushing it. They're not listed as a sponsor.

That said, it is pushing Certificate Transparency, which is something that is largely led by Ben Laurie at Google and is a very good idea (it aims to use a distributed Merkel Tree to let you track what certificates other people are seeing for a site and what certs are offered for a site, so that servers can tell if someone is issuing bad certs and clients can see if they're the only one getting a different cert).

Comment: Re:This again? (Score 1) 346

by TheRaven64 (#48623971) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

It depends on your adversary model. Encryption without authentication is good protection against passive adversaries, no protection against active adversaries. If someone can get traffic logs, or sits on the same network as you and gets your packets broadcast, then encryption protects you. If they're in control of one of your routers and are willing to modify traffic, then it doesn't.

The thing that's changed recently is that the global passive adversary has been shown to really exist. Various intelligence agencies really are scooping up all traffic and scanning it. Even a self-signed cert makes this hard, because the overhead of sitting in the middle of every SSL negotiation and doing a separate negotiation with the client and server is huge, especially as you can't tell which clients are using certificate pinning and so will spot it.

Comment: Re:So perhaps /. will finally fix its shit (Score 2) 346

by TheRaven64 (#48623949) Attached to: Google Proposes To Warn People About Non-SSL Web Sites
Every HTTP request I send to Slashdot contains my cookie, which contains my login credentials. When I do this over a public WiFi network, it's trivial for any passive member of the network to sniff it, as it is for any intermediary. Worse, because it uses AJAX stuff in the background, if I briefly connect to a malicious access point by accident, there's a good chance that it will immediately send that AP's proxy my credentials. I've been using this account for a decade or so. I don't want some random person to be able to hijack it so trivially.

Comment: Boy who cried "wolf" (Score 2) 346

by antifoidulus (#48622967) Attached to: Google Proposes To Warn People About Non-SSL Web Sites
Have they ever read "The boy who cried wolf"? You warn people that their local community bulletin board website isn't encrypted enough times and they will probably start to ignore all your warnings. All this would probably do is annoy people to the extent that they will automatically click away any warning window, including when certs are invalid, possibly forged etc. In other words, it will really annoy people and could even be detrimental to security. Maybe if they restricted it to POSTs not GETs, though that may just incentivize lazy developers to use GETs instead of POSTs.....

Comment: Disgusting! (Score 5, Funny) 81

by fuzzyfuzzyfungus (#48620237) Attached to: Manufacturer's Backdoor Found On Popular Chinese Android Smartphone
It's repulsive the sort of tactics that commie chinamen will stoop to, putting backdoors into their products like that. Why, here in America, those are 'features' that you consent to by opening the package, as documented on page 46 of the EULA, as interpreted in mandatory binding arbitration by the company's legal team! It must suck to live in such a benighted, unfree, country, where your cellphone is probably spying on you and may well come preloaded with malware...

Comment: Re:Hmmmm ... legality? (Score 1) 138

by Anonymous Brave Guy (#48619349) Attached to: Amazon UK Glitch Sells Thousands of Products For a Penny

It certainly seems to be true that courts in the UK have shied away from questions of whether any given level of consideration is sufficient, favouring a simple finding of whether there was any consideration or not. My intended point was more that while obvious nominal consideration explicitly written into a negotiated contract might reasonably be interpreted as a demonstration of intent to enter into a binding agreement, in this case I'm not sure how well that argument works. In other words, it's not just about whether 1p constitutes consideration, it's about whether that nominal consideration demonstrates an intent to commit to the deal. It would be interesting to hear what any actual lawyers thought about this argument, but sadly it doesn't look like we'll find out here.

Comment: Re:This is not the problem (Score 1) 638

by TheRaven64 (#48619343) Attached to: Economists Say Newest AI Technology Destroys More Jobs Than It Creates
You're right, but it's not always the devices within the same product category. A lot of stuff that's in consumer devices begins life in very niche applications (e.g. military or medical devices) to get the first bit of R&D funding and then needs another big chunk to become cheap enough for consumer devices.

Economists state their GNP growth projections to the nearest tenth of a percentage point to prove they have a sense of humor. -- Edgar R. Fiedler