
Comment Re:Mailing lists (Score 1) 139

Unfortunately, DMARC breaks even mailing lists which do not tamper with the contents of the messages at all. The reason is simple: SPF. Rewriting envelope senders has been the proper way of forwarding mail for ages.

If you want to have proper integrity checks of e-mail messages, use PGP, not DMARC.

Comment Re:Mailing lists (Score 2) 139

What they mention is not a list of solutions, but a list of silly work-arounds, which break well-established semantics of e-mail headers. Falsifying information about the author of the message (that is, the From header) for the sole sake of making the message compatible with DKIM is broken.
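As an added example (not part of either comment above, and not anyone's production code), the DMARC identifier-alignment check from RFC 7489 run over constructed authentication results for a message that a list relays with a rewritten envelope sender; it carries the check through the DKIM path as well and through the From-rewriting work-around the second comment objects to. The domain names, the policy record and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (a real check consults the public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    spf_result: str   # SPF verdict for the RFC5321.MailFrom (envelope sender) domain
    spf_domain: str   # the envelope-sender domain SPF was checked against
    dkim_result: str  # verdict of the DKIM signature, "none" if the message has none
    dkim_domain: str  # d= tag of that signature

def dmarc_evaluate(from_domain: str, auth: AuthResults, policy: dict) -> dict:
    """Which authenticated identifiers align with RFC5322.From, and the resulting disposition."""
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, policy.get("adkim", "r"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if (spf_ok or dkim_ok) else policy.get("p", "none")}

# Constructed scenario: the author's domain example.com publishes "v=DMARC1; p=reject; aspf=s; adkim=s".
POLICY = {"p": "reject", "aspf": "s", "adkim": "s"}
FROM_DOMAIN = "example.com"  # From: alice@example.com

# 1. Direct delivery: envelope sender is alice@example.com, so SPF and DKIM both align.
DIRECT = AuthResults("pass", "example.com", "pass", "example.com")
# 2. Relayed by a list that rewrites the envelope sender to its own bounce address at
#    lists.example.org but leaves the bytes untouched: SPF no longer aligns, DKIM still does.
LIST_UNTOUCHED = AuthResults("pass", "lists.example.org", "pass", "example.com")
# 3. Same list, but it appends a footer: the author's DKIM signature now breaks too.
LIST_FOOTER = AuthResults("pass", "lists.example.org", "fail", "example.com")
# 4. The From-rewriting work-around: the list replaces the author's From with its own
#    address, so alignment is judged against lists.example.org (and its DMARC record,
#    assumed here to be the same strict policy) rather than against example.com.
REWRITTEN_FROM_DOMAIN = "lists.example.org"

if __name__ == "__main__":
    for name, frm, auth in [("direct", FROM_DOMAIN, DIRECT),
                            ("list, untouched", FROM_DOMAIN, LIST_UNTOUCHED),
                            ("list, footer", FROM_DOMAIN, LIST_FOOTER),
                            ("list, From rewritten", REWRITTEN_FROM_DOMAIN, LIST_FOOTER)]:
        print(f"{name:22s} -> {dmarc_evaluate(frm, auth, POLICY)}")
```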

Comment Re:Some Sense Restored? (Score 2) 522

A traditional init script is just a shell script, including almost invariably a couple of nasty race conditions and other subtle bugs. Starting and stopping a daemon safely is close to impossible in shell. I am not a huge fan of systemd, but init scripts written in shell are a nightmare.

Comment Re:NSA (Score 1) 127

I think part of the rationale is that a self-signed certificate very well might be a sign that you're the victim of a man-in-the-middle attack, and it needs to be treated as a serious potential threat.

This sounds good in theory, but the reality is that self-signed certificates (or those signed by an authority your browser does not recognize) are several orders of magnitude more common than MiTM attacks.

Otherwise, I agree that a big part of the problem is unusable UI for managing certificates in almost all existing browsers.

Comment Re:NSA (Score 1) 127

I expect the browser to clearly inform the user whether the connection is safe (HTTPS with a verified certificate) or unsafe (either plain HTTP, or HTTPS with an unknown certificate). I also expect the user to check that a connection to his bank is reported as safe. If you are interested in preventing attacks against careless users, the browser might also notify the user that a site previously known to have a safe connection, no longer has one. However, I do not think this is of much help: many users just enter the domain name of their bank and rely on the bank to redirect the HTTP version to the HTTPS one, which is where a MiTM attacker can always succeed. (An interesting special case is invalid certificates: expired ones, or certificates issued for a different domain. Here, a big fat warning could be appropriate.)

Comment Re:NSA (Score 5, Insightful) 127

Is "as bad as no encryption" a reason for yelling at the user and presenting it like the worst security problem ever? Even if I accept the premise that it is as bad as no encryption, the obvious conclusion is that the browser should present it the same as no encryption.

Actually, it is not as bad. It still keeps you safe from passive attacks (like your ISP collecting all data for a three-letter agency, which analyses them later).

Comment Re:RTFA (Score 1) 530

Actually, people with exceptionally good problem-solving abilities seldom have exceptionally high scores in IQ tests, since they often find multiple solutions to a task, totally unexpected by the test's author.
