Comment: Forever day vulns in IE/XP (Score 1) 292

by tepples (#48627451) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

This "non-trivial number of users" is already compromised or very close to it. Because Microsoft is no longer issuing security updates for Internet Explorer on Windows XP, you can probably assume that Internet Explorer on Windows XP is insecure in other ways that could compromise your users' confidentiality.

Comment: Renewal is manual (Score 1) 292

by tepples (#48627395) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Startssl.com offers free certs

Unlike web hosting, StartSSL does not auto-renew.

contact your hosting provider, and they should be able to do this for free or a very small charge; if they want an arm and a leg, it's time for you to find a better host.

For a small site, WebFaction will probably work unless much of your audience uses Internet Explorer on Windows XP.

Comment: Because not all journals are open access (Score 1) 292

by tepples (#48627263) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Why do we need security to view academic articles

The site needs SSL's confidentiality to protect your session cookie, which represents your subscription to the journal that includes the academic article, from getting Firesheeped by an eavesdropper. And you need SSL's integrity and authenticity to ensure that the data tables in the article aren't modified in transit.

Comment: Paywalls; HTTPS proxy (Score 1) 292

by tepples (#48627223) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

I fail to see how going to my local news site to read about the new antics of our clown politicians needs to be encrypted [...] I will encrypt what I deem to be sensitive in nature.

Your session cookie, which represents your privilege to read the news site, is "sensitive in nature".

and load slower because the proxy can't cache it when a fellow work colleague visited the site earlier in the day.

Just because your "fellow work colleague" paid for a subscription to your local news site doesn't mean you did as well. Even if the site isn't paywalled, you could install the root certificate of your office's HTTPS proxy and surf through that.

Comment: Expectations based on URI scheme (Score 1) 292

by tepples (#48627191) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.

I think this double standard relates to the difference in end users' expectations when they see "http" or "https" in the address bar. People have been conditioned to think it's OK to put in a password or a credit card number just because the URI scheme is "https".

Comment: Annual manual StartSSL dance (Score 1) 292

by tepples (#48627147) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

Why must any site be unencrypted?

Because it may not be worth it for every operator of a small web site to pay extra per month to a hosting provider and certificate provider to enable encryption. In the case of StartSSL, this payment is not in money but in the labor to renew every year. And though modern browsers support Server Name Indication (SNI) to allow name-based virtual hosting over HTTPS, HTTPS shuts out those remaining users of Internet Explorer on Windows XP unless you pay your hosting provider extra for a dedicated IPv4 address.

Comment: Users of your self-signed site (Score 1) 292

by tepples (#48627081) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

I trust that self-signed cert more than any of your "trusted" CAs you fuckers!

The untrusted certificate warning page offers a button to view and add a certificate. If and only if you have verified the key fingerprint of a particular site's self-signed certificate out of band, it's secure to click that button. Just don't expect the general public to add your own site's self-signed certificate without giving them a secure way to verify that they're not behind a MITM.

Comment: Re:503 (Score 1) 292

by tepples (#48627059) Attached to: Google Proposes To Warn People About Non-SSL Web Sites

If you verify the self-signed certificate the first time you use it, it can't be substituted for another self-signed certificate at any later point in time without triggering an alert.

In other words, the logic commonly used with SSH. But it doesn't help if you happen to be behind a man in the middle "the first time you use it". For this first time, you still need some other way of verifying the key fingerprint.
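The "users of your self-signed site" and "Re:503" comments describe SSH-style trust on first use and its weak point, a man in the middle present at first use. As an added example (not from the thread), this is a small known_hosts-style pin store that shows both outcomes: pinning blindly on first use, and refusing when an out-of-band fingerprint does not match; the DER byte strings and host name are constructed placeholders, not real certificates.

```python
import hashlib


def fingerprint(cert_der):
    """SHA-256 fingerprint of DER bytes, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store: host -> fingerprint of the certificate first seen."""

    def __init__(self):
        self.pins = {}

    def check(self, host, cert_der, oob_fingerprint=None):
        """Classify a presented certificate. Returns one of:
        'pinned-verified'   first use, matched the out-of-band fingerprint, pinned
        'pinned-unverified' first use, nothing to compare against, pinned on faith
        'oob-mismatch'      first use, differs from the out-of-band fingerprint, refuse
        'match'             later use, same certificate as pinned
        'mismatch'          later use, certificate changed, alert and stop
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            if oob_fingerprint is None:
                self.pins[host] = fp          # the weak step the comment warns about
                return "pinned-unverified"
            if fp != oob_fingerprint.upper():
                return "oob-mismatch"
            self.pins[host] = fp
            return "pinned-verified"
        return "match" if fp == pinned else "mismatch"


# Constructed placeholders standing in for two DER-encoded self-signed certificates.
GENUINE_CERT = b"constructed DER: genuine self-signed cert for example.test"
OTHER_CERT = b"constructed DER: a different cert presented by an interposer"


def first_use_scenarios():
    """Blind first use pins whatever is presented; an out-of-band check refuses it."""
    blind = PinStore()
    blind_first = blind.check("example.test", OTHER_CERT)            # pins the wrong cert
    blind_later = blind.check("example.test", GENUINE_CERT)          # real cert now alarms
    verified = PinStore()
    oob = fingerprint(GENUINE_CERT)                                  # obtained out of band
    refused = verified.check("example.test", OTHER_CERT, oob)
    accepted = verified.check("example.test", GENUINE_CERT, oob)
    return blind_first, blind_later, refused, accepted
```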

Comment: Re:Copyright expiry differs (Score 1) 92

by tepples (#48626859) Attached to: To Fight Currency Mismatches, Steam Adding Region Locking to PC Games

For one thing, the SCOTUS ruling applies to selling individual physical copies. The Steam, Nintendo eShop, PlayStation Store, and Xbox Live Marketplace services make a new copy on each machine where a game is installed. So the first sale rule about importation of a lawfully made copy doesn't quite apply.

And even in the case of disc games, differences in copyright term can still make a copy "not lawfully made". Let me give a more concrete example: Say there was a book written in 1925 by someone who died in 1940, and someone adapts it into a video game. Thus the video game is a derivative work of the book. Selling a copy of the game in Europe is legal because the copyright in the book expired at the end of 2010. Selling a copy of the game in the US would not be legal until the end of 2020. Under what logic would the derivative become legal to sell in the US just because it was lawfully sold in another country with a shorter copyright term?

Comment: Copyright expiry differs (Score 1) 92

by tepples (#48626557) Attached to: To Fight Currency Mismatches, Steam Adding Region Locking to PC Games

I was under the impression that some region coding exists because of different copyright laws. It might be legal to sell a game in Europe but not in the United States if it's based on a work whose copyright has expired in the European Union (70 years after publication for works made for hire) but not in the United States (95 years after publication for works made for hire), or vice versa (US: 95 years after publication for 1923-1977 individual works; EU: 70 years after death of last surviving author for all individual works).
