
Comment Re:Phishing is good (Score 1) 249

If by succeeding, you mean completely failing to have any significant role in online commerce, and not being a significant source of information beyond currently trending events, then sure. Call me when there's something equivalent to Wikipedia that's built into Facebook without linking out into the Internet as a whole, or something equivalent to Amazon, or something equivalent to airline and hotel reservation websites, or....

So no, Facebook is not succeeding as a replacement for the Internet—only for the very narrow slice of the Internet that was previously dominated by MySpace.

Comment Re:Never saw that coming (Score 1) 249

It's not always a home ISP that's doing subtle MITM modification. It might be someone malicious in the same coffee shop as you.

Assuming DNSSec gets deployed as it should, someone in the same coffee shop will be able to passively snoop, but won't realistically be able to be in the middle of the communication unless the infrastructure is badly broken. After all, two hops over Wi-Fi should always realistically have higher latency than one hop plus a DHCP response. The biggest weakness is UDP-based DNS. For that matter, you could disable UDP-based DNS today, and you'd pretty much kill any hope of MiTM attacks by anybody other than your ISP. Arguably, you probably should.

Or it might be a government agency using the Fullscreen API to spoof the chrome of the entire desktop environment.

At that point, your endpoint is untrusted, so the communication is untrusted, period. There is no security mechanism that can have any real benefit if you cannot trust the browser itself or the operating system under it.
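The comment above argues that the practical weak point is UDP-based DNS and that DNSSEC validation should eventually become mandatory. As an added illustration, not code from the commenter or from Slashdot, the following Python builds a DNS query over TCP with the EDNS0 DO bit set and checks the AD (Authenticated Data) flag in the response. The resolver address is an assumed placeholder. The caveat a practitioner should keep in mind: the AD bit only tells you that the recursive resolver you asked claims to have validated the chain; if the path to that resolver is itself untrusted, validation has to happen locally on the client to mean anything.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
DNS_FLAG_QR = 0x8000  # response
DNS_FLAG_RD = 0x0100  # recursion desired
DNS_FLAG_AD = 0x0020  # authenticated data (resolver validated with DNSSEC)
EDNS_DO = 0x8000      # "DNSSEC OK" bit in the OPT record's TTL field


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query for `name` (type A by default) with RD set and an
    EDNS0 OPT record carrying the DO bit, so the resolver returns DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    qname += b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(response):
    """Return the transaction id and the header flags we care about."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & DNS_FLAG_QR),
        "ad": bool(flags & DNS_FLAG_AD),
        "rcode": flags & 0x000F,
    }


def validated_answer(response, expected_id):
    """True only if this is a NOERROR response to our query and the resolver
    set AD, i.e. it reports the data as DNSSEC-validated."""
    f = parse_flags(response)
    return f["qr"] and f["id"] == expected_id and f["rcode"] == 0 and f["ad"]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_tcp(name, resolver, port=53, timeout=5.0, txid=0x1234):
    """Send the query over TCP (two-byte length prefix, RFC 1035 section 4.2.2)
    and return the raw response message."""
    msg = build_query(name, txid=txid)
    with socket.create_connection((resolver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, length)


if __name__ == "__main__":
    # Assumed placeholder resolver address; replace with a validating resolver you trust.
    RESOLVER = "192.0.2.53"
    resp = query_tcp("example.com", RESOLVER)
    print("DNSSEC-validated:", validated_answer(resp, 0x1234))
```

Running this against a resolver that does not validate will simply report False for every name, which is the point: the AD bit is a claim by the resolver, so the decision to trust it belongs with whoever controls the path to that resolver.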

Comment Re:i cant believe what im seeing. (Score 1) 69

My one wish before I die --assuming I can merge-- is to see the second sign for the exit to Interstate 10. Could this app be the miracle I've prayed for between prayers for the sweet release of death? I sure hope so.

Fear not, my friend, for I have heard tales of a land beyond the jam—a mythical place called the O.C.—where giant mice and princesses roam the streets and the terrors of Hollyweird are but a distant memory. But to get there, you must turn left now, for your current path leads only to drowning after you drive off into the ocean at Huntington Beach. Beware the Tides of March.

Comment Re:Never saw that coming (Score 1) 249

Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?

You don't, but it almost never matters. MiTM attacks tend to be harder than passive sniffing, and there are very few reasons why any ISP in its right mind would do so. They're far more likely to do blocking, or redirect a streaming site to their own streaming site, or other absurdity that's easy to spot.

Comment Re:but you arent a traditional CA (Score 1) 249

The few times I've used Let's Encrypt was during testing phases, as a placeholder until I had the time to get a "real" cert. My company has an inane procedure to get purchase orders to pay for anything, so often it takes a couple of weeks to get to the point of being able to purchase anything via a "new vendor". If you can't afford $5 or so to get a year-long cert, then you're either not serious about your site or doing something wrong.

Or you have more than the one subdomain that most CAs allow for $5 certs. Even with a limit of five for Let's Encrypt, it takes two certs for my main domain. Bare domain, www, images, git, homeserver, kinji, and I feel like I'm still forgetting one. A wildcard domain cert starts at two hundred bucks.

Comment Re:Never saw that coming (Score 1) 249

Does anyone remember what the point of SSL was? It's just so our users don't see the non-SSL warning, right?

You say that jokingly, but there's some truth to that. The need for TLS is proportional to the damage done by compromising the connection. Informational websites with no credentials do NOT need TLS, typically, and the push to add TLS more broadly has played a major role in lowering the bar for getting a cert (out of necessity), thus weakening an already weak system further.

Comment Re:Phishing is good (Score 1) 249

Normal people may want to visit PayPal for the first time ever, which means no AutoFill data or any indication they've arrived at the website they can really trust.

Normal people trust their search engine to return the real PayPal site when they search for it. The worst realistic scenario from a non-user getting otherwise redirected to a fake version of the site is having to contest false charges on a credit card and report the card stolen. No big deal. It becomes dangerous when you associate a bank account with it, which no mentally competent person should do when visiting a site referred from some random new website. But once you have done that, accidentally giving out your password to a phishing site becomes a really big deal, because you probably won't get that money back.

Idiots who say you should trust a website based on its name think too much of people.

What the h*** else can you possibly use as a basis for trust? Do you expect us to create a little walled garden that prevents the free flow of information just in case some bad person decides to do something bad with that ability? We had that. It was called AOL, and it failed because it was too limited compared with the real web.

The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

You should really be encouraging broader adoption of DNSSec so that we'll eventually be able to make DNSSec validation mandatory instead of whining on Slashdot that we aren't taking the problem seriously. Or propose a better solution. Either way.

Sorry, I've never seen so many idiots at /. simultaneously.

With all due respect, has it ever occurred to you that if you think a large number of really smart people are idiots, it probably means that you don't understand the problem as much as you think you do? Just saying.
