
Comment Product placement (Score 1) 66

There's no commercial free option for Sling, there's no commercial free version for PS Vue

Would you prefer $200 per month? Because that's what Sling and the like would cost if every channel were as expensive as HBO.

why pay for a service and still be saddled with commercials?

What would the film The Wizard be without commercials for NES games?

Comment Re:Apple problem mostl or platform-independent iss (Score 3, Informative) 115

The closest thing to "something inherent about the Apple design" is Apple's tighter control over production of devices with Lightning and MagSafe connectors through refusal to license relevant patents. Android devices, on the other hand, use standardized USB micro-B and USB C connectors. Licenses for patents that cover standard USB connectors are offered under "FRAND" (uniform royalty) conditions. So any safe USB charger is a safe Android charger.

Comment Which Wikipedia pages you view may be sensitive (Score 1) 43

If you want to selectively block media types, you can do that using a browser extension installed on each PC. Or you can set up a proxy on localhost on each PC and have the browser installed on that PC trust that proxy's root certificate. Then you're back down to two parties being able to see the communication: the client and the localhost proxy, and the server. This regains blocking by media type but loses a shared cache.

It's also possible to configure your Squid proxy to behave differently on sites that are unusually privacy-sensitive using a stare rule. Log the SNI field of each ClientHello message from your proxy's clients. Build a list of which hostnames ought to be cached (high-traffic sites) or not (financial or medical sites), and be transparent with your users about the process of building this list. Bump (MITM) the high-traffic sites so that you can cache them, and splice (tunnel) the sensitive ones so that you can reassure users that your proxy isn't snooping this particular connection. The user will be able to tell whether a connection is through your proxy by looking at who issued the certificate. For example, in Firefox, one can click the lock in the URL bar, click the right arrow, and read "Verified by:".

On the other hand, see replies to bigjosh on Coding Horror Discourse, who expressed the same need for caching. One of the replies expresses a possibility that the fact of having read articles about a particular subject on Wikipedia might itself be sensitive even if Wikipedia is public and cacheable.

Comment Re:https "evRywhr" is 4 sites, not so much, Users. (Score 1) 43

Do you disbelieve that root CAs in the US or other monitoring countries couldn't be forced to give out subordinate CAs to install at ISP monitoring sites?

That's what "certificate transparency" is supposed to block.

MITM proxying that lowers security for all https sites (finance, et al.).

The problem might be related to the historic use of the scheme and port as a hint for whether or not it ought to be possible to treat a particular connection as Cache-Control: public or not. I'll have to think about how to most effectively express this problem to "encrypt all the things" types.

Simply going with HTTPS instead of HTTP creates increased server load and increased network latency.

There are anecdotal reports that HTTP/2 over TLS can have less latency than cleartext HTTP/1.1. So if you add HTTP/2 to your MITM, you may be able to mitigate some of the TLS overhead.

From the time I connect to some sites till I leave, Google, et al., have encrypted connections going.

A hosts file or client-side tracking blocker extension works for HTTPS just as well as for cleartext HTTP.

Comment Two alleged infringements in Emacs (Score 2) 69

When the notice states that the "infringing file" was an Ubuntu ISO image... This was years ago

Was this around July 2011, when Emacs was discovered to include copyright infringements? Or around June 2012, when certain falling block games were ruled to infringe copyright, with M-x tetris in Emacs possibly next on the hit list of a video game developer who thinks free software should never have existed because it destroys the market?

Comment Re:https "everywhere" is 4 websites, not so much U (Score 1) 43

When you connect to an encrypted site, you really connect to your ISP's pass-through traffic decoder, which then passes another encrypted circuit on to wherever you were going.

That's true only if your ISP is using an intercepting proxy. Because the proxy's internal CA is not installed as a trusted root on a stock client, a stock client will display an "untrusted issuer" warning. So I imagine that networks serving only a minority of clients, such as corporate or school networks or ISPs in less-developed economies, would force an intercepting proxy on clients newly introduced to the network.

HTTPS safety is an "illusion" to get you to use it so you can't easily be selective about what you block or cache by site.

Blocking "by site" is still possible with HTTPS, as the Server Name Indication (SNI) field of the TLS ClientHello message contains the hostname in cleartext so that the server can know which virtual host's certificate to present. Intermediate caching or blocking at a finer level than "by site" does require MITM though.

Caching rate on HTTP sites: 10-30% or higher; on HTTPS: 0%

Are you referring to caching on the client or caching on intermediate proxies? Clients cache HTTPS the same way they cache cleartext HTTP. Intercepting proxies cache HTTPS only if the user has chosen to trust the proxy.
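The two comments above (the Squid bump/splice policy keyed on logged SNI, and the point that SNI in the ClientHello is cleartext) can be shown end to end with a small script. This is an added example, not code from the original comments or from Squid: it builds a constructed ClientHello, pulls the host_name out of the server_name extension the way an intercepting proxy would see it before any key exchange, and then returns a bump-or-splice decision from two constructed host lists (the hostnames and list contents are assumptions for illustration). Anything that is not a well-formed ClientHello with an SNI falls through to "splice", so a malformed or nameless hello is never bumped by accident.

```python
"""Added example (not from the original Slashdot comments or from Squid):
parse the cleartext SNI out of a TLS ClientHello and apply a
bump-or-splice policy keyed on hostname, as the comments above describe
a caching proxy doing."""
import struct

# Constructed policy lists (assumption: a real proxy would load these
# from a published, user-reviewed file rather than hard-code them).
CACHEABLE_HOSTS = {"en.wikipedia.org", "upload.wikimedia.org"}
SENSITIVE_HOSTS = {"bank.example", "clinic.example"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying a
    server_name extension. Only used to produce sample input offline."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    hello = (
        b"\x03\x03"                           # client_version TLS 1.2
        + bytes(32)                           # client_random (zeros: constructed sample)
        + b"\x00"                             # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if the
    record is not a ClientHello, is truncated, or carries no SNI."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        body = record[5:5 + rec_len]
        if body[0] != 0x01:                        # not a client_hello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                            # truncated handshake
        pos = 2 + 32                               # skip version + random
        pos += 1 + hello[pos]                      # session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + cs_len                          # cipher_suites
        pos += 1 + hello[pos]                      # compression_methods
        if pos + 2 > len(hello):
            return None                            # no extensions block
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide_action(hostname):
    """Squid-style ssl_bump decision: bump only hosts on the published
    cacheable list, splice everything else (including unknown or no SNI)."""
    if hostname is None or hostname in SENSITIVE_HOSTS:
        return "splice"
    if hostname in CACHEABLE_HOSTS:
        return "bump"
    return "splice"


def log_and_decide(record: bytes) -> str:
    """The kind of log line the comment suggests keeping while the host
    lists are being built; returns 'sni=<host> action=<bump|splice>'."""
    host = extract_sni(record)
    return f"sni={host or '-'} action={decide_action(host)}"


if __name__ == "__main__":
    for h in ("en.wikipedia.org", "bank.example", "news.example"):
        print(log_and_decide(build_client_hello(h)))
```

Two things the code makes concrete. First, before bumping, the proxy sees only the hostname, never the path, so a hostname-level policy cannot tell which Wikipedia article is being read; once a host is bumped, every URL on it becomes visible to the proxy, which is exactly the concern raised about Wikipedia reading history. Second, a ClientHello with no readable name (for instance one using Encrypted Client Hello) yields None and is spliced, which is the safe default for a proxy that promises not to snoop connections it has not explicitly decided to cache.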

Comment Re:https "everywhere" is 4 websites, not so much u (Score 1) 43

That's what I meant by https "everywhere" harming security for those sites that have a legitimate need for it. Implementing a MITM proxy makes all https streams less secure.

Cleartext HTTP: Any router on the path can see the communication.
HTTPS: Only three hosts can see the communication, namely the client, the server, and the corporate MITM.

It's still an improvement.

The more internal proxies that implement MITM HTTPS for their internal needs/wants, the more those not wanting those streams to be easily visible or cacheable will work to disable that "hole".

Are you referring to public key pinning? Native apps for smartphone-derived operating systems already do this as a common practice.
