
Comment Re:Encryption without trust = dangerous illusion (Score 1) 250

There are plenty of registrars that do this in countries where the laws govern the application of domain names. I didn't get my domain in my own country because of this. I didn't want to go through the hassle of registering a business name, providing identification and tax documentation and then paying 5x more for the domain and hosting as a result of this.

For what it's worth I am not asserting anyone who wants a domain should be vetted in any way. I'm only saying if you're going to hand out domains and certs like candy the domain registrar is the best place to do that instead of doing it separately in a different insecure step elsewhere.

Yes. It's worth remembering why we stepped away from this approach. The

To reduce operating costs and increase profits?

ability to encrypt separately to the high cost of the ability to encrypt + validate kept a large portion of the internet unencrypted. DVs lowered the bar to encryption which cuts out a whole lot of risk factors.

I have no problem with DV itself. I have a problem with vetting of actual organizations being rendered meaningless and I have a problem with CA's being in the business of handing out DV certs.

Err no you can't MitM with a certificate that doesn't match the domain you're talking to.

No need to break a trust chain or develop exotic methods to subvert crypto when the chain of trust itself is an illusion. Consider the following 7-step plan:

1. Gain access to the victim's wires
2. Go to any of a zillion different CA's or LE.
3. Submit CSR or equivalent to chosen CA
4. Follow automated validation procedures
5. Leverage access to victim's wires to screw with unsecured DNS requests and/or unsecured web requests to fool automated validation procedure.
6. Install valid certificate assigned to you by a legitimate CA.
7. Leverage your new certificate to MITM your victim's systems to your heart's content.

CA's have no business handing out DV certs.

Comment Re:Encryption without trust = dangerous illusion (Score 1) 250

WaffleMonster's point as I understand it is that DV should never have existed, that the choice should have been between OV and cleartext passwords.

Once OV effectively died the function should have been handed over to domain registrars who maintain a relationship with domain owners. Registrars are best positioned to hand out certificates as a standard feature of domain ownership. CA's have no business touching DV.

As for cleartext passwords INCLUDING cleartext over TLS there is no excuse for continued use of insecure authentication protocols. Many are being owned because they were taught it is swell to enter passwords into ad hoc web forms whether encrypted or not. A certificate-less HTTP session secured by TLS-SRP provides protection from impersonation. DV does not even pretend to try.

Comment Re:Encryption without trust = dangerous illusion (Score 1) 250

You seem to imply because something is free and automated that there is a lack of trust.

While not my point, I absolutely agree with the above statement because it is factually accurate. ALL of these automated systems depend on INSECURE responses from INSECURE protocols in order to issue certificates including LE.

Third party DV is pointless because registrars are way better positioned to handle this.

The domain registrars need to take over and all of this redundant third party crap needs to go.

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs, outside of the scope of Let's Encrypt, and quite critically also handled and displayed differently to the user by the browsers.

Originally this was NOT the case. To get a cert for your domain you were required to be vetted as an organization. Once CA's got out of the business of vetting organizations rather than ownership of domains they became dangerously redundant.

There's nothing dangerous here, just a bunch of people who don't know what they are talking about. You want to pretend to be go right ahead. You want to pretend to be PayPal Ltd [US] with the domain

Nothing dangerous here after having explicitly discounted endless parades of impersonation attacks. The original value of the CA is effectively gone.

Well Let's Encrypt won't let you do that.

Yes it will if you can manage to intercept traffic from LE and your victim. It's all leap of faith and redundant.

Comment Encryption without trust = dangerous illusion (Score 1) 250

Years ago everyone who wanted an SSL cert had to provide actual corporate documentation reviewed by actual people. Everything was essentially "EV".

Then all the CA vendors said fuck it, let's make more money on volume without doing any work and switched to automated systems.

Finally Let's Encrypt came along and said double fuck it not only will we use automated systems but we'll make it FREEEEEEEEE.

The end result is a phenomenon well known to the technology industry. A race to the bottom where everyone ends up screwed because there is no discipline and no market incentive to choose any path other than the one of least resistance.

We now live in a world where insecure gems like RFC6844 (DNS CAA) are necessary because CA's are too lazy even to be expected to coordinate amongst themselves.

I don't believe a world of countless dozens of overlapping planet scale trust anchors is rational to begin with. I have always advocated for any signing to leverage domain holders' relationship with their registrar as a standard feature of domain ownership and get lazy third party CAs out of the equation altogether. The whole system has basically devolved into this only with much worse security/financial/effort outcomes for all concerned anyway. Way past time to force the world's CAs out of business.

Yes originally it at least made sense if you were a bank or ecommerce site or something important you paid dearly each year for a cert and got something out of it in return. The second CA's abdicated their only value over domain registrars ... meaningfully vetting those seeking their blessings it should have been the second they ceased to exist altogether. They essentially became parasitic leeches from that point forward and the world has suffered for it as a result.

Comment Re:sorry, but most people want that. (Score 1) 104

The world makes a lot more sense when you look to people's real world choices as a measure of what they want. They had choices. They made their choices in ways that favored constant tracking and surveillance.

What people want is separate from what they understand or are willing to accept. You're willfully conflating two unrelated concepts.

Comment Tu quoque (Score 1) 104

Forced enslavement of 12 year old children to work coal mines is legal in Oregon so it should be legal in all remaining 49 states.

My neighbors happen to be contract killers so murder should be legal.

Yo Judge!! some dude in front of me was speeding like waaayy faster than me so I shouldn't have to pay this here traffic fine.

Shoplifting should be legal because I live on the west side and EVERYONE else does it.

BUUUTTT MOOOOMMEEEEE!!!! Lil Jimmy did it tooo!!!!!!

Comment Re:DRM (Score 4, Insightful) 255

As with almost all technology, it depends on context.

The context of EME is the world's Internet users.

DRM can be abused to lock up content far in excess of normal copyright protections.

DRM also makes new and useful business models practical, giving us modern replacements for old school rental stores from the likes of Netflix and Spotify, which obviously work out for a lot of people.

There is no mystery or question surrounding the result.

Content providers are somewhat limited to means of access and distribution to what people actually have unless willing or able to go out of their way. When you lower the barrier for making DRM viable the practical result is more DRM. This WILL happen.

This means more browsers downloading and executing black boxes from companies like Adobe. An outstanding trustworthy organization with an absolutely out of this world stellar security record.

For those who think restricting access and encouraging proliferation of closed proprietary bullshit is bad widespread EME in browsers does exactly this.

Protocol/standards designers have very little actual power to dictate terms to anyone yet they are hardly powerless. While capacity for mitigating unchecked commercial interests is often severely constrained the capacity to cause damage by letting them run rampant is not so limited.

When organizations like W3C allow themselves to be corrupted ICANN style it's time for those who care to divest themselves and support a competing structure. W3C is VOTING for the legitimacy to go ahead with this knowing full well there is nothing approaching broad consensus on the subject. The procedures they are using to achieve the desired result (DRM) are explicitly against their own stated principles.

Comment STT-MRAM or bust (Score 1) 63

XPoint is well... pointless. It can't compete with MRAM and by the time it matures enough (If it matures enough) to substitute flash in any kind of significant way MRAM is likely to have already taken over.

MRAM has effectively infinite read/write endurance, high density and performance characteristics of static ram.

XPoint even if executed perfectly has only a narrow window in which it can hope to remain relevant.

Comment SJW approved projection (Score 0) 319

There are a number of compromise projections which are better overall representations for general purpose use. Equal area maps distort landforms. Conformal maps distort area and so selecting one of either extreme is always suboptimal as a general purpose representation.

The only reason anyone knows or cares about this projection is the re-inventor of the projection's past political statements. Trading one extreme for another isn't progress. It's just stupid.

Comment Re:Lots of links to articles, phfft (Score 1) 234

What the author was implying is that you should take relatively straightforward components of a function and break them out as their own sub-functions with a very descriptive name, especially the inner workings of nested loops. If you take the inner loop and replace it with a function call that describes what the inner loop does, then your outer loop actually gets much easier to read, as it does not have the distraction of the gritty details of how the inner loop performs its duties. With properly written sub-functions, you can simply read the name and understand what it is doing without having to actually read the function at all. I have personally done code reviews on code that has been re-factored in this fashion, and the readability of the code is night and day.

I disagree. Commenting a code block accomplishes the same thing and "distractions" reasoning for taking up a few more lines on a page is of unconvincing value and probably dangerous. What IDE does not allow you to collapse by scope? For all you know someone may discover an important side-effect by actually noticing structure of intervening code. When you replace comments with function names then function names also risk becoming as stale and dangerous to believe as comments.

My personal view is that organizing code generally to maximize readability at the expense of minimizing complexity leads to unnecessary accumulation of debt that will ultimately be paid back with interest in any non-trivial project.

Comment Re:VR naysaying (Score 1) 141

Actually the Vive is not tied to Steam at all. You can use it with OpenVR, never even install Steam. Don't let facts get in the way of your bullshit though.

This is incorrect. OpenVR is just an interface shim. You need a hardware stack to drive it and that stack for Vive can only be installed via Steam.

Comment Re: The best one... (Score 1) 141

Just wondering, have you tried Minecraft, or any game where you have to "walk" using a controller or keyboard? I don't mean teleporting. Games that make you strafe or move forward/backward without actually moving are the only thing that make me feel queasy. Most games avoid that though since they figured it out in testing. If you have tried those games and don't get sick, mind telling me what graphic card you have? I use a 980 and was thinking that the motion sickness effect could be refresh rate related.

Everyone is busy royally fucking up locomotion. Strafing motions are fine. I've played overload alphas (DESCENT) for hours in VR with no problems. Strafe only controls are awesome.

What is getting everyone sick is move to where you are looking schemes which intentionally create disconnects in change of direction/rotation without the user actually doing it. I would argue in many cases without actually wanting to do it either. These mechanics actively penalize players for daring to look around.
