
Comment Re:Are they big enough? (Score 1) 111

yes. for 3 reasons:
- when you get a CA, you want it to work in all browsers... market share may not be high, but it is still a very popular browser. spreading the word that the site does not work in all browsers is enough to cause panic in many people

- mozilla, microsoft, google and apple are usually in sync about CA issues. This was found by mozilla and they decided the action they will take... other companies will now analyze this and take their own actions. As mozilla's action is a good one, it may be accepted by the other companies as well. The political power of mozilla is a lot higher than the 8%

- MS Edge has 5%, less than firefox... would you ignore it? market share numbers change a lot across countries, sites, user type and type of device. Mozilla on mobile has a very low market share and higher on desktop... all this is just junk numbers, when users start to complain, the perceived small market share number seems to increase by magic :)

Comment Re:Damnit, I'm on Startcom (Score 1) 111

read the article: only NEW certs will be distrusted, existing ones will keep working, until they expire.
In a year, if they behave and follow all rules, they MAY be trusted again.... if they keep doing wrong things, they will be removed.
basically, mozilla removed the CA market from them for one year as penalty

Comment read the article: only NEW certs will be distrusted (Score 1) 111

please read the article... only the NEW certs will be distrusted, old ones will stay valid until they expire. You might have problems only on renewals...

If they behave well and follow all the rules, in one year they may be trusted again... if they keep trying to issue certs using past dates, they will be totally removed and if they ever try to reenter the CA business, they will have to follow again all the audits, tests, checks, etc... takes ages, lots of money and in the end, mozilla can still say "NO"

Comment They are lucky! (Score 1) 1

After reading the document, they are breaking the rules and lying about that. Also, they tried to hide that they control startcom (for many people) and changed the way they worked. For a type of service based on TRUST, this breaks all the trust in their actions and leadership.

They are lucky to ONLY get one year of suspended trust. If they survive, they may learn and issue certificates again later on... Let's also see if they will inform the users that mozilla will stop trusting them (although i suspect that google might also take similar action) or if they will try to do any "marketing" stunt and "forget" to warn the users about it.

Anyway, firefox will disable this CA and the ball is on their side now... other CAs will also see what can happen to them when they agree to get into shady practices.

This is why i trust mozilla (at least for now, we never know what the future holds), they really try to make a better web

Submission + - Game over for WoSign and Startcom? 1

Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.

This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe — and potentially business ending — penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period that they cannot do so and will need to go elsewhere — hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

Submission + - OpenSSL Patches Bug Created by Patch From Last Week

Trailrunner7 writes: Four days after releasing a new version that fixed several security problems, the OpenSSL maintainers have rushed out another version that patches a vulnerability introduced in version 1.1.0a on Sept. 22.

Last week, OpenSSL patched 14 security flaws in various versions of the software, which is the most widely used toolkit for implementing TLS. One of the vulnerabilities fixed in that release was a low-risk bug related to memory allocation in tls_get_message_header.

The problem is, the patch for that vulnerability actually introduced a separate critical bug. The new vulnerability, which is fixed in version 1.1.0b, only affected version 1.1.0a, but it can lead to arbitrary code execution.

Submission + - Ask Slashdot: How to determine if your IOT device is part of a botnet? 1

galgon writes: There have been a number of stories of IoT devices becoming part of botnets and being used in DDoS attacks. If these devices are seemingly working correctly to the user, how would they ever know the device was compromised? Is there anything the average user can do to detect when they have a misbehaving device on their network?

Comment Re:Reminds me of Tribalwar's Goatse incident. (Score 1) 282


This is the correct way to solve direct loading of images, not courts... change the image and let the other side suffer for the mistake.
If they copy the images, apply copyright... if they update the link, keep changing it or use the referer... it is a lost battle for the abusive site.
you can also simply block serving the images without the correct referer, but messing with other people's sites is way better :)

Comment Re:Money Laundering, too (Score 1) 73

humm... how would that work? i have tons of dirty money, buy an item for $400, then what? sell it for $1? even if i sell it for $200, how do i get my money back? steam does not give you real money back... maybe i could buy some games and sell the account? you still have to explain where that $200 came from, if i sell 2000 accounts, that would be VERY hard to explain.

Stupid and rich kids and greedy people, i do believe, money laundering i do not see it

Comment Re:Forget about Edge. It's Firefox that's interest (Score 1) 57

most "memory leaks" today are add-on related... add-ons had too much access to the firefox internals and simple errors could cause problems.
mozilla tried to limit what add-ons can access and is trying to push them to external processes, so it is easier to see where the leaks are coming from.

Try to disable add-ons and restart firefox to check where the leak is coming from

Comment Re:Forget about Edge. It's Firefox that's interest (Score 1) 57

first, from your text it looks like it is a huge difference, but it is in line with the other ones
second, edge is preloaded, chrome tries to have multiple processes and be modular, so for this test it might not need to load everything... but firefox is monolithic (mostly), so at startup it will load everything. If there is any flash loaded, even worse, as the flash in firefox is still a separate process and will always eat more cpu. Yes, all these are firefox problems, but... read below

finally, mozilla has known that for several years. they already have some code blocks in multi-process (but it was hard, as the base code was built as monolithic since day one) to sustain firefox until the new firefox (called servo) with rust is ready. That one will be more secure, modular since day one and be faster than any current browser. So yes, known problem, already being fixed

Servo should have the first public alpha (beta?) release in the next few months
