
Comment OCSP actually is a short-term certificate (Score 1) 172

The best incremental refinement is short-lived certificates auto-issued by intermediate CAs. [...] The refinement being pushed instead of the obvious one is "OCSP stapling"

An OCSP response is a short-term statement issued by the CA that a TLS server's certificate is still valid. It can be thought of as exactly the sort of "short-lived certificate" that you describe. Stapling allows a TLS server to cache this response and present it alongside the main certificate. If only the TLS server contacts the CA to get OCSP responses, the CA can't see clients.

Sovereign Keys

From a footnote in the proposal: "In the current draft, there are additional requirements, including that an OCSP check for the CA certificate is successful".

Comment Re: blacklist them (Score 1) 172

A domain-validated certificate is for ensuring the authenticity of communications between your machine and a machine operated by the owner of a particular hostname. It isn't for ensuring that the owner of a particular hostname has any right under other applicable law, such as typosquatting provisions of trademark law, to use that hostname.

Comment Re:The following is going to happen. (Score 1) 172

Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.

With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.

Comment Caching by you vs. by your ISP (Score 1) 172

An unencrypted connection is fast, cacheable, and secure enough when you're just transferring photos and cat videos.

As far as I know, my browser does cache content served over https exactly the same as served over http.

But your ISP cannot cache said content. Say you have a classroom full of children all reading the same article on Wikipedia, and it's in a remote area with the only available Internet connection being a 0.13 Mbps ISDN or satellite link. With cleartext HTTP, a Squid or Polipo proxy can pull every . But with HTTPS, the proxy has to fall back to a separate CONNECT tunnel and transfer the same article 20 times unless the proxy is configured to intercept TLS, with its own root certificate in all browsers configured to use the proxy. Failure to cache in such a situation is inefficient, slow, and possibly costly if it causes the school to exceed a monthly Internet data transfer quota. (Source)

Comment How big is the DANE key? (Score 1) 172

[First-visit validation of a self-signed certificate is] where key fingerprints in DNS can help

Not until the root domain and major TLDs are signed with a key stronger than 1024-bit RSA. Short keys are why browsers haven't added support for DANE.

Even unauthenticated encryption is better than no encryption, because it prevents passive attacks.

It also gives the user a false sense of security that an active attack is not in progress. A self-signed certificate places the bar between "passive attack" and "active attack", but browser publishers have defined the https scheme to prefer a bar between "active attack" and "typosquatting".

Comment Block all DVs (Score 1) 172

The process might in fact be to block all domain-validated (DV) certificates and allow organization-validated (OV) and Extended Validation (EV) certificates. This would parallel the policy implemented by the Comodo Dragon browser, which displays a warning for DV certificates:

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business. Although the information passed between you and this website will be encrypted, you have no assurance of who you are actually exchanging information with, and many websites connected to cyber-crimes use this type of security certificate. Prior to exchanging sensitive information including login/password, personal identity information, or financial details such as credit card numbers with any website that generates this warning, you should find some alternative method of validating this business or consider abandoning the transaction.

Comment Re:The self-driving car is blamed for human error (Score 1) 215

The problem is, statistics don't matter if an automated car kills someone in a situation that a human wouldn't have. One day if they are 100x safer, I would hope they would be safe in all situations that a human would be.

This is arguably why the FDA kills more than it saves. Who studies how many lives are saved by medical advancements and compares it to those saved by preventing bad medicine from getting to market. What is an extra 5 years on average of delaying good drugs vs. bad ones getting out too soon then stopped after they become a problem?

Nobody studies the tens of thousands dying because a heart med gets to market late vs. a few dozens who might die if it gets to market too soon.

Comment Re: Uh, why? (Score 1) 134

What was the software running on it? Or did it crash without any non-IBM supplied hardware or software?

I'm trying to think of any Windows software I actually bothered to run. It was on a Novell network, I was sitting at it. I was in IT and we didn't have any fruity groupware or anything (this was before that crap was popular) so I really just ran ordinary applications, and tried to stick with the utilities and accessories that came with the OS. We didn't have budget for a bunch of OS/2 apps, though.

Did Mossad break into your home and steal your shoes, as well?

No. They didn't even steal my Casio terrist watch.

Comment Re: Uh, why? (Score 1, Interesting) 134

Let me put it this way: if I had to use systemd/Linux or OS/2, I'd choose OS/2. Being able to boot properly is an important trait for any OS. OS/2 has this ability. Systemd/Linux often does not.

As much as I hate systemd, it really has no place in this conversation. You can get Linux without systemd, so you're presenting a false dichotomy in any case.

I've also had OS/2 corrupt itself on an unclean shutdown and fail to boot. I haven't had this with Linux since the early days of xfs.

Comment Re:Uh, why? (Score -1) 134

OS/2 was a very stable and reliable operating system

What? Who told you that? I ran 2.1, 3.0 and 4.0 and they were all unremittingly unreliable pieces of shit. Not just that but I ran them on a fucking PS/Valuepoint 486, so there was absolutely no excuse for incompatibility. Linux makes OS/2 look like Windows 3.1. The system was especially likely to explode when you ran Windows programs, too, and Windows compatibility was absolutely the only reason many people bought it.

I was actually running OS/2 for evaluation at a site that was ALL IBM, every single PC, every single piece of networking equipment, and OS/2 was still a horrible pain in the asshole. People remembering it fondly have memory problems.

Comment Re:Battlestar Galactica Quote (Score 1) 218

My quote emphasizes the need for distinguishing between police and army.

Your quote fails to recognize that it doesn't matter who's policing you if their goal is not to do the will of the people, because the people have thrown up their hands and said fuck it and given up even trying to keep them in check.

The police behave just like the military, except with shittier muzzle and trigger discipline.

Comment Re:Hire Actual Human Reviewers Maybe? (Score 2) 218

Seem to recall articles here on /. about Google's reviewers having to look at so much shit, they basically broke down mentally within a year

There must be a subset of the 4chan-esque crowd which will do the job they are paid to do faithfully in spite of being shitlords. Hire them, their eyeballs can withstand anything.
