
Comment Re: Wait....... (Score 2) 82

Erm, you can refuse to give Signal access to your contacts and it will still work. I just tried it.

You will see phone numbers instead of names, and starting a new conversation is a bit tricky, just like when you don't give WhatsApp your contacts. But it works.

Facebook Messenger doesn't need your phone contacts because it operates on the basis of Facebook contacts and Facebook already has all your Facebook contacts.

Comment Re:Why is this a surprise? (Score 1) 91

Facebook may be evil, but I don't understand why we blame Facebook for this "exploit".

The user grants Website X permission to use their Facebook data. Website X obtains that data. Website X subsequently runs a malicious script on their own website which harvests that data.

Wouldn't this be, like, the fault of Website X?

Comment Re: Summary not very helpful, here's my attempt. (Score 1) 120

EXACTLY. The summary is horrible. It made it sound like Google invented a novel technique that makes the KPTI/Variant 3 (Meltdown) mitigation slowdown "negligible". But actually the blog post simply says:

  • They invented a technique called Retpoline that mitigates Variant 2, with negligible performance impact; and
  • When testing KPTI/Variant 3 (Meltdown) mitigation on their own workflows, they found the performance impact negligible.

Comment Re:Edge pitches so funny it hurts (Score 1) 152

FTP pretty much died as mainstream when NAT routers became ubiquitous. Switching from active (PORT) to passive (PASV) ftp on the client side only worked until the FTP servers themselves were also behind a NAT.

If both sides are behind a NAT, HTTP wouldn't work either (without the serious reconfiguration that you mentioned), no?

Comment Re:Terrible headline (Score 1) 162

You can't really compare this to desktop OSes like Windows or Mac OS.
The security model there is different. All "apps" you run on them are implicitly trusted; there is no security barrier between apps.

You don't need to fake a Gmail login prompt on Windows because you can simply read the memory of the browser or Gmail app and it will gladly give the memory contents including the password to you (if it still has it).

In iOS, each app is supposed to be isolated from each other and from the OS so this is a big(ger) deal.

Comment Re:Not noticing?? That's bad (Score 4, Insightful) 196

When the break-in first came to light, lots of people criticized Equifax, but a vocal minority said something along the lines of "No system is absolutely secure. We don't know if the hackers used a zero-day vulnerability against Equifax. They could have followed all the security best practices and still be hacked."

My response was "If the past is any guide, every time a major company was hacked, it was eventually traced to vulnerabilities in outdated software that should have been patched months ago. I am going to assume this is the same."

Turns out I was right. Companies never learn.

Comment Re:An error (Score 4, Informative) 142

I believe it was an error. Although HTC does deserve part of the blame.
You see, the "stock keyboard" was actually a third-party app, which is ad-supported by default.
The HTC version is supposed to be a special ad-free version, but somehow during the latest update the app developers pushed the ad-supported version to HTC devices as well.

If anything, this demonstrates the dangers of bundling apps that you don't directly control.
And who's to say the ad-free version doesn't still track the user or collect personal information? If it wants it could collect all your passwords too!
It was really poor judgement on HTC's part to use such an app for a sensitive component like the stock keyboard.
