Posts by brotherelf 287 publicly visible posts • joined 16 Jun 2014
No, the point is there currently is no retroactive proof of control: even if I now own the business.example domain, I cannot revoke the certificate you legitimately got a week ago when you still owned it. (But you still would need to hack the DNS to do anything useful like redirecting traffic that wants to visit me to visit you instead.)
Last time I checked, Let'sEncrypt will discontinue OCSP. (Which of course makes perfect backasswards sense: OCSP staples that I've seen are valid for seven days. Why bother stapling if can force renewal instead? And of course, renewal doesn't fix any issue at all because renewal doesn't need to roll over the private key.)
Recently a friend from the New England area proudly spread the word about a newly built residential building that has battery-only backup, no diesel.
(Mind you, same friend didn't seem too worried about going to Singapore to watch the F1 Grand Prix.)
"Nobody sues gutenberg.org after all."
I beg to differ. gutenberg.org was geoblocked from Germany between 2018 and 2021 for copyright infringement of works of Thomas Mann (and others).
(In the interest of clarity: AIUI they felt they should block their entire catalogue instead of just the works the court had ordered them to. Also, since it was only their organization, the mirrors still remained available for several months.)
We send the client the code to execute in the browser we make, but look, a groove-toothed squirrel!
(And nope, last I checked, every browser had support for x.509 certificates because TLS client auth is a thing, but there's no JS interface that exposes it.)
The article sounds a bit "everybody worries about this quantum computing which doesn't exist at this level", but it is prudent to stay *well* ahead of the curve in terms of breaking and forging. If we look at digital signatures as a feature of your govt ID, for example: the smartcard you spec now gets into your citizens' wallets in two or three years at the earliest and will probably be valid for ten years or so, and you don't exactly want to say "oh it's 2023, I don't trust a digital signature from 2021 anymore", so yes, "at best breakable by nation-state-level actors only (but not large-scale organized crime, e.g.) for the next 20 or 25 years" is a very very valid requirement.
"Bridge technology" that will go online in roughly a decade? Just what the hell improvements in renewables are you hedging for? (Assuming we're not talking about Hoover Dam size projects, I would expect any improvements in solar panel efficiency or turbine shape or whatnot could be phased in more-or-less with scheduled maintenance/renewal. Because yes, stuff will break, because everything does, but that kind of RE has lots more resilience built in. Your runway has run out, your "bridge" would have needed to be operational about a decade ago.)
As much as I'd like to see that, I consider it perfectly plausible that a shrink-wrapped phone's batteries are "nominally empty" (beyond a factory QC test charge) by design, if only because they have been through some sort of shipping process, which may have different regulations for charged and uncharged Li-Pos/Li-Ions.
I'm pretty sure my last phone was uncharged, as were my last couple of laptops, as were the smartwatch and the gaming console. Not 100% sure about the e-reader.
There's probably a dozen "maker" projects to build your own with an Arduino of some sorts, but to be quite honest, I'd never give anything that has been touched by my soldering iron control over more than 5W or so, and USB cup warmers notwithstanding, that won't brew you tea.
That's the "best" wording I've seen since a form asked me whether I wanted to forgo opting out of a voluntary exemption from contributing to the pension funds scheme about 20 years ago. (The only hint to what would happen was that one option said "I realize this deducts from my current salary")
I hope this is a drop-down where both options are labeled "(DANGEROUS!)", at least?
… clicked and was disappointed it's not a recurrence of IBM Chef Watson, which was at least amusing on a boring afternoon.
(For those young enough, Chef Watson was trained on recipes, so you could see what an "AI" would make of "I have some dark chocolate and tuna, where do we go from here".)
No, Firefox does no such thing. It's the web server sending HSTS headers (which mean "once you successfully https, always upgrade http to https for the next X seconds), an upgrade-insecure-requests CSP, redirects to https on http, or optimally, all three.
(Making https the default protocol if you leave it off in the URL bar is being debated and would indeed be easy with almost no compatibility concerns, but that is something that's happening vaguely now, not "for many years".)
One of those moments where I'm not sure if the article is glossing over what is commonly understood or doesn't get it. The level of danger a MosCA poses is the same whether you are its customer or not. The danger is that CAs are decentralized in a "anybody can issue anything" way. If you root-trust MosCA, they can issue certificates for anything. "I get my regular certificate from them" does not make that easier or harder, because that process doesn't expose the private key in sane setups. (Yes, I know most CAs have insane setups because customers can't keep two files around for two days and find them again.)
There used to be HPKP, where a site could say "I guarantee my certificates are issued by CA XYZ for the next n days", but that was dead before it got off the ground, because it's only "trust on first use" and requires things like backup keypairs.
And no, don't answer "what about CAA", this is not what CAA does. CAA is verified at issue-time by the CA, it's protecting against social engineering.
Country identified. I suspect the meningococcal vax ads are an effect of the MiniHealth just throwing money into the ad slot machine and not specifying target audiences, so you get it if you're otherwise boring enough that sports clothes manufacturers won't bid high enough for the ad spot.
Weirdest ads I've seen were: the candidate for mayor from the next town over, "find a vax near you" ads for a country that's not even on the right continent, and a one-hour DJ set. Seriously.
Technically that is already the case. The current wording around working from home vs. teleworking vs. working from a home office is very carefully crafted so they don't have to send H&S to check whether window glare reflects on your screen and whether your chair meets ergonomic requirements etc., not to mention things like "can you lock away the computer or otherwise ascertain your kid doesn't install their virus-ridden pirated copy of Doom on the device you're handling business matters on".
… as python-using folks found out a while ago.
Fortunately, that could be fixed quite easily: browsers already send "upgrade-insecure-requests:1" in the request headers if they want that, so you can redirect conditional on that and that wget from CentOS 5 that doesn't speak TLS 1.2 and doesn't know today's CAs¹ will be none the wiser.
Combine with a moderately-sized HSTS and, given that Key Pinning is deprecated, you have a reasonably-good-of-both-worlds.
¹ if that sounds suspiciously specific, it's because it is. Busybox offered a working wget, once I hid the old openssl from it so it would use its own implementation.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
