jasondj @ jasondj @ttrpg.network Posts 0Comments 224Joined 2 yr. ago
But you only really need one to say it’s authentic. There are levels of validation that require different levels of effort. Domain Validation (DV) is the most simple and requires that you prove you own the domain, which means making a special domain record for them to validate (usually a long string that they provide over their HTTPS site), or by sending an email to the registered domain owner from their WHOIS record. Organization Validation (OV) and extended verification (EV) are the higher tiers, and usually require proof of business ownership and an in-person interview, respectively.
Now, if you want to know if the site was compromised or malicious, that’s a different problem entirely. Certificates do not and cannot serve that function, and it’s wrong to place that role on CAs. That is a security and threat mitigation problem and is better solved by client-based applications, web filtering services, and next-gen firewalls, that use their own reputation databases for that.
A CA is not expected to prevent me from hosting rootkits. Doesn’t matter if my domain is rootkits-are.us or totallylegitandsafe.net. It’s their job to make sure I own those domains. Nothing more. For a DV cert at least.
Public key cryptography, and certificates in particular, are an amazing system. They don’t need to be scrapped because there’s a ton of misunderstanding as to its role and responsibilities.
Yeah, except you aren’t supposed to TOFU.
Literally everybody does SSH wrong. The point of host keys is to exchange them out-of-band so you know you have the right host on the first connection.
And guess what certificates are.
Also keep in mind that although MS and Apple both publish trusted root lists, Mozilla is also one of, if not the, biggest player. They maintain the list of what ultimately gets distributed as ca-certificates in pretty much every Linux distro. It’s also the source of the Python certifi trusted root bundle, that required by requests, and probably makes its way into every API script/bot/tool using Python (which is probably most of them).
And there’s literally nothing stopping you from curating your own bundle or asking people to install your cert. And that takes care of the issue of TOFU. The idea being that somebody that accepts your certificate trusts you to verify that any entity using a certificate you attach your name to was properly vetted by you or your agents.
You are also welcome to submit your CA to Mozilla for consideration on including it on their master list. They are very transparent about the process.
Hell, there’s also nothing stopping you from rolling a CA and using certificates for host and client verification on SSH. Thats actually preferable at-scale.
A lot of major companies also use their own internal CA and bundle their own trusted root into their app or hardware (Sony does this with PlayStation, Amazon does this a lot of AWS Apps like workspaces, etc)
In fact, what you are essentially suggesting is functionally the exact same thibg as self-signed certificates. And there’s absolutely (technically) nothing wrong with them. They are perfectly fine, and probably preferable for certain applications (like machine-to-machine communication or a closed environment) because they expire much longer than the 1yr max you can get from most public CAs. But you still aren’t supposed to TOFU them. That smacks right in the face of a zero-trust philosophy.
The whole point of certificates is to make up for the issue of TOFU by you instead agreeing that you trust whoever maintains your root store, which is ultimately going to be either your OS or App developer. If you trust them to maintain your OS or essential app, then you should also trust them to maintain a list of companies they trust to properly vet their clientele.
And that whole process is probably the number one most perfect example of properly working, applied, capitalism. The top-level CAs are literally selling honesty. Fucking that up has huge business ramifications.
Not to mention, if you don’t trust Bob’s House of Certificate's, there’s no reason you can’t entrust it from your system. And if you trust Jimbo’s Certificate Authority, you are welcome to tell your system to accept certificates they issue.
They got the idea from Svalbard. In case of global catastrophe.
Idk man. I used to think that my kids are badly behaved and I would’ve never gotten away with that when I was a kid…but the reality is I was just as much of a little shit, the only difference now is we all finally decided that hitting kids is bad. Repressed trauma’s a hell of a drug.
Their citation for that is their own article, which doesn’t mention anything about selling data from phones, but does talk about cars generating upwards of 25GB per hour of raw telemetry data. Again, mostly uncited.
The point of that line is to drive intra-site clicks and mislead you into getting more upset and drive the ever important “engagement”. Unfortunately a common theme in modern media.
But tons of stuff would have to get sync’s every time you connect your phone. Better to have them cached, encrypted at rest, decrypted by key stored in the phone, and just do a diff-sync.
This should be very easily possible with CarPlay and Android Auto. I have no idea if it does or not. But as Apple and Android both control both their respective app and the OS of the attached phone, there’s no reason it can’t (and even pre-compile diff packages for known cars, or expire and purge both sides after X days without a connection)
That may not be true for regular old Bluetooth though…which likely has more to gain in performance from caching the resources due to BTs limited throughput, but also has to conform to standards.
How close is this stuff to HP’s Cyan?
Seriously, these cases seem like giant nothingburgers.
Did you expect that your car wouldn’t have your text message when it’s displaying it on the screen or reading it out loud?
Now, is there malicious intent? Can they be retrieved by technicians at the dealership if your phone isn’t plugged in? Is it forwarding them back to Honda Corporate or Zuck himself? If so, that’s a significant problem that would probably belong to Android Auto and Apple CarPlay…they should be storing them encrypted and only be able to decrypt them when the phone is connected. But I don’t see any mention of that in the article.
All the fucking cybersecurity bullshit I gotta go to as a network admin for a federal contractor and the baddies can just have some tech illiterate federal representative install whatever back doors they want on their personal computers under the guise of morality or whatever.
Went to go see Book of Mormon yesterday w/ my wife.
She hadn’t seen it before. I went a few years ago, but she had the flu so I ended taking her brother at the last minute then.
I told her it’s from one of the creators of Southpark, and South Park is a lot tamer now than it was in the 90s. And that it’s on Broadway so it’s high-art. Which might work for a lot of the first act save for the occasional toilet or shock humor. Totally thrown out the window by the end though.
Know what I like the most?
Cake farts.
What’s a redditism? Is that like some sort of augmented reality porn bot?
When was it economically viable to replace hand-sewn lumber with lumber mills?
Then they went and made portable electric saws. What a world!
And then electric drills! And laser levels!
Remember paper ledgers and abacuses? Ever hear of Microsoft Excel?
We keep making tools that always increase productivity and reduce time and cost. It’s Constant incremental progress, and on a large scale it’s great because it frees up (human) resources to focus on new industry and technology, which furthers the CIP. On the micro scale, there may be a small number of temporarily displaced workers as jobs shuffle around and workers re-skill.
But at this particular intersection of technology, we are at a pretty bad spot. We are on the verge of massive progress in multiple industries, and wealth has concentrated in the elite classes. “Temporarily displaced workers” won’t have the capital to re-skill or invest their own resources into new industry. This is bad.
Don’t say doing your wife…
Don’t say doing your wife…
Don’t say doing your wife…
…doing your…son?
Revoke their citizenship. Drop them down to documented aliens. Let them earn their citizenship back the same way immigrants do, after a probationary period, of course. And in addition to prison time.
Can imprisoned persons legally naturalize anyway? Normally they would just get deported.
Like the Gwyneth Paltrow stuff?
Or the 90s mechanic soap? Does that still exist? I don’t know.
You don’t have to buy one with a window.
Hell I saw fridges with Android screens and I’m like hell naw. I did get a smart one so I can get notifications if the kid leaves the door open and so I can track power consumption over time without sticking a kill-a-watt in a really tough spot. But the Android systems they put in fridges feel obsolete on the showroom floor. Absolutely embarrassing, and probably completely useless after about 4 or 5 years when Android stops supporting the SoC and when you stop getting root certificate updates and start getting SSL errors on every page and app.
It sucks because a lot of places around me don’t carry powder. I’d much rather be using that than the gel.
Sir this is a 🐧.