SoylentNews is people

posted by janrinok on Monday February 24 2020, @07:05PM
from the honestly,-it's-for-your-own-good... dept.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
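
For admins who want to audit their own certificates against the limit described above, here is an added example (not part of the original story or of Apple's implementation). It assumes the cut-off is 00:00 UTC on September 1, 2020 (year taken from the story's posting date), that lifetime is measured as notAfter minus notBefore, and that certificates arrive in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates and all function names are constructed for illustration.

```python
"""Audit certificate validity periods against the 398-day limit."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: cut-off at 00:00 UTC, September 1, 2020; limit of 398 days.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)


def _cert_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_lifetime(cert):
    """Return a verdict dict for one certificate (getpeercert()-style dict)."""
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = not_after - not_before
    # Certificates issued before the cut-off are unaffected, however long-lived.
    subject_to_limit = not_before >= POLICY_START
    too_long = lifetime > MAX_LIFETIME
    if not subject_to_limit:
        reason = "issued before the cut-off, not affected by the limit"
    elif too_long:
        reason = "issued after the cut-off with a lifetime over 398 days"
    else:
        reason = "within the 398-day limit"
    return {
        "lifetime_days": lifetime.total_seconds() / 86400,
        "subject_to_limit": subject_to_limit,
        "accepted": not (subject_to_limit and too_long),
        "reason": reason,
    }


def audit(certs):
    """Return the names of certificates the limit would reject, in input order."""
    return [name for name, cert in certs.items()
            if not assess_lifetime(cert)["accepted"]]


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch a live server certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data, loosely modelled on the cases the story mentions.
SAMPLE_CERTS = {
    "two-year-issued-2018": {
        "notBefore": "Jun  5 00:00:00 2018 GMT",
        "notAfter": "Jun  5 00:00:00 2020 GMT",
    },
    "two-year-renewed-oct-2020": {
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Oct  1 00:00:00 2022 GMT",
    },
    "ninety-day": {
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Dec 30 00:00:00 2020 GMT",
    },
    "exactly-398-days": {
        "notBefore": "Sep  1 00:00:00 2020 GMT",
        "notAfter": "Oct  4 00:00:00 2021 GMT",
    },
    "398-days-plus-1s": {
        "notBefore": "Sep  1 00:00:00 2020 GMT",
        "notAfter": "Oct  4 00:00:01 2021 GMT",
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        verdict = assess_lifetime(cert)
        status = "OK    " if verdict["accepted"] else "REJECT"
        print(f"{status} {name}: {verdict['lifetime_days']:.2f} days, "
              f"{verdict['reason']}")
```

To check a live site, pass the result of `fetch_peercert("your.host.example")` to `assess_lifetime()`.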



This discussion has been archived. No new comments can be posted.
  • (Score: 2, Funny) by Anonymous Coward on Monday February 24 2020, @07:19PM (1 child)

    by Anonymous Coward on Monday February 24 2020, @07:19PM (#961942)

    Only those catering to hipsters will be impacted.

    • (Score: 0) by Anonymous Coward on Monday February 24 2020, @07:55PM

      by Anonymous Coward on Monday February 24 2020, @07:55PM (#961960)

      Only if it's an Apple approved website that didn't miss their Apple membership dues.

  • (Score: 5, Insightful) by bradley13 on Monday February 24 2020, @07:45PM (126 children)

    by bradley13 (3053) on Monday February 24 2020, @07:45PM (#961957) Homepage Journal

    This is like the asinine requirement to change your password frequently. It doesn't increase security, but it does cause a lot of hassle.

    Worse: it means that you must build in a mechanism to update certificates into *everything* - which is itself a risk factor. Depending on the projected lifetime of a system, it may well be safer to install a long-term certificate, rather than opening a new attack vector through an update mechanism.

    On top of which: this is non-standard behavior. Who does Apple think they are? Microsoft from the 1990s?

    --
    Everyone is somebody else's weirdo.
    • (Score: 2) by barbara hudson on Monday February 24 2020, @08:02PM (73 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 24 2020, @08:02PM (#961967) Journal
      What's to prevent people from just ignoring any warnings of expired certs? They ignore everything else.
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 5, Informative) by ikanreed on Monday February 24 2020, @08:59PM (53 children)

        by ikanreed (3164) Subscriber Badge on Monday February 24 2020, @08:59PM (#961996) Journal

        Lol, browsers have gotten very good at hiding actual control from users.

        Nowadays you don't get a pop up asking if you want to proceed, you get a page that looks like an error, then at the bottom, there's "report" and "go back", and a tiny hidden link for "more information"

        When you click more information there's FINALLY a "I understand the risks and wish to proceed". It's stupidly over the top for "identity not verified" especially given it only ever pops up for tiny fucking sites where I don't know who runs it anyways.

        • (Score: 1, Insightful) by Anonymous Coward on Monday February 24 2020, @09:51PM (52 children)

          by Anonymous Coward on Monday February 24 2020, @09:51PM (#962018)

          When you click more information there's FINALLY a "I understand the risks and wish to proceed". It's stupidly over the top for "identity not verified" especially given it only ever pops up for tiny fucking sites where I don't know who runs it anyways.

          Also, if you are using any sort of API calls that go to a different port, for example https://example.com:12345 in addition to regular https://example.com to get your javascript, the acceptance of a bad certificate on example.com will still cause the example.com:12345 to fail with HTTP Status Code: 0. You have to manually accept those extra ports explicitly too. And that makes it a completely useless exercise. Might as well go to http only unless you want to play the stupid certificate whack-a-mole game or accept short certs only.

          • (Score: 2) by barbara hudson on Monday February 24 2020, @10:29PM (51 children)

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 24 2020, @10:29PM (#962046) Journal
            So use UDP instead of HTTP. As long as the total amount of data exchanged is less than the packet size, you don't have to reassemble the data from multiple packets. And if you do have to reassemble them it's not THAT big a deal. A coworker needed to have something more responsive than http, I showed him how to do it. UDP is perfect for interactive tracking of mouse movements - just transmit a fine grained timestamp, mouse button state, and x/y. Easily fits in less than half of a 64-byte minimum sized packet. At the server, if the packet timestamp is lower than the newest one, just drop it, same as properly written desktop apps do to keep from getting jerky and bogged down by rapid mouse movements (though this was more of an issue 30 years ago, but it still is good practice today when connected to a server).
            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
            • (Score: 2) by Pino P on Tuesday February 25 2020, @04:02AM (50 children)

              by Pino P (4721) on Tuesday February 25 2020, @04:02AM (#962211) Journal

              So use UDP instead of HTTP.

              Many developers have used the web platform as a way to avoid having to hire a bunch of people to develop and deploy five different native client applications, one for each operating system. What corresponding client for some UDP-based presentation layer is installed on, or already available for, all five major desktop and mobile platforms (Windows, macOS, X11/Linux, Android, and iOS)?

              • (Score: 2) by barbara hudson on Tuesday February 25 2020, @01:11PM (49 children)

                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @01:11PM (#962334) Journal
                UDP is a transport protocol. You use the same clients as HTTP. The same programming languages on the server and client as HTTP. In other words, if you want to use PHP on the server and a web browser on the client, do so. TCP/IP is built upon UDP, so you're using it anyway. TCP/IP takes care of things like making sure that packets arrive in order, and re-fetching dropped packets, but this adds to latency. In a game, latency is evil. You want those keystrokes and mouse movements fast. An occasional dropped packet isn't important, and a stale packet can be ignored.
                --
                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                • (Score: 2) by Pino P on Tuesday February 25 2020, @02:20PM (42 children)

                  by Pino P (4721) on Tuesday February 25 2020, @02:20PM (#962366) Journal

                  UDP is a transport protocol. You use the same clients as HTTP.

                  For applications built on the web platform, these clients are Firefox, Chrome, Edge, and Safari, and I thought Firefox, Chrome, Edge, and Safari could only do HTTP and HTTPS. Or did you mean write your own native application to use instead of a web browser and end up limited to users of one operating system?

                  • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:24PM (41 children)

                    by Anonymous Coward on Tuesday February 25 2020, @03:24PM (#962389)

                    Wooosh?

                    Can anyone point to a nice diagram that shows the layered nature of an Internet stack? My limited understanding is that the transport layer (including UDP) is several layers away from clients like FireFox and using UDP directly will be transparent to FireFox (etc).

                    • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @09:58PM (40 children)

                      by Anonymous Coward on Tuesday February 25 2020, @09:58PM (#962572)

                      Not whoosh, as far as I can tell.

                      The original statement was to "use UDP instead of HTTP" in regards to JavaScript or other code running on the browser engine accessing server APIs. That code is limited to whatever the engine API the browser makes available. This means that the engine API would have to expose some sort of UDP call in order to directly use UDP. The only directly exposed UDP service is WebRTC in the vast majority of browsers and even that requires following the application flow and creating peer connections. Other than that, they are all some form of HTTP connection. So no, you can't just "use UDP instead of HTTP" inside the browser, as you are stuck with whatever they give you.

                      Regardless, most browsers use SOCK_STREAM in their socket() calls in the HTTP network engine, rather than SOCK_DGRAM, so they don't have to do the work themselves. You have to specify the AF and SOCK (as you can't depend on the defaults) when creating a socket(), so the type of socket you get is anything but transparent to the browser itself. I'd suggest looking up a basic socket() HOWTO, if you'd like to know more.

                      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:12AM (39 children)

                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:12AM (#962676) Journal
                        The browser doesn't just speak HTTP/HTTPS. If you thought for a moment, it speaks a ton of protocols - FTP is the first that comes to mind. UDP is the same. You can access it via simple javascript, the same as http/https. And php speaks all those protocols as well. Instead of bitching, why not consider that it might be possible and give it a try?
                        --
                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                        • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @02:23AM (38 children)

                          by Anonymous Coward on Wednesday February 26 2020, @02:23AM (#962684)

                          What JavaScript API allows you to send arbitrary UDP packets?

                          • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:45AM (37 children)

                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:45AM (#962695) Journal
                            The same javascript that allows you to transmit and receive voice and video and any other real-time service over the web. Stuff that needs to be fast, like DNS. Things like Videolan. Look around - there's sample code out there (ignore the WebRTC shit - it's not the UDP you're looking for but something built upon it with limitations).
                            --
                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                            • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @02:52AM (36 children)

                              by Anonymous Coward on Wednesday February 26 2020, @02:52AM (#962697)

                              None of that answers the question: What JavaScript API allows you to send arbitrary UDP packets?

                              • (Score: 2) by barbara hudson on Wednesday February 26 2020, @03:01AM (35 children)

                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @03:01AM (#962700) Journal

                                No API - plain ordinary Javascript. Read a book. The stuff that people don't know how to write any more because they need a fucking pre-made API from github or stackoverflow for everything.

                                This reminds me of the c++ idiots who need the STL for everything because they don't know how to manage memory, create and free stuff, make their own objects, just glue together stuff others created. And then we wonder why code is so crappy. Glue and caulking are not the way to do things.

                                --
                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @03:09AM (34 children)

                                  by Anonymous Coward on Wednesday February 26 2020, @03:09AM (#962706)

                                  Somewhere I'd have to call one of the functions provided with some sort of data. So, I'll phrase it this way:

                                  I have the data "Hello, World!" What JavaScript would I have to include in the script tag of my HTML page so the browser engine of the client sends that as the only data in UDP to the server located at 23.239.29.31?

                                  • (Score: 2) by barbara hudson on Wednesday February 26 2020, @05:18AM (33 children)

                                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @05:18AM (#962727) Journal
                                    As I said, go read a book. It's what I had to do (I had 2 different editions of O'Reilly's best JavaScript book). It's in there, when combined with a couple of Perl books. In other words, RTFM. You're asking me about code from more than a decade ago, that I showed a coworker how to implement, while opposing deployment because tracking every mouse movement is a privacy violation. Fortunately the code got junked, but I see from recent news that someone else had the same idea.
                                    --
                                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                    • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @06:07AM (32 children)

                                      by Anonymous Coward on Wednesday February 26 2020, @06:07AM (#962737)

                                      What is this magical non-API call then that lets you send arbitrary UDP data as its sole payload? You claim it already exists for scripts in the browser, you should know what it is. The reason why you won't name it is because you can't name it because it doesn't exist.

                                      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:05PM (31 children)

                                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:05PM (#963152) Journal

                                        And that's the sad commentary on today's fucked up "web developers." Think everything has to be developed by someone else and turned into an API so they don't have to have any understanding whatsoever of what they're doing - just find some shit on github and glue it together.

                                        Same thing happened with quite a few other programming languages to "make them more accessible". "We need an API." No, you don't. People using whole frameworks to do a stupid mouse roll-over or an image zoom. Javascript has made people stupid AND lazy.

                                        Everything you need an API to do, you can do without an API in ordinary Javascript. Didn't you know that?

                                        I like to think of it as going along the philosophy of "Comments? It was hard to write, it should be hard to read." I still comment code, but not much. It's not easy maintaining comments and code in sync, so the cure is to go minimalist. So someone who needs excess comments hopefully won't screw around with the code because they'll realize they don't understand it.

                                        This is not github. This is not stackexchange. This is not some stupid bootcamp. I totally oppose using frameworks, have for decades. If you need a framework, it just says you have gaps in your knowledge you need to attend to. What good is it to be able to do something quicker if you don't really understand what you're doing? If the framework goes in a different direction? It changes features you depended on? It disappears? It ends up with malware or spyware? You won't even know how to fix or remove it. So you'll waste time looking for an older version, or another framework, because you haven't mastered the basics.

                                        Kind of like the "UX Experts" who think they know crap because they can pump out .psd files of "what it should look like."

                                        Go read the O'Reilly Javascript books. You won't need a framework or an API for anything.

                                        --
                                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                        • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @02:48AM (30 children)

                                          by Anonymous Coward on Thursday February 27 2020, @02:48AM (#963288)

                                          Again, the reason why you won't name it is because you can't name it because it doesn't exist. Especially because, at a minimum, you'd have to call one of the kernel's network or device driver's interfaces somewhere in there because no browsers are crazy enough to control the hardware directly. Except those aren't available in the browser's JavaScript engine either, so you'd have to call one of the interfaces they do expose. Hence why you can't prove me wrong by showing some interface that isn't actually an interface capable of doing what you claimed.

                                          • (Score: 2) by barbara hudson on Thursday February 27 2020, @03:07AM (29 children)

                                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday February 27 2020, @03:07AM (#963298) Journal
                                            And this is exactly the reaction I expected. Stupid web monkeys who don't realize that NOTHING in JavaScript requires an API. Or a web framework. And you complain that you don't get any respect because you don't want to acknowledge that all those APIs and frameworks are just libraries of plain ordinary JavaScript code. Look at the source, then pick up a book and learn how to do all those framework functions in plain ordinary javascript. Without having to include tons of unnecessary crap you're not using.

                                            Bunch of crybabies. Go read a book and actually learn something so you can do more than cut-and-paste "coding ".

                                            --
                                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                            • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @06:18AM (28 children)

                                              by Anonymous Coward on Thursday February 27 2020, @06:18AM (#963338)

                                              As I said, at a minimum you'd have to call out to the kernel or device driver since you don't possess the necessary privilege to touch the hardware directly (just like any other unprivileged user space application regardless of the language it was written in). Except the browser engines don't let you call out in such a fashion to either the kernel or drivers. So please, tell us all this magical way you send UDP packets with an arbitrary payload without talking to the kernel's network interface, the device drivers, or any other API from inside the browser's JS engine.

                                              • (Score: 2) by barbara hudson on Friday February 28 2020, @02:08AM (27 children)

                                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @02:08AM (#963906) Journal
                                                No, you don't, any more than you need to do that for http, ftp, etc. So grow up, read a few books, look upon it as a challenge, and get the FUCK away from "what's the API." As soon as you wrote that you self-identified as a non-programmer (most devs aren't programmers, they just glue stuff developed by others. That's you. Step up your game or GTFO).
                                                --
                                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                • (Score: 0) by Anonymous Coward on Friday February 28 2020, @02:43AM (26 children)

                                                  by Anonymous Coward on Friday February 28 2020, @02:43AM (#963918)

                                                  So you don't need to use a kernel or device driver interface at a minimum from inside the browser? Interesting. How does literally no one else on the planet know that browsers run as privileged processes to enable their direct access to the hardware bus and expose that access to the JavaScript engine?

                                                  • (Score: 2) by barbara hudson on Friday February 28 2020, @03:01AM (25 children)

                                                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @03:01AM (#963921) Journal

                                                    You obviously don't understand what "privileged access" means. There's privileged access to memory and function calls on a local computer (server or client), and then there's privileged ports (any port below 1024, which it is understood that the server listening on that port probably is running as a privileged user, often root). Browsers can make calls to any remote port lower than 65536. It's up to the server to allow or deny. See /etc/hosts.

                                                    Again, you obviously do not have the depth of knowledge required to understand if you think that the client (web browser) would somehow need privileged access. It doesn't - otherwise the internet wouldn't work.

                                                    --
                                                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                    • (Score: 0) by Anonymous Coward on Friday February 28 2020, @03:59AM (3 children)

                                                      by Anonymous Coward on Friday February 28 2020, @03:59AM (#963944)

                                                      Oh, so you aren't talking about direct access to the hardware and acknowledge ring protection and its layers of privilege. Great! Then that means, as I previously pointed out before, that you would have to use one of the interfaces of the kernel or driver that is talking to the hardware. Which directly negates your repeated assertion that you don't need to use one. And to pile on, such an interface would have to be exposed in the browser's JavaScript engine in order for the JavaScript to talk to the kernel or driver. Except, as I also previously pointed out, they aren't.

                                                      • (Score: 2) by barbara hudson on Friday February 28 2020, @05:19PM (2 children)

                                                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @05:19PM (#964182) Journal
                                                        And no, you don't have to write Javascript code to talk to the kernel at any point, any more than you would with javascript that sends and receives http, https, ftp, etc., so either RTFM or GTFO. You're pissing me off with your ever-growing display of ignorance.

                                                        Better yet, log in so we can all have a good laugh.

                                                        --
                                                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                        • (Score: 0) by Anonymous Coward on Friday February 28 2020, @08:03PM (1 child)

                                                          by Anonymous Coward on Friday February 28 2020, @08:03PM (#964304)

                                                          Exactly, the JavaScript running in the browser's engine doesn't directly access the hardware or talk to the kernel. So it has to use the engine's API in its standard library in order to affect the hardware and send packets of any kind.

                                                          • (Score: 2) by barbara hudson on Saturday February 29 2020, @03:45AM

                                                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday February 29 2020, @03:45AM (#964500) Journal
                                                            Fuck off or log in, troll. There is NO Javascript api, which is what you claimed. What the browser does is irrelevant to your argument, because the browser is providing services to the javascript engine, same as the operating system is providing services to the browser. But there is no api necessary for this - just bare javascript. And your original claim was that you had to use a javascript API, which is bullshit.
                                                            --
                                                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                    • (Score: 0) by Anonymous Coward on Friday February 28 2020, @08:56AM (20 children)

                                                      by Anonymous Coward on Friday February 28 2020, @08:56AM (#964037)

                                                      Actually, maybe we should take this step by step. You'll note that most of these are Yes/No or short answer.

                                                      Do you think that A. all processes can talk directly to the hardware bus, or B. only those belonging to the proper protection ring? An "A" or "B" alone will suffice.

                                                      Do you think any of the big web browsers run a process that has access directly to the hardware bus through either of those mechanisms? Y/N

                                                      If the browser doesn't have access to the hardware directly, do you concede that it must do so through another process, such as the kernel or device driver? Y/N

                                                      If it does do it through the kernel or device driver, does it do it through some sort of interface? Y/N

                                                      If it does do it through an interface, is it composed of exposed calls (such as "system calls") or another mechanism? Short answer

                                                      Regardless of the mechanism to communicate to the driver/kernel does the browser have to expose it in some manner in the JavaScript engine to the code running on said engine for the code to be able to use it? Y/N

                                                      Or, if the browser has direct access to the hardware, does the browser A. expose an interface in the JavaScript engine so the code is able to use the hardware or B. give code running in the JavaScript engine direct access to the hardware, or C. use some other mechanism? "A", "B" or "C" only will suffice.

                                                      If there is an interface from either of the previous two questions, is it exposed to the JavaScript running inside the browser engine as A. calls or B. another mechanism? A or B will do fine here too.

                                                      If another mechanism, what is that mechanism? Short answer.

                                                      If there is direct access to the hardware given to the JavaScript running on the browser engine, how does it take advantage of said hardware? Short answer.

                                                      • (Score: 2) by barbara hudson on Friday February 28 2020, @05:16PM (19 children)

                                                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @05:16PM (#964181) Journal
                                                        Now you're further showing that you have no idea of how client/server works. The client uses the same mechanism to talk to the hardware no matter what the communications protocol. So it doesn't matter if it's http, udp, ftp, telnet, gopher, or whatever. The only task is to communicate with the hardware to send data packets. The lower layer that interacts with the hardware doesn't care what the protocol is, as long as the packet meets the hardware's packet spec.

                                                        The same applies to the server. As long as the underlying hardware layer can send and receive the packets, it doesn't matter what the upper layers

                                                        Upper layers take care of things like accepting or rejecting packets and assembling them into streams of data. That's why you can put an ethernet card into promiscuous mode and read ALL the packets on the network, and not just those addressed to your machine - because the hardware is capable of accepting all packets irrespective of destination. It's also why you can give one ethernet card multiple ethernet addresses.

                                                        When sending and receiving data, web browsers don't give a shit about the underlying hardware layers and have no need to directly access them. Same with all other client/server programs. It's because of multiple layers of abstraction.

                                                        So, as I said before, go read a book. In fact, I'd suggest you read many books, because you don't have a clue about what you're asking about and it's not my job to beat up on you for your failure to RTFM.

                                                        --
                                                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                        • (Score: 0) by Anonymous Coward on Friday February 28 2020, @08:01PM (18 children)

                                                          by Anonymous Coward on Friday February 28 2020, @08:01PM (#964302)

                                                          Great. I was right, you do understand that browser processes don't talk directly to the hardware. This means that they use an exposed interface (usually system calls) of the OS and can't do anything network wise without one. Which means that the web browser would likewise have to expose some sort of interface to the JavaScript running in the JS engine that ends up talking to that OS interface. Now, by definition, that interface exposed in the engine would have to be in the engine's standard library. Which means the JavaScript running in the engine would have to use the API of the library in order to use the interface for anything to work its way down through the engine to the OS's interface in order to send anything across the wire.

                                                          • (Score: 2) by barbara hudson on Saturday February 29 2020, @03:38AM (17 children)

                                                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday February 29 2020, @03:38AM (#964496) Journal
                                                            You still don't get it. The browser sits on the client. It has no reason to have direct access to the hardware, especially ring 0. It goes through the regular layers of the OSI network stack, same as http, ftp, etc. No reason for javascript code to call anything in the kernel, ever.

                                                            Fuck are you stupid! Troll is troll.

                                                            There is no javascript api for any of those protocols. None. Grow the fuck up and RTFM.

                                                            --
                                                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                            • (Score: 0) by Anonymous Coward on Wednesday March 04 2020, @05:44AM (16 children)

                                                              by Anonymous Coward on Wednesday March 04 2020, @05:44AM (#966370)

                                                              Exactly, that is what I've been saying the whole time. Now for the next step, the browser doesn't expose any builtins, language features, or interfaces, whether in the language's standard library or the "Web API," that allows access to the network stack below the presentation level (and only a limited few even allow presentation level access), which means there is literally no way for JavaScript running in the browser engine to do arbitrary UDP packets.

                                                              • (Score: 2) by barbara hudson on Wednesday March 04 2020, @12:17PM (15 children)

                                                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday March 04 2020, @12:17PM (#966436) Journal
                                                                Just as there's no way for JavaScript to do http? Because that's what your argument boils down to. Fuck off, moron.
                                                                --
                                                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                • (Score: 0) by Anonymous Coward on Wednesday March 04 2020, @08:35PM (14 children)

                                                                  by Anonymous Coward on Wednesday March 04 2020, @08:35PM (#966681)

                                                                  No, because the browser has APIs in the WebAPI library that allow it to do HTTP requests. Perhaps you have heard of XMLHttpRequest objects or fetch(), among others. No such interfaces exist for sending arbitrary UDP packets.

                                                                  • (Score: 2) by barbara hudson on Wednesday March 04 2020, @09:07PM (13 children)

                                                                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday March 04 2020, @09:07PM (#966692) Journal
                                                                    You're wrong. And your ignorance is not my problem. If you had done like I said you'd already have the answer. And that's all I'm going to say on the subject. Not my fault that you lack insight or knowledge. So again, fuck off stupid script kiddie.
                                                                    --
                                                                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                    • (Score: 0) by Anonymous Coward on Thursday March 05 2020, @07:15AM (12 children)

                                                                      by Anonymous Coward on Thursday March 05 2020, @07:15AM (#966880)

                                                                      I'm not wrong. In fact, if you were correct, you would have just mentioned what those interfaces are while mixing it with the insults you impotently hurl. Same as if I made the same claim about C not having such an interface, you would have pointed out the Berkeley/POSIX/Win32 socket API in the C standard library. The fact that you won't cite the interface for web JavaScript running in the browser engine to do arbitrary UDP speaks volumes and illuminates the real reason being the fact you can't point to something that doesn't exist.

                                                                      • (Score: 2) by barbara hudson on Thursday March 05 2020, @05:06PM (11 children)

                                                                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday March 05 2020, @05:06PM (#966986) Journal
                                                                        You still don't get it. One thing I learned over the years is that it's far better to let someone who is an asshole in real life stew in their own juices. It's far better revenge if revenge is warranted, than correcting them. So I'm applying the same lessons to the Internet. I have no need to prove anything, and you even missed an obvious reference to how it's done, so I'm going to enjoy myself knowing that your childish tactics of "if you knew you'd say how" are just that - appealing to a person's need for validation. I have moved beyond that - when I say I don't give a fuck, and you continue to squirm, trying to "prove" that I don't know something, it puts a smile on my face. You trolled and lost. Because that is exactly what your current tactic is - trolling.

                                                                        It's been proven that people who say "fuck off" to idiots once in a while live longer. So I am enjoying my inner bitch.

                                                                        Real life example - a dentist broke my upper jaw. She was insolvent, so suing her would have been pointless. The reason she was insolvent was untreated bipolar disorder, which made it impossible to run a structured practice - always late, high assistant turnover, periods where she went from a screaming fit to locking herself in the office and melting down.

                                                                        Years later, she's still plagued by the same demons. As far as I'm concerned, it's karma. If I had followed through with an official complaint, she would have been forced to get help. After all her threats to try to stop me from filing a complaint with the regulators, I decided that giving her exactly what she wanted was the best punishment. Same thing here. Only someone incredibly insecure would give two shits about "proving" themselves to an anonymous idiot. And only an idiot would think such a tactic would work. So fuck you, idiot. I owe you nothing.

                                                                        --
                                                                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                        • (Score: 0) by Anonymous Coward on Thursday March 05 2020, @08:11PM (10 children)

                                                                          by Anonymous Coward on Thursday March 05 2020, @08:11PM (#967072)

                                                                          And yet you keep coming back with how it is somehow my lack of education, when it is you talking out of your ass. You probably painted yourself into a corner, realized your mistake, and therefore all you have left is obfuscation. Same as how I showed two interfaces for HTTP, by now it would have been drastically easier to show what language feature, standard library, Web API, etc. interface allows you to do UDP from the web platform in the browser's JavaScript engine, rather than bore everyone with stories of your Dentist.

                                                                          • (Score: 2) by barbara hudson on Thursday March 05 2020, @08:59PM (9 children)

                                                                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday March 05 2020, @08:59PM (#967088) Journal

                                                                            Except that I have zero reason to give in to your juvenile taunts. Grow up. You are an anonymous idiot and I owe you nothing. I don't owe you consideration, nor respect, nor information.

                                                                            What's in it for me to give you the knowledge that I worked hard to obtain? We have no relationship, you came off as an asshole right from the start, so not only do I not have any reason to help you; I have plenty of reasons not to.

                                                                            At this point even if you were offering to pay for the information, I'd say no. Technically I was paid to show another employee how to do it, I developed it on company time, maybe you should ask my former boss for a license if you're that desperate. But you're not - you're just mentally masturbating, with no real practical use for it. But if you're serious, $25,000.00 would incentivize me to go through my archives from 15 years ago. You'll even get a tax deduction since I'll declare it.

                                                                            --
                                                                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                            • (Score: 0) by Anonymous Coward on Thursday March 05 2020, @11:46PM (8 children)

                                                                              by Anonymous Coward on Thursday March 05 2020, @11:46PM (#967154)

                                                                              All this talk and you still can't point to anything. People are free to do a web search or go through the JavaScript language reference and built-in browser libraries and interfaces in the JS engine for web code and they will quickly see that there is no way to do what you claim. Since you can't win on merit and point to something that doesn't exist, I guess you are going for attrition.

                                                                              • (Score: 2) by barbara hudson on Friday March 06 2020, @12:34AM

                                                                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday March 06 2020, @12:34AM (#967177) Journal

                                                                                I'm quite willing to. The price is $25,000. Put up or shut up.

                                                                                I no longer give away code for free. Open source has a revenue problem. I've made that quite clear. $25,000.

                                                                                Either you have a need for the code, in which case you will pay for it, or you don't need it, in which case you're just being a jerk-off.

                                                                                But the days of fixing other people's problems for free are long gone. I got paid for it once, I'm not going to just give it up to some asshole on the Internet for free.

                                                                                10% will be donated to soylentnews.org. After all, why not? It's tax deductible.

                                                                                --
                                                                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                              • (Score: 2) by barbara hudson on Friday March 06 2020, @12:38AM (6 children)

                                                                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday March 06 2020, @12:38AM (#967179) Journal

                                                                                You'll never find it online. I had a hunch, tested it, and it worked. In other words, not something a script weenie would ever think of. You'll never find an API because it doesn't exist. As I said repeatedly.

                                                                                But there are clues, even in this thread. But you'll never see them because you can't do original work. So, $25,000 for the code, which, if you need it, you will pay. Or stop wasting my time.

                                                                                --
                                                                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                                • (Score: 0) by Anonymous Coward on Friday March 06 2020, @01:21AM (5 children)

                                                                                  by Anonymous Coward on Friday March 06 2020, @01:21AM (#967193)

                                                                                  Wasting your time? You didn't have to post two vacuous posts. That was your choice. Although it is interesting to see how much your story has changed and how much effort you are wasting against something you yourself are calling a waste of time. Again, far less to have just cited the interface, language feature, or whatever imagined construct in the first place. But then again, you can't demonstrate the existence of something that doesn't.

                                                                                  • (Score: 2) by barbara hudson on Friday March 06 2020, @02:04AM (4 children)

                                                                                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday March 06 2020, @02:04AM (#967217) Journal

                                                                                    Considering I got paid for it over a decade ago and we still have web morons claiming it's not even possible, it obviously has economic value. The original implementation was for detecting bots clicking on ads. Obviously you want the least overhead possible so the user doesn't notice the extra cpus used to track them. Bot activity was a problem for the search engine I worked for. It affected ad revenue.

                                                                                    I'm a bit surprised that nobody else has figured this out in the intervening decade and a half - just goes to show that people can't think outside the box.

                                                                                    We both know you have no use for the implementation because you're just a no-talent web monkey at best, but there's a non-zero chance that at some future date someone who actually needs this and realizes that I'm for now still the only game in town will see this and we'll come to a deal. I don't buy lottery tickets, but the odds of a payoff are greater than getting $25k from the lottery and there's no cost of entry. Logic dictates that if I can turn the screws on you at the same time, why not?

                                                                                    After all, your arguments have established that it's not something readily available anywhere else, even considered impossible. So if anyone wants it for bot detection, more responsive games, remote monitoring, etc, they'll pay, since there is no open source version and people like you can not figure it out even with hints.

                                                                                    Last hint - you need to study the development history of languages, not just the language itself, if you really want to do interesting things. But that requires curiosity, something you lack in sufficient quantity.

                                                                                    So why would I just give it away to a moron web monkey?

                                                                                    --
                                                                                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                                    • (Score: 0) by Anonymous Coward on Monday March 09 2020, @07:53PM (3 children)

                                                                                      by Anonymous Coward on Monday March 09 2020, @07:53PM (#968634)

                                                                                      Sure, they will come to you. You are "offering to sell" something that not only doesn't exist but isn't even yours according to your own posts. Something you came up with but everyone else says doesn't exist, and even the people who write the engines, say was purposefully left out. No wonder no one has come knocking on your door, they are too busy negotiating with the people selling bridges. Especially since the only way to hear about this magical invention is interweaved between your ostentatious pomposity. May want to work on your sales skill.

                                                                                      Not that it will help much since it quickly became apparent that you don't know what an interface in general or API in specific is, given one of your other posts about how there isn't one because "browser is providing services to the javascript engine, same as the operating system is providing services to the browser". The funny thing is that they do it through an interface, usually an API. Similar to how the browser was written using the libc or other library API of the OS, which was written using the kernel's user space API in turn.

                                                                                      • (Score: 2) by barbara hudson on Tuesday March 10 2020, @12:59AM (2 children)

                                                                                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday March 10 2020, @12:59AM (#968790) Journal

                                                                                        The chance might be 1 in 10,000, but why not take it? After a lifetime, I've probably got a ton of stuff I don't consider all that big a deal that others still haven't figured out, same as others in the biz can say. Forgotten technological solutions that cut through the crap that has accreted around software in the last 30+ years.

                                                                                        Stuff that shitty web "programmers" never knew. Ways of looking at problems that shitty web "programmers" cannot even begin to conceive.

                                                                                        It's like the old joke - you want a good c or c++ program, hire a c developer. You want a good Java program, hire a c programmer. It's a joke, but it's funny because it's true.

                                                                                        Fucking know-nothing web monkeys. Step out of your little microcosm and take a decade or two in the real world.

                                                                                        --
                                                                                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                                                                        • (Score: 0) by Anonymous Coward on Wednesday March 11 2020, @07:33PM (1 child)

                                                                                          by Anonymous Coward on Wednesday March 11 2020, @07:33PM (#969773)

                                                                                          Even if it did exist, you admitted to stealing it. But again, it doesn't exist. So the odds are definitely lower than 1 in 10,000. They specifically left out the ability to directly use packets that low on purpose. But if it makes you feel better, I'll pencil you in after the interview I am conducting with the astronaut that landed on Jupiter.

                                                                                          • (Score: 2) by barbara hudson on Thursday March 12 2020, @02:07AM

                                                                                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Thursday March 12 2020, @02:07AM (#970013) Journal

                                                                                            I created it. How can I "steal" what I created? It wasn't created on my employer's dime, I just showed a co-worker how to do it. Unlike where you live, people here own what they create on their own time. Unless you're stupid enough to sign a contract that makes everything you do, did, or will do in the future your employer's property (which doesn't stand up in court here anyway, so sign away, but YMMV if you live somewhere else).

                                                                                            Look, I gave more than enough clues for anyone with enough experience to figure it out. You're obviously not in that group, but that is not my problem. Your childish attempts to get me to reveal how I did it ("either post the API or it doesn't exist" was just one example, because web monkeys need an API to do everything, even mouse rollovers, image zooms, and fetching new data from the server, none of which require an API).

                                                                                            --
                                                                                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @10:07PM (4 children)

                  by Anonymous Coward on Tuesday February 25 2020, @10:07PM (#962578)

                  TCP/IP is built upon UDP

                  TCP is an alternative transport to UDP, not a layer on top of it. The best proof of such is probably how TCP predates UDP by over 5.5 years. December '74 vs August '80 for those who are curious and too lazy to look it up themselves.

                  • (Score: 2) by barbara hudson on Wednesday February 26 2020, @01:52AM (3 children)

                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @01:52AM (#962658) Journal
                    Not really. The creators of old-style TCP realized they had made a mistake and separated the IP and TCP functions. This also meant that you could (1) have UDP, and (2) TCP. TCP uses the same IP datagrams as UDP, while adding things like flow control. So here's the current stack:

                    IP
                    UDP
                    TCP

                    --
                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                    • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @02:39AM (2 children)

                      by Anonymous Coward on Wednesday February 26 2020, @02:39AM (#962692)

                      No they don't. TCP and UDP are completely independent. TCP is in no way stacked on top of a UDP datagram. If you knew anything about the way their respective headers looked or what the packets look like, you would realize that. UDP was designed to be TCP with a bunch of stuff ripped out that wasn't necessary for types of messages, such as DNS, that still needed ports unlike bare IP or other network protocols.

                      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:55AM (1 child)

                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:55AM (#962698) Journal

                        The original IP/TCP implementation was wrong, so the IP layer was removed from the TCP layer. Today's TCP/IP is not the same as the original TCP/IP, same as today's Buick is not your grandpa's Buick. UDP and TCP both run atop IP. There's lots of code from UDP in TCP. In that sense, TCP is built upon UDP. Just because the packet headers are different is meaningless - how else would you distinguish them except by the headers?

                        Same as YModem shared lots from XModem, and ZModem shared lots of the same design with both. Serial communications hasn't really changed that much in 40 years if you dig enough.

                        --
                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                        • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @03:02AM

                          by Anonymous Coward on Wednesday February 26 2020, @03:02AM (#962701)

                          Your ability to miss the point is amazing. If TCP really were stacked on top of UDP, as you claim, just as the application layers are stacked above them and the internet layers below, then a TCP datagram would literally be a UDP datagram whose payload is a TCP datagram same as how an IP packet's payload is a transport layer datagram, and how the transport layer's payload is the higher level's headers and data. If I weren't convinced you were being obstinate on purpose, I'd suspect you were as mentally ill as your SN nemesis.

                • (Score: 2) by FatPhil on Wednesday February 26 2020, @10:05AM

                  by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 26 2020, @10:05AM (#962781) Homepage
                  > TCP/IP is built upon UDP

                  Garbage. TCP & UDP are both separately built on IP.
                  --
                  Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
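
The layering point argued in the replies above (TCP and UDP each travel directly as the payload of an IP packet, told apart by the IP header's protocol field), as an added example that is not part of any comment: a small Python dissector run over two constructed packets. The addresses, ports and payloads are made-up sample values, and the transport checksums are left at zero for brevity.

```python
import struct

# IANA-assigned values of the IPv4 header's "Protocol" field.
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet, 192.0.2.1 -> 192.0.2.2, no IP options."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, seq: int, data: bytes) -> bytes:
    """20-byte TCP header (PSH+ACK) plus data; checksum left 0 in this sample."""
    off_flags = (5 << 12) | 0x018
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       off_flags, 65535, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """8-byte UDP header plus data; checksum left 0 in this sample."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def dissect(packet: bytes) -> dict:
    """Walk the headers in order and report which layers are actually present."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("malformed IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")

    segment = packet[ihl:total_len]        # whatever IP is carrying
    info = {"layers": ["IPv4"], "ip_proto": proto}

    if proto == IPPROTO_TCP:
        if len(segment) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, _, off_flags, _, _, _ = struct.unpack(
            "!HHIIHHHH", segment[:20])
        hdr_len = (off_flags >> 12) * 4
        if not 20 <= hdr_len <= len(segment):
            raise ValueError("bad TCP data offset")
        info["layers"].append("TCP")
        info.update(sport=sport, dport=dport, seq=seq, data=segment[hdr_len:])
    elif proto == IPPROTO_UDP:
        if len(segment) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
        if not 8 <= length <= len(segment):
            raise ValueError("bad UDP length")
        info["layers"].append("UDP")
        info.update(sport=sport, dport=dport, data=segment[8:length])
    return info


# Constructed sample packets (not captured traffic).
SAMPLE_TCP = build_ipv4(IPPROTO_TCP, build_tcp(49152, 443, 1000, b"hello"))
SAMPLE_UDP = build_ipv4(IPPROTO_UDP, build_udp(49153, 53, b"query"))

if __name__ == "__main__":
    for name, pkt in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        print(name, dissect(pkt))
```

In the TCP sample the bytes immediately after the IP header decode as a 20-byte TCP header; there is no UDP header anywhere in the packet, and the IP protocol field is 6 rather than 17.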
      • (Score: 2) by driverless on Tuesday February 25 2020, @03:07AM (18 children)

        by driverless (4770) on Tuesday February 25 2020, @03:07AM (#962175)

        Apple will just make it impossible to skip, in the same way other browsers already make it impossible to skip things like self-signed certs that you trust because you signed them yourself for the IoT box sitting on an isolated local network that doesn't need SSL in the first place.

        In Apple's case though, it's a great business deal for commercial CAs since now the annual renewal fee for permission to use encryption is enforced by the browser. And before anyone says "Let's Encrypt", any serious commercial site needs to buy their permission to use encryption from a commercial CA, they can't go with Let's Encrypt.

        Has Apple bought any commercial CAs recently, or are they planning to run their own CA?

        • (Score: 4, Insightful) by barbara hudson on Tuesday February 25 2020, @03:17AM (17 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @03:17AM (#962184) Journal
          So don't use encryption. Most sites don't need it anyway.
          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 5, Insightful) by driverless on Tuesday February 25 2020, @03:25AM (5 children)

            by driverless (4770) on Tuesday February 25 2020, @03:25AM (#962186)

            Then you run into another braindead agenda where you have to run a gauntlet of warnings every single time you go there and/or enter your credentials because, y'know, security.

            • (Score: 1, Troll) by barbara hudson on Tuesday February 25 2020, @03:37AM (4 children)

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @03:37AM (#962197) Journal
              Cookies don't require HTTPS. So no need to re-enter login information every page. Or just don't use Safari. Apple probably wants to stop supporting it anyway, so this is a good first step to encourage people to use something else, same as letting people use non-default apps on iOS is a first step to stopping spending money on keeping default apps current.
              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 2) by Pino P on Tuesday February 25 2020, @04:10AM (3 children)

                by Pino P (4721) on Tuesday February 25 2020, @04:10AM (#962214) Journal

                Cookies don't require HTTPS. So no need to re-enter login information every page.

                Not using HTTPS means a user's password will be sent in plaintext over the Internet every time that user logs in. What steps should one take to plan an authentication means around an expectation of such repeated disclosure of the shared secret?

                Or just don't use Safari.

                All third-party web browsers in the iOS App Store are wrappers for the WebKit engine of Safari.

                • (Score: 3, Insightful) by barbara hudson on Tuesday February 25 2020, @01:53PM (2 children)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @01:53PM (#962347) Journal
                  We're talking Safari users. Do you really give a shit? This is entirely on Apple for lying about certificates being expired. It's wrong, whether it's Apple, Google, or Microsoft. It's also anticompetitive behaviour. An antitrust issue, and Apple and Google already have a few of those going around.
                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 3, Insightful) by Pino P on Tuesday February 25 2020, @02:16PM (1 child)

                    by Pino P (4721) on Tuesday February 25 2020, @02:16PM (#962362) Journal

                    This is entirely on Apple for lying about certificates being expired.

                    It's not a lie if the error message states that Safari is rejecting the certificate for a reason other than an expiration date in the past.

                    It's also anticompetitive behaviour. An antitrust issue, and Apple and Google already have a few of those going around.

                    Good luck making antitrust charges stick with the current lineup of the Supreme Court of the United States.

                    • (Score: 3, Informative) by barbara hudson on Wednesday February 26 2020, @02:10AM

                      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:10AM (#962673) Journal

                      The article is quite specific:

                      Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected.

                      Rejecting a valid certificate and stating that the site cannot be trusted because of the certificate OR ANY OTHER REASON is a lie. I have no sympathy for Apple on this, same as I have no sympathy for Google forcing certs to expire at 3 years instead of 3.

                      --
                      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 2) by Pino P on Tuesday February 25 2020, @04:24AM (10 children)

            by Pino P (4721) on Tuesday February 25 2020, @04:24AM (#962220) Journal

            So don't use encryption.

            HTTPS as deployed offers no option for signing-only cipher suites. Therefore, using HTTPS implies using encryption. As for not using HTTPS in the first place, read on:

            Most sites don't need it anyway.

            The specification of a growing number of web platform APIs specifies that the API's functionality shall be available only through secure contexts [pineight.com]. Attempting to access the API through cleartext HTTP fails, such as by raising a security exception. A site using any of these web platform APIs needs HTTPS.

            • (Score: 2) by driverless on Tuesday February 25 2020, @10:52AM

              by driverless (4770) on Tuesday February 25 2020, @10:52AM (#962305)

              This is exactly what Android does, try and access some web service via HTTP instead of HTTPS and you get "CLEARTEXT communication to a.b.c.d is not permitted by network security policy", because Google knows much better than you do what needs to be secured and what doesn't, in this case an Arduino on an isolated network that controls watering room plants. Obviously that needs TLS, because Google says so.

            • (Score: 3, Insightful) by barbara hudson on Tuesday February 25 2020, @02:02PM (8 children)

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @02:02PM (#962353) Journal
              Most users aren't logging into web sites. HTTP is just fine. They're not running web apps on those sites. HTTP is just fine. How many sites want you to register, you hit the back button instead? For most users just reading a web page, HTTP is just fine.
              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 2) by Pino P on Tuesday February 25 2020, @02:12PM (3 children)

                by Pino P (4721) on Tuesday February 25 2020, @02:12PM (#962358) Journal

                Most users aren't logging into web sites.

                Most users are logging into at least two of webmail, Facebook, Twitter, some specialized forum, and some online store.

                For most users just reading a web page, HTTP is just fine.

                Are you claiming it's "just fine" for home Internet service providers to intercept connections and insert ads?

                • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:07AM (2 children)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:07AM (#962669) Journal
                  Like I give a shit about anyone using Facebook or Twitter. You shouldn't either. They deserve whatever crap they get, because by this time there's no excuse.
                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 2) by Pino P on Wednesday February 26 2020, @02:28PM (1 child)

                    by Pino P (4721) on Wednesday February 26 2020, @02:28PM (#962843) Journal

                    It's still probably the case that most users are logging into at least two of webmail, some specialized forum (such as SoylentNews), some online store selling physical goods (such as eBay or Amazon), and some subscription video streaming service.

                    • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:22PM

                      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:22PM (#963169) Journal
                      The only one on that list is soylentnews. I won't use webmail, eBay, Amazon, or ANY video streaming service.

                      And I'm not overly worried about someone snooping on my posts here, or I wouldn't make them in the first place. Sheesh! Not everyone is a mindless sheeple who "needs" (for some ridiculous value of "needs") streaming video, social media, and webmail because otherwise they don't know what to do with themselves. No wonder people don't talk to each other any more - they're out of practice.

                      --
                      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 1, Informative) by Anonymous Coward on Tuesday February 25 2020, @05:50PM (3 children)

                by Anonymous Coward on Tuesday February 25 2020, @05:50PM (#962458)

                HTTP "was" just fine.

                Now HTTP is the reason to have your web page down listed on google searches.
                Now HTTP is the trigger for a warning message in your browser.
                Now HTTP will be flagged as insecure and possibly malicious.

                Stop pretending this is the 90s. When iphone users stop browsing websites that fail to show, HTTP will no longer be "just fine" for anyone.

                • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:20AM (2 children)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:20AM (#962681) Journal

                  Some people don't give a shit about site rankings in Google searches. Helps keep out those more clueless folks.

                  So what about a warning - it's just an icon that indicates the site doesn't use HTTPS. Studies show most people don't even see it, and those who do don't know what it means, so again, so what?

                  Flagged by who? That stupid icon that most people don't even see? If you're just going to a site to read crap, and you don't need to log in, HTTPS is overkill.

                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 2) by FatPhil on Wednesday February 26 2020, @10:40PM (1 child)

                    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 26 2020, @10:40PM (#963190) Homepage
                    Parent post, being AC, wouldn't see this were I to reply to him directly, but you being logged in will if I place it here, and I think you might enjoy the rant: http://n-gate.com/software/2017/07/12/0/
                    No idea who the person behind that site is, but I like his forthrightness.

                    My webserver is an original RasPi, and I sure as heck don't want any unnecessary overheads on it (for me, when I'm developing/debugging), so I'm glad some are still fighting the cult of "https everywhere" (which is gradually removing sites from the subset of the internet visible to my 10-year-old smartphone).
                    --
                    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
                    • (Score: 2) by barbara hudson on Wednesday February 26 2020, @11:02PM

                      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @11:02PM (#963200) Journal

                      From your link:

                      I do not give a shit about SEO and I fervently wish for the speedy retirement of everyone who does. SEO shitbags rank with email spammers as the absolute lowest pigshit dirtfuck dregs of humanity. The world would be a better place without any of their noise.

                      I get spam all the time asking if they can interest me in having them do SEO for soylentnews.org, or paid content, or whatever. Probably targeting me because I don't use a nym. Maybe I should pretend I actually have anything to do with decisions here and collect all their "amazing offers" and post them for shits and giggles.

                      --
                      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 5, Insightful) by knarf on Monday February 24 2020, @08:28PM (1 child)

      by knarf (2042) on Monday February 24 2020, @08:28PM (#961976)

      They'll probably launch Apple-certified long term certificates for a ....special... price which circumvent this limitation. Apple gets another few million, their flock will laud their daring incredibly amazing initiative, rinse, repeat.

      • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @12:47AM

        by Anonymous Coward on Tuesday February 25 2020, @12:47AM (#962115)

        ^^#961960

    • (Score: 2) by DannyB on Monday February 24 2020, @08:50PM (47 children)

      by DannyB (5839) Subscriber Badge on Monday February 24 2020, @08:50PM (#961991) Journal

      If you use SSL/TLS certs, then you probably already have some mechanism for updating them. After all, they have to be updated, just not as quickfully as Apple might like.

      Apple is forcing everyone to use their update mechanism more often. Possibly at greater cost.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2, Informative) by Anonymous Coward on Monday February 24 2020, @09:21PM (7 children)

        by Anonymous Coward on Monday February 24 2020, @09:21PM (#962009)

        In the organisations that I've been working with, anything that needs to be done less often than once a year (and in most cases, every six months) means there isn't a decent process involved. This means things get forgotten, skipped, or just ignored because the 'guy that used to do it' no longer works here.

        When things are consistent with a relatively short period, they are not forgotten about, and become far more efficient as they are part of a larger process/effort. I recommend cert renewals (irrespective of expiration times) be done no less often than every 6 months.

        This is not the same as password changes, since the effort in a password change isn't the few minutes it takes to change the password, but the weeks afterwards that it takes to memorise/forget the new password. Out of fear, people choose weak passwords. This doesn't happen for certs, because as long as the effort is taken at all, the cert is good to go.

        Also, most organisations that have no cert process also don't have good security processes. Which means they make a 10 year cert so they can forget about it. Even if their systems are hacked (exposing the private keys), they don't bother updating the certs because either they forget, or it's too onerous because they can't remember what they did the last time (assuming the same people even work there).

        Once a company has a good security policy and process, things like cert renewals are effortless. Especially with the automated tools provided by the CAs these days. And thanks to LetsEncrypt, this automation is available to everyone and anyone at virtually no cost.

        • (Score: 2) by DannyB on Monday February 24 2020, @09:28PM (6 children)

          by DannyB (5839) Subscriber Badge on Monday February 24 2020, @09:28PM (#962010) Journal

          In the organisations that I've been working with, anything that needs to be done less often than once a year (and in most cases, every six months) means there isn't a decent process involved. This means things get forgotten, skipped, or just ignored because the 'guy that used to do it' no longer works here.

          Sounds like a security problem waiting to happen.

          Maybe that is what Apple wants to fix? Although it is hard to say with Apple. I have no particular love for Apple (since about 1998).

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 4, Insightful) by barbara hudson on Monday February 24 2020, @10:34PM (2 children)

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 24 2020, @10:34PM (#962048) Journal
            Doesn't matter what their intentions are - they're lying to their users by saying a perfectly valid cert is invalid. Hope a bunch of sites do a class action to sue Apple for slander and defamation. On this topic, fuck Apple. Guess I'll skip the last update.
            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
            • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:24AM (1 child)

              by Anonymous Coward on Tuesday February 25 2020, @03:24AM (#962185)

              Is it legally actionable? Can it be said that a certificate is a "person" (like a company) and therefore...

              • (Score: 5, Interesting) by barbara hudson on Tuesday February 25 2020, @03:31AM

                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @03:31AM (#962190) Journal
                You're the site operator and Apple is basically saying you're incompetent and your site is insecure. Even though it's fine because the certificate isn't expired. Sounds like defamation and possibly unfair trade practices.
                --
                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:00AM (2 children)

            by Anonymous Coward on Tuesday February 25 2020, @03:00AM (#962172)
            So how often do you bunch change your SSH keys anyway? Every year? If not, isn't that a security problem waiting to happen too?

            Meanwhile Apple should reject CA certs that have a lifespan for more than 13 months too for the same reasons. ;)
            • (Score: 2) by Chocolate on Tuesday February 25 2020, @03:27AM

              by Chocolate (8044) on Tuesday February 25 2020, @03:27AM (#962188) Journal

              No.. But maybe it should be! At ~$5 a token just think of how much money are denying hardware token makers!
              Think of the profits!

              --
              Bit-choco-coin anyone?
            • (Score: 2) by DannyB on Tuesday February 25 2020, @06:17PM

              by DannyB (5839) Subscriber Badge on Tuesday February 25 2020, @06:17PM (#962462) Journal

              I don't decide when, but I am involved with the implementation. In my case, about 1.5 to 2 years per certificate as I seem to recall.

              --
              People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2, Informative) by Anonymous Coward on Monday February 24 2020, @09:52PM (15 children)

        by Anonymous Coward on Monday February 24 2020, @09:52PM (#962019)

        Are they really though? Certificate Authorities are only supposed to issue certificates with lifetimes shorter than ~27 months and all the major engines reject ones longer than ~39 months. Chromium is already working to shorten it to 397 days in their next few releases and all browsers voted to support the proposal at the last meeting.

        The real issue here is with accidental infrastructure abandonment and revocation. People already hijack neglected domain names that people forget to check up on. Big companies get hit by expiring certificates all the time. Letting servers just sit with no oversight for multiple years is just asking to get hijacked, exploited, etc.

        Then you get to revocation. CRLSets are unwieldy and not complete by design. CRLs and OCSP are not checked by many browsers. Short of having a valid must-staple response, many browsers won't notice anything is wrong. With lifespans a little over two years (if the issuer is actually compliant with the best practice), your stolen/revoked certificate will continue to be a danger to everyone for years to come. For example, try https://revoked.badssl.com [badssl.com] or https://revoked.grc.com [grc.com] or https://www.digicert.com/digicert-root-certificates.htm [digicert.com] revoked demos to see how your browser handles it. There is a good chance that your browser will allow at least one and most versions of Chromium explicitly blacklist the badssl one in order to fool most people into thinking it's safe; otherwise it would allow ALL of them.

        • (Score: 5, Interesting) by sjames on Tuesday February 25 2020, @12:32AM (7 children)

          by sjames (2882) on Tuesday February 25 2020, @12:32AM (#962100) Journal

          If Apple and Google were actually serious about cert security, they would actually implement revocation.

          • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:11AM (6 children)

            by Anonymous Coward on Tuesday February 25 2020, @03:11AM (#962180)

            No argument there. But even so CRLs can be huge, as they need to contain every non-expired certificate that has been revoked, which can slow down browsers as they have to wait to download the whole thing. OCSP is also a privacy concern, as now the CAs know every time you check a website, and is subject to replay attacks. Both of them also suffer from what should happen if the CRL or OCSP server is unavailable and no cached copy exists.

            Just like many standards, revocation fell to the side for many reasons, chief among them being the need for speed.

            • (Score: 3, Informative) by Pino P on Tuesday February 25 2020, @04:17AM (5 children)

              by Pino P (4721) on Tuesday February 25 2020, @04:17AM (#962216) Journal

              OCSP is also a privacy concern, as now the CAs know every time you check a website

              Not if the web server checks the OCSP responder (say) once an hour, retrieves a response signed and timestamped by the CA, caches it, and includes it with the server's certificate whenever the client makes a connection. This is called OCSP stapling [cloudflare.com].

              and is subject to replay attacks.

              How so, given that responses are timestamped and expire promptly?

              Both of them also suffer from what should happen if the CRL or OCSP server is unavailable and no cached copy exists.

              Likewise if the DNS server goes down or the origin web server goes down.

              • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @05:57AM (4 children)

                by Anonymous Coward on Tuesday February 25 2020, @05:57AM (#962246)

                You should check the stats for how many websites actually do OCSP stapling, it is the hundredths of a percent. Which means that if you do OCSP at all, you will be making the request yourself to the address in the certificate.

                OCSP itself (including stapled ones) are vulnerable to replay attacks because the default OCSP interval for most providers is 7 days, with some going into multiple weeks (the last time I checked) and most web servers use the OCSP TTL for their cache length as well. For a non-stapled OCSP response, MITM only needs to get a single response, as the vast majority of CAs' servers do not honor the optional nonce value in the request and stapled responses don't use a per-client nonce anyway, which means everyone gets the same response. In addition, unless you "must-staple," it is a soft fail anyway.

                And, unlike a DNS or web server problem, which admins are aware of and usually somewhat control themselves, CRL and OCSP servers are run by the CAs. You have no control over their availability or redundancy. If your DNS goes down, you can propagate changes over the NS network or have redundant providers in the first place. Your web server goes down, you can spin up a new one or have redundancy in the first place. Your CA has an outage, then there is literally nothing you can do about it. And that is if you are made aware of the problem at all.

                • (Score: 3, Interesting) by driverless on Tuesday February 25 2020, @10:56AM

                  by driverless (4770) on Tuesday February 25 2020, @10:56AM (#962306)

                  You have no control over their availability or redundancy.

                  CAs don't have redundancy, they have reduncandy. They're only as reliable as the least secure subsystem, and a failure in any of the many brittle parts will take you down with it.

                • (Score: 2) by driverless on Tuesday February 25 2020, @10:58AM

                  by driverless (4770) on Tuesday February 25 2020, @10:58AM (#962307)

                  as the vast majority of CAs' servers do not honor the optional nonce value in the request

                  It's not the vast majority, per a survey carried out a few years ago no public CA honours the nonce. In other words every CA trusted by your browser is vulnerable to a replay attack because they completely ignore the nonce that's present to prevent the attack.

                • (Score: 2) by Pino P on Tuesday February 25 2020, @02:49PM (1 child)

                  by Pino P (4721) on Tuesday February 25 2020, @02:49PM (#962378) Journal

                  You should check the stats for how many websites actually do OCSP stapling, it is the hundredths of a percent.

                  Source please. The article I linked above ("High-reliability OCSP stapling and why it matters" by Nick Sullivan [cloudflare.com]) states that sites that use Cloudflare have been stapling since 2016 when Cloudflare introduced proactive fetching of OCSP responses as they near the typical 7-day expiration window.

                  OCSP itself (including stapled ones) are vulnerable to replay attacks because the default OCSP interval for most providers is 7 days

                  What incidents have been reported of unexpired OCSP responses being used to forge connections on a recently revoked certificate?

                  And, unlike a DNS or web server problem, which admins are aware of and usually somewhat control themselves

                  Unless the VPS provider is having an outage. For example, an SSD outage on Google Compute Engine in December 2019 [google.com] brought down the Discord chat service [discordapp.com] among other sites.

                  • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @10:58PM

                    by Anonymous Coward on Tuesday February 25 2020, @10:58PM (#962594)

                    https://www.ssllabs.com/ssl-pulse/ [ssllabs.com] shows that around 32.6% currently staple at all. According to censys, 190,921 certificates must-staple [censys.io] and 446,079,247 certificates don't [censys.io]. Even if the number were tilted so that the must-staple ones had 999 SANs and the "non-must-staple" had zero, then at best less than 30% of the domain names would be must-staple. A more reasonable number on either end of that for SANs just makes the percentage of must-staple sites worse.

                    It is a theoretical vulnerability, you asked how it was possible which two people explained. Even if there was an incident where it occurred, it may not be reported or widely publicized. But that doesn't change the fact that such a theoretical vulnerability exists, especially against those MITMed by someone or other situations.

                    And yes, lots of things can have outages, but an OCSP failure is not one of those you can plan for, work around, or have redundancy over (unlike your VPS example) without having multiple certificates from different providers spread around your infrastructure in advance or ready to go. And again, that is if you even notice the problem in the first place.
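
The replay-window disagreement in the sub-thread above, worked through as an added example that is not part of any poster's comment: a "good" response captured before a revocation keeps passing a time-window-only check until `nextUpdate`, and a client-side age cap or an honoured nonce shortens that. `OcspResponse` is a constructed model with hypothetical names, not a DER parser, and the dates are made up; the 7-day interval is the figure quoted in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ZERO = timedelta(0)


@dataclass(frozen=True)
class OcspResponse:
    """Only the fields the thread discusses (constructed model)."""
    cert_status: str                 # "good" or "revoked"
    this_update: datetime
    next_update: datetime
    nonce: Optional[bytes] = None    # None: responder ignored the request nonce


def check_response(resp, now, sent_nonce=None, require_nonce=False,
                   max_age=None, skew=timedelta(minutes=5)):
    """Return (accepted, reason) for one response under a client policy."""
    if now + skew < resp.this_update:
        return False, "not-yet-valid"
    if now - skew > resp.next_update:
        return False, "expired"
    # Optional stricter policy: refuse responses older than max_age,
    # whatever nextUpdate the CA chose.
    if max_age is not None and now - resp.this_update > max_age:
        return False, "too-old"
    # A nonce only helps if the responder echoes it; stapled responses are
    # shared by all clients and cannot carry a per-client nonce.
    if require_nonce and (sent_nonce is None or resp.nonce != sent_nonce):
        return False, "nonce-mismatch"
    if resp.cert_status != "good":
        return False, "revoked"
    return True, "good"


def replay_exposure(resp, revoked_at, max_age=None):
    """Time after revocation during which an earlier 'good' response still
    passes the window check (clock skew allowance ignored)."""
    if resp.cert_status != "good" or resp.this_update >= revoked_at:
        return ZERO
    last_ok = resp.next_update
    if max_age is not None:
        last_ok = min(last_ok, resp.this_update + max_age)
    return max(last_ok - revoked_at, ZERO)


# Constructed timeline: response signed at T0 with a 7-day validity,
# certificate revoked 12 hours later.
T0 = datetime(2020, 2, 20, tzinfo=timezone.utc)
CAPTURED = OcspResponse("good", T0, T0 + timedelta(days=7))
REVOKED_AT = T0 + timedelta(hours=12)


def scenario():
    """Evaluate the captured response five days after it was signed."""
    later = T0 + timedelta(days=5)
    return {
        "window_only": check_response(CAPTURED, later),
        "age_cap_1d": check_response(CAPTURED, later, max_age=timedelta(days=1)),
        "nonce_required": check_response(CAPTURED, later,
                                         sent_nonce=b"\x01" * 16,
                                         require_nonce=True),
        "exposure_no_cap": replay_exposure(CAPTURED, REVOKED_AT),
        "exposure_cap_1d": replay_exposure(CAPTURED, REVOKED_AT,
                                           max_age=timedelta(days=1)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:16} {value}")
```
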

        • (Score: 4, Informative) by driverless on Tuesday February 25 2020, @03:35AM (6 children)

          by driverless (4770) on Tuesday February 25 2020, @03:35AM (#962194)

          That assumes it's a public web site. A helluva lot of certs get used for things like SCADA/IoT/embedded, and they're on RFC 1918 addresses and the like and are self-signed, you typically provision the device once at build time and that's it. If there's a compromise, you take the device offline or reflash it with clean firmware, there's no need for revocation handling or all the other X.509 bollocks.

          Except that now you can't any more because Apple has decided you need to rebuild/reprovision your device every twelve months for no reason whatsoever. In the case of SCADA gear that can never go down, it just means that you can't use Safari to talk to embedded systems any more, or at least not after the first twelve months' uptime.

          • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday February 25 2020, @11:03AM (5 children)

            by All Your Lawn Are Belong To Us (6553) on Tuesday February 25 2020, @11:03AM (#962309) Journal

            I think you have that a little backwards, if I understand the summary. You can't use Safari to talk to embedded systems any more unless you're within 12 months of whatever expiration date they set, not within 12 months of start uptime.

            Even then, if you can get dating on the cert maybe you could just edit your system time to link up with it? You wouldn't do that for the general web, but for a SCADA/IoT/embedded device maybe you would. That, and the earlier, is predicated on Apple looking at the expiration date of the cert only and comparing to today, not taking the issue date/expiration date and calculating the difference.

            If it were universal that might even be a way to foil script-kiddie level hacks trying to use browsers for IoT stuff. Give your certs some ridiculous dating so no browser will recognize it unless your clock is changed to match. It's not really security but it is a layer of obfuscation.

            --
            This sig for rent.
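
The two readings of the 398-day rule raised in the comment above (limit on `notAfter` minus `notBefore`, versus comparing `notAfter` with the verifier's clock), as an added example that is not part of the thread and not Safari's code. The sample certificates are constructed, the function names are hypothetical, and the cut-off is assumed to be 2020-09-01 00:00 UTC because the article only says "from September 1".

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: the article only says "from September 1"; 2020-09-01 UTC is used.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)  # limit quoted in the article


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_cert_time(text):
    """Turn an OpenSSL-style time ('Sep 15 00:00:00 2020 GMT') into UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def window(cert):
    """Return (notBefore, notAfter) of a getpeercert()-style dict."""
    return parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])


def lifetime_rule(cert, now):
    """Reading 1: limit the issued lifetime, notAfter - notBefore.
    Certificates issued before the cut-off are left alone."""
    not_before, not_after = window(cert)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_before >= CUTOFF and not_after - not_before > MAX_LIFETIME:
        return "lifetime-too-long"
    return "ok"


def expiry_only_rule(cert, now):
    """Reading 2: only compare notAfter with the verifier's clock."""
    not_before, not_after = window(cert)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now > MAX_LIFETIME:
        return "expires-too-far-ahead"
    return "ok"


# Constructed samples, shaped like the dict from ssl.SSLSocket.getpeercert().
SAMPLES = {
    "2y, issued before cut-off": {
        "notBefore": "Mar  1 00:00:00 2020 GMT",
        "notAfter": "Mar  1 00:00:00 2022 GMT"},
    "2y, issued after cut-off": {
        "notBefore": "Sep 15 00:00:00 2020 GMT",
        "notAfter": "Sep 15 00:00:00 2022 GMT"},
    "395d, issued after cut-off": {
        "notBefore": "Sep 15 00:00:00 2020 GMT",
        "notAfter": "Oct 15 00:00:00 2021 GMT"},
    "10y embedded device cert": {
        "notBefore": "Jan  1 00:00:00 2021 GMT",
        "notAfter": "Jan  1 00:00:00 2031 GMT"},
}


def report(now):
    """One row per sample: (name, lifetime in days, verdict 1, verdict 2)."""
    rows = []
    for name, cert in SAMPLES.items():
        not_before, not_after = window(cert)
        rows.append((name, (not_after - not_before).days,
                     lifetime_rule(cert, now), expiry_only_rule(cert, now)))
    return rows


if __name__ == "__main__":
    # Same certificates, two different verifier clocks.
    for clock in (utc(2021, 6, 1), utc(2030, 6, 1)):
        print("verifier clock:", clock.date())
        for row in report(clock):
            print("  %-28s %5d days  %-18s %s" % row)
```

Under the first reading the verdict for a given certificate is the same at any clock value inside its validity window; only the second reading depends on the verifier's clock.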
            • (Score: 3, Interesting) by driverless on Tuesday February 25 2020, @11:11AM (4 children)

              by driverless (4770) on Tuesday February 25 2020, @11:11AM (#962314)

              Doesn't work because it would break all Internet sites with correct times because cert, CRL, and OCSP times would be out. Another cool security feature, your clock is off so the CRL is future-dated so we'll assume the cert is invalid and won't let you connect. Or at least Firefox does that.

              • (Score: 2) by Pino P on Tuesday February 25 2020, @02:28PM (3 children)

                by Pino P (4721) on Tuesday February 25 2020, @02:28PM (#962373) Journal

                Then use one clock setting to connect to SCADA and a different clock setting to connect to public websites.

                • (Score: 3, Informative) by tangomargarine on Tuesday February 25 2020, @03:43PM (2 children)

                  by tangomargarine (667) on Tuesday February 25 2020, @03:43PM (#962397)

                  We're going off into the weeds here. The far simpler solution is for Safari to not be dumb.

                  --
                  "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
                  • (Score: 2) by Pino P on Tuesday February 25 2020, @08:45PM (1 child)

                    by Pino P (4721) on Tuesday February 25 2020, @08:45PM (#962539) Journal

                    "To not be dumb" is a tall task for Safari or any other proprietary or tivoized software.

                    • (Score: 2) by driverless on Tuesday February 25 2020, @11:24PM

                      by driverless (4770) on Tuesday February 25 2020, @11:24PM (#962602)

                      Or for security people in general. Security people are supposed to provide guide rails, but most of the time they just make a roadblock.

      • (Score: 2, Touché) by Anonymous Coward on Tuesday February 25 2020, @12:26AM (20 children)

        by Anonymous Coward on Tuesday February 25 2020, @12:26AM (#962097)

        Apple is forcing everyone to use their update mechanism more often. Possibly at greater cost.

        They're not forcing me to do anything.

        In fact, after reading TFS, I was thinking about switching my sites *away* from LetsEncrypt so I can implement two or three year certs.

        In fact, if many site admins do that, this will blow up in Apple's face.

        Perhaps we could even form a consortium to purchase LetsEncrypt and change all their certs to five years just to poke those scumbags in the eye!

        • (Score: 2) by NateMich on Tuesday February 25 2020, @12:33AM (19 children)

          by NateMich (6662) on Tuesday February 25 2020, @12:33AM (#962101)

          Apple is forcing everyone to use their update mechanism more often. Possibly at greater cost.

          They're not forcing me to do anything.

          In fact, after reading TFS, I was thinking about switching my sites *away* from LetsEncrypt so I can implement two or three year certs.

          In fact, if many site admins do that, this will blow up in Apple's face.

          Perhaps we could even form a consortium to purchase LetsEncrypt and change all their certs to five years just to poke those scumbags in the eye!

          Why would you care about this at all? LetsEncrypt renews the certs every month automatically anyway.
          This is a non-issue.

          • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @12:44AM

            by Anonymous Coward on Tuesday February 25 2020, @12:44AM (#962113)

            Whoosh!

            Reading comprehension isn't your strong suit, eh?

          • (Score: 2) by barbara hudson on Tuesday February 25 2020, @01:00AM (17 children)

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @01:00AM (#962128) Journal
            So was renewing a dot.org domain. Then they hung a "for sale" sign on it.
            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
            • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:34AM (16 children)

              by Anonymous Coward on Tuesday February 25 2020, @03:34AM (#962193)

              <sarcasm>Commie! Money is king here! I bet you believe in that "open sores" crap
              </sarcasm>

              • (Score: 3, Disagree) by barbara hudson on Tuesday February 25 2020, @03:44AM (15 children)

                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @03:44AM (#962205) Journal
                I believe in open source. I don't believe in the GPL. Without the GPL there would be way more software available for Linux, which would have made it more competitive.
                --
                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                • (Score: 1, Touché) by Anonymous Coward on Tuesday February 25 2020, @08:45AM (5 children)

                  by Anonymous Coward on Tuesday February 25 2020, @08:45AM (#962290)

                  Without GPL Linux would have the fate of BSD at best, which is used, say, in PlayStation, but you'll have to pay a premium to use it, locked down. Bright future, yay.

                  • (Score: 3, Insightful) by barbara hudson on Tuesday February 25 2020, @02:21PM (4 children)

                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @02:21PM (#962367) Journal
                    Apple built OSX atop FreeBSD. It's got a lot more market penetration because FreeBSD is NOT using the restrictive GPL. Now look at the difference in available software for OSX compared to Linux. Linux could have had the same situation if it weren't for the GPL.
                    --
                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                    • (Score: 1, Touché) by Anonymous Coward on Tuesday February 25 2020, @11:06PM (3 children)

                      by Anonymous Coward on Tuesday February 25 2020, @11:06PM (#962595)

                      You mean I'd have to pay hundreds of dollars to buy specific hardware from a single manufacturer to use Linux? Sounds great! I better get in my time machine to warn Linus about the mistake he is going to make.

                      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @01:45AM (2 children)

                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @01:45AM (#962652) Journal
                        FreeBSD runs on Wintel and you know it, so don't be intentionally stupid. And I guess you never heard of Hackintoshes if you really want the Quartz UI.
                        --
                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                        • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @06:22AM (1 child)

                          by Anonymous Coward on Wednesday February 26 2020, @06:22AM (#962738)

                          But all the software that you think Apple enabled for FreeBSD only runs if the entire OS including the GUI is there. Which means you need a Hackintosh, which still requires certain combinations of hardware, runs the risk of getting nuked on an update, and requires an already working MacOS system to install.

                          • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:15PM

                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:15PM (#963164) Journal

                            But all the software that you think Apple enabled for FreeBSD only runs if the entire OS including the GUI is there.

                            Actually, that's not true. Go do some research. Apple contributed non-gui stuff back to FreeBSD that runs just fine on FreeBSD, with or without a GUI. Apple isn't the greatest, but they do give back, and Linux has benefited indirectly from their contributions.

                            --
                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                • (Score: 3, Informative) by DannyB on Tuesday February 25 2020, @06:23PM (8 children)

                  by DannyB (5839) Subscriber Badge on Tuesday February 25 2020, @06:23PM (#962464) Journal

                  The unspoken purpose of GPL appears to be to prevent, specifically Microsoft, from taking the code, enhancing it, and putting the enhanced code into their own proprietary commercial badness.

                  Without GPL the Embrace Extend Extinguish would have gone wild with the Microsoft. Just as Microsoft tried to do with Java, and got sued for $1.2 billion for violating the plain language of the agreement, Microsoft would try to get developers developers addicted to a Microsoft-flavor of open source that only runs on Microsoft and interoperates with Microsoft.

                  --
                  People today are educated enough to repeat what they are taught but not to question what they are taught.
                  • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:24AM (7 children)

                    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:24AM (#962685) Journal

                    Microsoft has FreeBSD code. I don't see it having "embrace'd, extend'd, extinguish'd" FreeBSD. MacOS is based on FreeBSD. I don't see FreeBSD disappearing - on the contrary, Apple contributes source code back.

                    RMS was full of shit with his promise that the GPL would promote a flourishing software ecosystem. There's a lot more software choice with both Microsoft and Apple than with Linux.

                    --
                    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                    • (Score: 2) by DannyB on Wednesday February 26 2020, @03:45PM (6 children)

                      by DannyB (5839) Subscriber Badge on Wednesday February 26 2020, @03:45PM (#962907) Journal

                      I cannot disagree that RMS was full of something about a number of things he said.

                      If GPL had never been, if all software in the world had been FreeBSD, then I shudder to think what Microsoft might have done.

                      The fact that the worst didn't happen to FreeBSD might possibly be due to the GPL being the real fight Microsoft engaged against. Microsoft called out the GPL by name. Called it viral. Said it was a threat and "un-American". Jim Allchin said some of this and Ballmer said other of it, calling it cancer, etc. It's simply been too long for me to remember exact quotes and attributions at this point. The Halloween documents were clearly 'triggered' by the GPL.

                      --
                      People today are educated enough to repeat what they are taught but not to question what they are taught.
                      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:30PM (5 children)

                        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:30PM (#963180) Journal

                        And yet in the end, Linux the desktop lost and FreeBSD won. If Microsoft had decided to use FreeBSD, it would have attracted too much attention to FreeBSD and there might have been other competing OSes based on FreeBSD. That could only be a good thing.

                        So now we have a duopoly on the desktop. Without the GPL, Linux could have been in the mix. And Microsoft IS moving on Linux.

                        On phones, it's also a duopoly - Android (which is terribly designed - "hypercard for phones") and Apple.

                        It's still a battle for laptops, but Chromebooks are pretty tied to Google and its data centres. Not something I would ever use, but people want convenience over anything else.

                        And the whole idIOT thing - George Orwell would be pissing himself because it's far beyond anything he ever dreamed of. But "convenience."

                        --
                        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                        • (Score: 3, Interesting) by DannyB on Thursday February 27 2020, @03:27PM (4 children)

                          by DannyB (5839) Subscriber Badge on Thursday February 27 2020, @03:27PM (#963532) Journal

                          And yet in the end, Linux the desktop lost and FreeBSD won.

                          An interesting statement. Linux hasn't won the desktop. But has basically won everything else but the desktop. Almost any computer that is not desktop has Linux. I assume you refer to Apple as accounting for "FreeBSD + desktop" success. I'm not sure I would agree that FreeBSD is why Apple's desktop is successful. It already was successful in Mac OS 9 classic. FreeBSD was certainly a much better foundation for the evolution of Apple's products.

                          That is also the point at which I parted ways with Apple and got into Linux.

                          Android (which is terribly designed - "hypercard for phones") and Apple.

                          I'm not overly impressed with Android's design. Before Android my favorite was that WebOS thing from Palm which ran on Linux and looked very interesting. But they just didn't realize what they had and didn't get behind it. Reminds me of Xerox PARC.

                          Despite what I would have liked, Android is a pragmatic reality. It arguably has market dominance. It cannot be ignored if you want to build anything related to mobile phones or tablets.

                          Chromebooks are pretty tied to Google and its data centres.

                          I disagree. The only tie of Chromebooks to Google is for updates to the OS. What you do with your chromebook is largely tied to the internet, but not specifically to Google. Chromebooks can be thought of as a "smart terminal" for the 21st century. Connecting to "mainframes" of the 21st century (eg, Kubernetes or similar style data centers, or other Linux clusters in data centers).

                          You CAN, and I DO, use the local storage on my Pixelbook. It's a Chromebook, yes. But I use it in many ways like a Linux laptop computer. LibreOffice, local storage, and other Linux applications, including Eclipse, Java, Tomcat, etc. And it also runs Android apps which gives me another universe of applications outside of the Linux desktop applications.

                          George Orwell would be pissing himself

                          I can't disagree with that. Agree.

                          --
                          People today are educated enough to repeat what they are taught but not to question what they are taught.
                          • (Score: 2) by barbara hudson on Friday February 28 2020, @02:50AM (3 children)

                            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @02:50AM (#963920) Journal

                            It cannot be ignored if you want to build anything related to mobile phones or tablets.

                            Au contraire, IOS generates more revenue for developers off a much smaller user base than Android does despite having several times the user base.

                            If you have to devote your resources to one of the two platforms and you want to make money, it's IOS. Has been for more than a decade. Android users are cheap (that's an observation from devs for both platforms so don't blame me, mkay :-) ).

                            That being said, Android can be shifted to operate atop FreeBSD instead of Linux (FreeBSD can run many Linux binaries without modification, and of course there's no reason that Android can't be completely ported to FreeBSD). The real problem with that is as soon as it becomes possible and it's leaked to the wild, anyone can fork it and be completely free of the Google walled garden for anything and everything.

                            --
                            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                            • (Score: 2) by DannyB on Friday February 28 2020, @02:47PM (2 children)

                              by DannyB (5839) Subscriber Badge on Friday February 28 2020, @02:47PM (#964116) Journal

                              IOS generates more revenue for developers off a much smaller user base than Android does despite having several times the user base.

                              Thus: iOS good for developers, Android good for end users.

                              Android can't be completely ported to FreeBSD

                              Or Fuchsia.

                              --
                              People today are educated enough to repeat what they are taught but not to question what they are taught.
                              • (Score: 2) by barbara hudson on Friday February 28 2020, @05:02PM (1 child)

                                by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday February 28 2020, @05:02PM (#964170) Journal

                                I would say that there's a distinct lack of choice in Android apps - they are mostly adware-supported. That's not good for the users in either the short or long term. Then again, it's not like people should be loading up on apps anyway, on either Android or IOS. Part of the whole "get a life, people" thing.

                                In that sense smartphones are a public health menace, and not just from distracted driving/walking ... I used to be a skeptic when it came to Internet addiction, but I've seen people are totally addicted to social media and online games, so I've changed my opinion 180 degrees, based on observational evidence.

                                When I'm sick, I can't just loll around in bed and read a book (still can't read a paper book) so I'll post here. But it becomes onerous as I get better, because I would rather be around people. It's not that the internet is a poor substitute - it isn't any sort of substitute. And yet we have people who voluntarily choose to self-isolate in the alternate reality online. I'm not optimistic of the future, and smartphones, regardless of operating system, are just too damn convenient for most people to avoid being continuously distracted by them.

                                In the end, the motivations of devs on both platforms are the same - eyeballs, either to generate ad revenue or paid revenue.

                                --
                                SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                                • (Score: 2) by DannyB on Friday February 28 2020, @06:11PM

                                  by DannyB (5839) Subscriber Badge on Friday February 28 2020, @06:11PM (#964228) Journal

                                  I've come to realize that having hundreds of millions of apps in an app store is pretty meaningless. What matters is that there are apps that are useful to you.

                                  I've found some ad supported apps that I like. I've found other apps that I felt worth paying for, both because I liked the app, and wanted to avoid ads.

                                  Years ago I settled onto a collection of apps that I like.
                                  * calculators, several
                                  * network apps, ping, dns, ssh client, ftp server/client, traceroute, network analyzers, etc
                                  * a preferred file manager
                                  * a couple music players
                                  * notepad type app
                                  * midi apps
                                  * several puzzle games, especially "Unblock me" (aka "traffic jam") for which I've written a Java solver, for amusement
                                  * a favorite sleep sounds app, rarely used
                                  * home control apps
                                  * browsers
                                  * Google: hangouts, keep, docs, maps, gmail, etc.
                                  * Signal
                                  * News apps
                                  * a favorite Bible app with in-app purchases (multiple translations, commentaries, etc)
                                  * streaming video apps (Netflix, HBO, etc)

                                  That, I think, about covers it. When I get a new phone, all those apps just appear on the new device.

                                  I rarely look in the play store for new things.

                                  Despite all those apps, I don't spend much time looking at my phone. I only use the phone for specific purposes. To read at a regular time. Check news at a fairly regular time. Occasional messaging with family members or close friends.

                                  I DO NOT use any social media ever. So no Facebook, Twitter accounts ever.

                                  So I'm not of the texting & walking type. I think the "social" media apps are the biggest to blame for that. I think people who use social networks are the least happy. Or shortest attention span. One time when I was at Epcot, after dark, outside Mission Space, I saw someone texting and walking -- right into a park bench. It happened so quick.

                                  --
                                  People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by driverless on Tuesday February 25 2020, @03:09AM (1 child)

        by driverless (4770) on Tuesday February 25 2020, @03:09AM (#962177)

        If you use SSL/TLS certs, then you probably already have some mechanism for updating them. After all, they have to be updated, just not as quickfully as Apple might like.

        Yeah, because Bob's Hardware Store's top priority in the world is playing ball with some braindead certificate agenda that some geek at Apple dreamed up over their latte this morning.

        • (Score: 1, Insightful) by Anonymous Coward on Tuesday February 25 2020, @06:03AM

          by Anonymous Coward on Tuesday February 25 2020, @06:03AM (#962248)

          But Bob's Hardware Store does have a plan for that. It is called paying for a managed server/hosting.

    • (Score: 3, Funny) by DrkShadow on Tuesday February 25 2020, @12:42AM

      by DrkShadow (1404) on Tuesday February 25 2020, @12:42AM (#962111)

      Who does Apple think they are? Microsoft from the 1990s?

      They _clearly_ think they're Google!

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday February 25 2020, @03:05AM

      by Anonymous Coward on Tuesday February 25 2020, @03:05AM (#962174)

      It is an acknowledgment that certificate revocation doesn't really work. Of course, a compromised cert that is trusted for up to a year is not adding much security. I'm sure Apple realizes this too, and they or Google will be pushing even shorter validity periods, in the future.
