0 users browsing Discussion. | 1 guest | 35 bots  
    Main » Discussion » Mozilla, *sigh*
    Pages: First Previous 14 15 16 17 18 19 20 21 22 23 24 Next Last
    Posted on 19-09-10, 11:36 (revision 1)
    Post: #271 of 426
    Since: 10-30-18

    Last post: 499 days
    Last view: 14 days
    If you view the Page Info for a website you can disable cookie blocking, but there's nowhere in the UI to gain an overview of these exceptions across all websites where you've implemented custom permissions. That far left image in my screenshot doesn't show the exceptions you make via that Page Info method, nor does it let you easily view individual website configurations so it's mostly redundant.

    AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64
    Posted on 19-09-10, 19:49
    Stirrer of Shit
    Post: #621 of 717
    Since: 01-26-19

    Last post: 1763 days
    Last view: 1761 days
    Posted by CaptainJistuce
    Backwards-compatibility is of value.
    I don't think that "if someone can't afford a new computer, they should be banned from the internet" is a good attitude, and that's where we're headed. Current versions of Firefox and Chrome won't run on anything older than Windows 7. That ALREADY leaves a lot of people out in the cold. There is nothing wrong with their Vista and XP machines, but browser vendors said we can't use them anymore and websites said we can't use old browsers.
    If you want to tell me privacy needs to be aggressively pursued at the cost of breaking existing browsers, you need to make sure that new browsers are available for older systems.

    Well, while it's regrettable, that is the way things work anyway, so then it only makes sense that this should be made a basic underlying assumption and worked with from there.

    I mean, who the hell is too poor to afford anything but a PowerBook 190? Poor people use low-end/used/old smartphones, and they handle the Modern Web™ just fine.

    Why does it need to be made sure that newer browsers exist for older systems? In theory, there is nothing preventing anyone from making or backporting a browser if they feel the existing alternatives are inadequate, and in practice, Vista and below are exceedingly rare nowadays - heavy enough of an edge case that anyone using XP as a daily driver certainly knows what they're getting themselves into.
    Also, there's a financial incentive to NOT change the DNS infrastructure. ISPs use their status as "your DNS server" to serve ads on failed lookups instead of returning an error. Commercial filter software relies on DNS being transparent.
    Hell, commercial interests are trying to sabotage TLS 1.3, because enterprise software relies on flaws in TLS1.2 to do things that were easier to implement without abusing TLS1.2 in the first place.

    I won't deny they don't line up 100%, but they're far closer to perfect than they have ever been in the past. ISP money from DNS hijacking and commercial filter software are pennies on the dollar compared to the economic might of CloudFlare/Google.

    Sorry, but nope. There ought to exist a mechanism right now to tell my network "this domain is untrusted and nothing on my network should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

    How can Firefox tell it is really you, the user, of which it is the agent, though? Such cases are a hundred to one compared to corporate/national attacks. You could rewrite the sentence as such, and it would still make as much sense;
    There ought to exist a mechanism right now to tell my country "this domain is terroristic and nobody in my country should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

    DNS does not exist for the sake of censorship, it exists to provide name resolution - arguing its raison d'etre is that it should exist to do poor name resolution seems like a queer idea.

    If such bad actors do concern you, the proper course of action is an IP block.
    Instead, Firefox and Chrome want to block websites based solely on Google's "dangerous website" list. And we've already seen how THAT works. How much worse will it be when Google has the power to be overtly malicious instead of overtly inept and subtly malicious?

    Google already has the power to be overtly malicious, so there is no scenario in which this changes anything. That Firefox implements their blocklist is regrettable, but as the saying goes, he who pays the piper calls the tune.
    With that said, what does Google have to do with DoH? They run 8.8.8.8, and I would imagine they can run a DoH server too, but by my understanding so could I if I were so inclined.
    I do agree that the CA-DNS cartel is a bad idea which relies on outdated technology, and it will probably never be fixed, but since it will never be fixed I can't see any additional harm in letting the CA/DNS people control CA/DNS.

    Personally, I think it's a moot point in the long run. For applications requiring privacy, Tor is the only suitable option, and for anything else privacy is irrelevant and perhaps even undesirable. As a corollary, relying on clearnet for privacy would be like relying on UB. It would be much easier to deal with this type of matters if this were the official position of everyone, since it would follow from it that no users suffer from Internet censorship and thus the issue could be disregarded without harming anyone's privacy.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-09-10, 23:51
    Custom title here

    Post: #688 of 1164
    Since: 10-30-18

    Last post: 63 days
    Last view: 14 hours
    Posted by sureanem
    Posted by CaptainJistuce
    Backwards-compatibility is of value.
    I don't think that "if someone can't afford a new computer, they should be banned from the internet" is a good attitude, and that's where we're headed. Current versions of Firefox and Chrome won't run on anything older than Windows 7. That ALREADY leaves a lot of people out in the cold. There is nothing wrong with their Vista and XP machines, but browser vendors said we can't use them anymore and websites said we can't use old browsers.
    If you want to tell me privacy needs to be aggressively pursued at the cost of breaking existing browsers, you need to make sure that new browsers are available for older systems.

    Well, while it's regrettable, that is the way things work anyway, so then it only makes sense that this should be made a basic underlying assumption and worked with from there.

    I mean, who the hell is too poor to afford anything but a PowerBook 190? Poor people use low-end/used/old smartphones, and they handle the Modern Web™ just fine.

    The Powerbook is a toy I traded a case of beer to a coworker for. I don't genuinely EXPECT it to still be supported, but the main thing keeping it off the net IS security theater, which affects more modern systems too.
    Computers which were bought by someone who no longer has the money to upgrade, computers which were handed off to the less-fortunate when someone else upgraded, computers which do everything they need to do fine except that someone decided that security theater requires them being banned from the internet.

    The things you can do on the internet with a little pocket computer datatablet are not actually the same as the things you can do with a desktop or laptop computer, unless your use of computers begins and ends at "surfing". Also, vision-impaired people can't see them tiny screens. People with motor disabilities can't touch them tiny screens with remotely the necessary accuracy. "Poor people should just get a cheap smartphone" is not actually a solution.


    And you don't just get to say "it's regrettable, but that's how it is" while proselytizing for the changes that MAKE it the way it is.
    It is only in the last few years that breaking changes to the internet have become a thing, and they are almost without exception done to give people a false sense of security.



    Why does it need to be made sure that newer browsers exist for older systems? In theory, there is nothing preventing anyone from making or backporting a browser if they feel the existing alternatives are inadequate, and in practice, Vista and below are exceedingly rare nowadays - heavy enough of an edge case that anyone using XP as a daily driver certainly knows what they're getting themselves into.

    Windows XP has 2.8% market share, which is more than Vista. Hell, it is more than ALL Linux(except Android).
    https://www.netmarketshare.com/operating-system-market-share.aspx?options=;{"filter"%3A{"%24and"%3A[{"deviceType"%3A{"%24in"%3A["Desktop%2Flaptop"]}}]}%2C"dateLabel"%3A"Trend"%2C"attributes"%3A"share"%2C"group"%3A"platformVersion"%2C"sort"%3A{"share"%3A-1}%2C"id"%3A"platformsDesktopVersions"%2C"dateInterval"%3A"Monthly"%2C"dateStart"%3A"2018-09"%2C"dateEnd"%3A"2019-08"%2C"segments"%3A"-1000"}

    Any argument against supporting Windows XP is also an argument against supporting any non-Windows OS(except Android).


    Also, there's a financial incentive to NOT change the DNS infrastructure. ISPs use their status as "your DNS server" to serve ads on failed lookups instead of returning an error. Commercial filter software relies on DNS being transparent.
    Hell, commercial interests are trying to sabotage TLS 1.3, because enterprise software relies on flaws in TLS1.2 to do things that were easier to implement without abusing TLS1.2 in the first place.

    I won't deny they don't line up 100%, but they're far closer to perfect than they have ever been in the past. ISP money from DNS hijacking and commercial filter software are pennies on the dollar compared to the economic might of CloudFlare/Google.

    See also: enterprise usage, ISP backend upgrades.


    Sorry, but nope. There ought to exist a mechanism right now to tell my network "this domain is untrusted and nothing on my network should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

    How can Firefox tell it is really you, the user, of which it is the agent, though? Such cases are a hundred to one compared to corporate/national attacks. You could rewrite the sentence as such, and it would still make as much sense;
    There ought to exist a mechanism right now to tell my country "this domain is terroristic and nobody in my country should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

    DNS does not exist for the sake of censorship, it exists to provide name resolution - arguing its raison d'etre is that it should exist to do poor name resolution seems like a queer idea.

    If such bad actors do concern you, the proper course of action is an IP block.

    DNS intentionally provides a multi-tiered system where a local DNS server can override a remote one. It has ALWAYS been intended that you can specify your own name resolution.

    Hell, the original DNS implementation was user-side only. HOSTS.TXT, MOTHERFUCKERS!

    Instead, Firefox and Chrome want to block websites based solely on Google's "dangerous website" list. And we've already seen how THAT works. How much worse will it be when Google has the power to be overtly malicious instead of overtly inept and subtly malicious?

    Google already has the power to be overtly malicious, so there is no scenario in which this changes anything. That Firefox implements their blocklist is regrettable, but as the saying goes, he who pays the piper calls the tune.
    With that said, what does Google have to do with DoH? They run 8.8.8.8, and I would imagine they can run a DoH server too, but by my understanding so could I if I were so inclined.

    "DNS can be censored, so we need to change the internet so the only way to censor the internet is through Google's blacklist"?


    Personally, I think it's a moot point in the long run. For applications requiring privacy, Tor is the only suitable option

    Translation: Privacy doesn't exist.

    --- In UTF-16, where available. ---
    Posted on 19-09-11, 20:24
    Dinosaur

    Post: #537 of 1316
    Since: 10-30-18

    Last post: 3 hours
    Last view: 3 hours
    And now Google has announced their plans to deploy D'OH:

    https://tech.slashdot.org/story/19/09/11/1437235/google-to-run-dns-over-https-doh-experiment-in-chrome

    yeah, "experiment", right...

    For those trying to get DNS replaced by D'OH:

    - No OS supports D'OH natively: at this stage, user applications are supposed to BYOD'OH support.
    - There is also no support for D'OH on DHCP, unless someone comes up with a extension field and manages OS to support it.
    - Deploy D'OH at home? You can do it, but you now have to either wait for your applications to add support to it, or the whole IT industry to get their act together and bring OS-wide support. Good luck getting Troo UNIX® Way nerds and systemd fanboys on board (the former will reject it because it's too complex, the latter will came with systemd-doh which will be buggy and create more defectors to the BSD camp, where I guess there will also be plenty of bikeshedding over the matter). Also: dealing with certificates. Yuck.
    - Your legacy boxes are not welcome to the party.
    - Same as your bootloaders: suddenly you now have to get a full TLS stack implemented into your boot ROMs/firmware/BIOS/UEFIs/whatever. Yay wider attack surfaces! Security researches are gonna inflate their bank accounts even more with their fancy logo-and-website vulnerabilities!
    - The idea of D'OH is not to bring security (wasn't DNS-over-TLS the standards complaint way to do so?) or privacy AT ALL, but to strip you, the luser from being the owner of YOUR devices, because that's how IT rolls today, in the smartdevice era. If the CIA/NSA/FSB/China/Jeff Bezos' secretary want to spy on your DNS queries, they will still be able to do so anyway. They're taking advantage of the fact that normies and millenials don't give a fuck on anything regarding being in control of their goddamned devices because that involves, y'know, learning. And "learning IZ HARD, oh, the Kartrashians are on TV!!!".

    Seriously, D'OH is a very bad idea that comes straight from the road to Hell, paved with "good intentions".

    Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
    Posted on 19-09-12, 23:05
    Stirrer of Shit
    Post: #624 of 717
    Since: 01-26-19

    Last post: 1763 days
    Last view: 1761 days
    Posted by CaptainJistuce
    The Powerbook is a toy I traded a case of beer to a coworker for. I don't genuinely EXPECT it to still be supported, but the main thing keeping it off the net IS security theater, which affects more modern systems too.
    Computers which were bought by someone who no longer has the money to upgrade, computers which were handed off to the less-fortunate when someone else upgraded, computers which do everything they need to do fine except that someone decided that security theater requires them being banned from the internet.

    Well, I get it in theory. But I can't say I know of anyone actually using these extreme legacy devices. The poor people I know either use old Android phones with cracked screens and whatever, or old laptops with the "free" upgrade to Windows 10. To my knowledge, Windows 10 runs on pretty much anything that Vista does, to varying degrees of performance.
    The things you can do on the internet with a little pocket computer datatablet are not actually the same as the things you can do with a desktop or laptop computer, unless your use of computers begins and ends at "surfing". Also, vision-impaired people can't see them tiny screens. People with motor disabilities can't touch them tiny screens with remotely the necessary accuracy. "Poor people should just get a cheap smartphone" is not actually a solution.

    No, it's not a solution all right, but it is how most poor people I know go at it in practice. The things of value I can do on the Internet - sign contracts, access my bank, interact with the government, talk to people - them I could do with a smartphone too if I were feeling masochistic enough.
    Lots of young people have never used a computer in their lives and just use smartphones/tablets. They're blazing fast at it too, they probably get the same WPM as I do on a proper keyboard.

    I don't know just what level of poor we're talking about here, but something like a used Chromebook should hardly break the bank even for the most destitute of people. If we are talking about literal homeless people, then I don't think they have anywhere to store a laptop anyway - I'd think they use public libraries or something.
    And you don't just get to say "it's regrettable, but that's how it is" while proselytizing for the changes that MAKE it the way it is.
    It is only in the last few years that breaking changes to the internet have become a thing, and they are almost without exception done to give people a false sense of security.

    Well, how exactly have these things broken? I wouldn't think it's due to the security theatre. Moore's law is a far more probable explanation. If I want to log in to my bank, doing this in an old browser which doesn't support JavaScript is not possible either.

    Without DoH, we would still have the problem of "legacy devices are legacy for a reason," so it can hardly be blamed for this development. Perpetually freezing web standards at 1995 levels because of alleged poor people who are stuck on Windows 95 is absurd, although I personally would be pleased for other reasons if that were the case.
    Windows XP has 2.8% market share, which is more than Vista. Hell, it is more than ALL Linux(except Android).
    https://www.netmarketshare.com/operating-system-market-share.aspx?options=;{"filter"%3A{"%24and"%3A[{"deviceType"%3A{"%24in"%3A["Desktop%2Flaptop"]}}]}%2C"dateLabel"%3A"Trend"%2C"attributes"%3A"share"%2C"group"%3A"platformVersion"%2C"sort"%3A{"share"%3A-1}%2C"id"%3A"platformsDesktopVersions"%2C"dateInterval"%3A"Monthly"%2C"dateStart"%3A"2018-09"%2C"dateEnd"%3A"2019-08"%2C"segments"%3A"-1000"}

    Any argument against supporting Windows XP is also an argument against supporting any non-Windows OS(except Android).

    This includes Micky Mouse places like China and Africa though. If you just look at civilized places it's practically zero. The SHS for instance puts XP at <0.10% while Linux clocks in at 0.80%. Consider that Steam also has a lot of people from those places, and the real ratio probably turns out to be 20 to 1 or something like that.

    And it's indeed true supporting Linux makes no financial sense - if you want electronic identification here (which you do need unless signing physical papers and sending them back and forth by mail is your idea of fun) you need to own a non-Linux (except Android) device. I'd reckon it's only a matter of time before I can't even log in to my bank without pulling out my smartphone, and it's only because it's extremely expensive for them (like $0.1 per login expensive) that they bother handing out physical security tokens.

    I would also like to point out that Linux obeys the standards of the web and runs modern browsers, unlike Windows XP, and having your website support Linux often requires no additional effort - good luck running Ubuntu Warty in 2019.
    See also: enterprise usage, ISP backend upgrades.

    Pennies on the dollar.

    DNS intentionally provides a multi-tiered system where a local DNS server can override a remote one. It has ALWAYS been intended that you can specify your own name resolution.

    Hell, the original DNS implementation was user-side only. HOSTS.TXT, MOTHERFUCKERS!

    Yes, and SMTP was originally intended to be anonymous because that's how post offices worked. That didn't turn out too good and now we're layers and layers of bandaids in, with the end result being that you now have a few 'good' mail providers who authenticate you via cell phone and chuck all the rest's into the spam folder or even kill them silently. Far better then to rip off the bandaid and kill the archaic service that is DNS.
    "DNS can be censored, so we need to change the internet so the only way to censor the internet is through Google's blacklist"?

    Well, yes. I'd rather we got rid of both, but the net result from removing one source of censorship is always positive.

    Translation: Privacy doesn't exist.

    What do you mean? Tor is plenty private, and many websites which have trouble with clearnet already today find themselves with no other choice but to use it. If censorship/snooping continues it seems as if this development too should continue, but that hardly means privacy is dead.

    Let's go through a list of problems with regular HTTP over clearnet
    * ISPs can see your traffic
    * ISPs can see who you're connecting to
    * ISPs can edit your traffic
    * ISPs can block websites entirely
    * This also goes for whoever runs your network
    * DoS mitigation providers' consent is needed to run a website
    * * DoS mitigation providers with controversial customers lose peers
    * DNS providers can make it impossible to use said websites
    * ISPs or various other attackers can manipulate DNS

    HTTPS doesn't even fix half of these, although arguably the worst flaws.

    Now let's compare this to Tor
    * ISPs can only see that you're using Tor, if even that (see: bridges)
    * ISPs can't edit your traffic
    * ISPs can (maybe) block Tor entirely, but it's all or nothing and you know what's going on if your connection cuts out
    * DoS attacks on the network level are impossible
    * There is no such thing as DoS mitigation providers
    * There is no such thing as DNS providers
    * It is not possible to manipulate DNS as names are cryptographically verified

    It seems like a sensible solution to the problem to me.

    Posted by tomman
    - No OS supports D'OH natively: at this stage, user applications are supposed to BYOD'OH support.

    Good. Relying on the OS for cert store has caused all sorts of issues, far better if all applications statically link in DoH support.
    - There is also no support for D'OH on DHCP, unless someone comes up with a extension field and manages OS to support it.

    Good, ISPs should not handle DNS.
    - Deploy D'OH at home? You can do it, but you now have to either wait for your applications to add support to it, or the whole IT industry to get their act together and bring OS-wide support. Good luck getting Troo UNIX® Way nerds and systemd fanboys on board (the former will reject it because it's too complex, the latter will came with systemd-doh which will be buggy and create more defectors to the BSD camp, where I guess there will also be plenty of bikeshedding over the matter). Also: dealing with certificates. Yuck.

    This is a feature, not a bug. OS-wide resolvers cause all sorts of issues, whereas a tiny outbound TCP connection to port 443 is almost always OK.
    I agree that certificates are bad, we should use blockchain to do away with PKI.
    - Your legacy boxes are not welcome to the party.
    - Same as your bootloaders: suddenly you now have to get a full TLS stack implemented into your boot ROMs/firmware/BIOS/UEFIs/whatever. Yay wider attack surfaces! Security researches are gonna inflate their bank accounts even more with their fancy logo-and-website vulnerabilities!

    Why do my boot ROMs need networking at all? Updates?
    - The idea of D'OH is not to bring security (wasn't DNS-over-TLS the standards complaint way to do so?) or privacy AT ALL, but to strip you, the luser from being the owner of YOUR devices, because that's how IT rolls today, in the smartdevice era. If the CIA/NSA/FSB/China/Jeff Bezos' secretary want to spy on your DNS queries, they will still be able to do so anyway. They're taking advantage of the fact that normies and millenials don't give a fuck on anything regarding being in control of their goddamned devices because that involves, y'know, learning. And "learning IZ HARD, oh, the Kartrashians are on TV!!!".

    DNS-over-TLS is made to be easy to be blocked. Here's what Paul Vixie has to say on the matter:
    Posted by Paul Vixie
    DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

    Posted by Paul Vixie
    if your network operator is me in any form, then none of those bypasses [VPNs] will work, because i defend my control plane, which includes dns. i think the IETF was way wrong to standardize DoH since not all network operators are malicious -- my enterprise and home nets are examples

    Posted by Paul Vixie
    That's inverted. A network operators who defends their control plane may be more worried by outside actors than by it's users. Defensive tunneling from my house or work is not in your interest or mine. Don't do it. Esp not by default. Please.

    Posted by Paul Vixie
    Nope[, DoH is not about protection against untrusted local networks]. DoH will be the default setting for many BYOD, and will mindlessly bypass security policy. Not at all like DoT, which can be filtered by any network operators with ease, to force local resolver use. DoH is a big F.U. to ALL network operators.

    Does this sound like a man you trust with making your standards?
    I'm not going to call into questions Mr. Vixie's allegiances here, but I will say that if I were tasked with writing satire to make DoT proponents look bad, this is exactly what I would write.

    Financially, I think it's closer to that Google reasons that they gain next to nothing from ISPs/enterprise controlling DNS, while they lose out on some amount of ad money from people browsing the Internet less while at work.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-09-13, 06:51
    Full mod

    Post: #340 of 443
    Since: 10-30-18

    Last post: 1101 days
    Last view: 172 days
    Traditionally, retrieving a web-page involves trusting a lot of people:

    - the browser vendor
    - the os vendor
    - other apps installed on the same PC
    - the local network admin
    - all the upstream ISPs between you and the website
    - all the governments with jurisdiction over all the above parties

    That's a lot of trusted parties, and everybody agrees the world would be a lot safer if we didn't have to trust as many of them. But eliminating one of them means trusting the others even more, and *all* of those parties have been untrustworthy at different times in different places.

    So when one person says "we should encrypt everything to protect ourselves from the local network admin" (the Firesheep attack/malicious wifi access points), another person says "But I'm my local network admin, and I want things to trust me so I don't have to trust upstream ISPs". And so on and so forth for every possible pair of parties in the above list. And none of those people are wrong, but also none of them are right.

    So far as I can see, there's a few ways this could go:

    1. status quo (chaos)
    2. "the needs of the many outweigh the needs of the few"
    3. educate everybody involved to the point where they can make an informed choice about what approach suits their personal threat model

    Given how much power browsers wield in the modern Internet, and how over-eager they are to wield that power responsibly, my bet is on #2 in the long-term, even despite the heavy inertia of our technology stack, and despite how much I'd prefer #3.

    The ending of the words is ALMSIVI.
    Posted on 19-09-13, 07:22
    Custom title here

    Post: #691 of 1164
    Since: 10-30-18

    Last post: 63 days
    Last view: 14 hours
    Posted by sureanem

    Well, I get it in theory. But I can't say I know of anyone actually using these extreme legacy devices. The poor people I know either use old Android phones with cracked screens and whatever, or old laptops with the "free" upgrade to Windows 10. To my knowledge, Windows 10 runs on pretty much anything that Vista does, to varying degrees of performance.

    And obviously, you know everyone.
    I DO know of people using XP machines. Also, Vista was not eligible for a free Win10 upgrade. This is why I have a machine running Vista today. Speaking of browsers vs old computers, I can't run Steam on the Vista box anymore because Chrome doesn't support Vista and Steam uses Chrome for much of the interface.

    And you don't just get to say "it's regrettable, but that's how it is" while proselytizing for the changes that MAKE it the way it is.
    It is only in the last few years that breaking changes to the internet have become a thing, and they are almost without exception done to give people a false sense of security.

    Well, how exactly have these things broken? I wouldn't think it's due to the security theatre. Moore's law is a far more probable explanation. If I want to log in to my bank, doing this in an old browser which doesn't support JavaScript is not possible either.

    Moore's law is not why internet development has moved away from backwards-compatibility and graceful failure and on into "require the latest of everything to do anything online".
    And exactly how old a browser do you need to get before you find one that doesn't support javascript? Seriously, that was invented by Netscape.

    Without DoH, we would still have the problem of "legacy devices are legacy for a reason," so it can hardly be blamed for this development.

    Legacy devices are "legacy" because they are no longer for sale. Sometimes not even that. RS-232 is a "legacy port" and it is still in widespread use today.
    Find me a genuine reason a device shouldn't be supported beyond "Oh my god, that is, like, soooooo old! Why don't they buy a new computer already?!?!"
    The point is that these machines are being artificially kicked off the internet because no one wants to compile a browser for them(solely due to laziness) and internet people no longer believe that compatibility is a good thing.


    This includes Micky Mouse places like China and Africa though. If you just look at civilized places it's practically zero. The SHS for instance puts XP at <0.10% while Linux clocks in at 0.80%. Consider that Steam also has a lot of people from those places, and the real ratio probably turns out to be 20 to 1 or something like that.

    Oh, it only hurts the blacks and yellows and barely touches real white people? Well that's okay, then!



    I would also like to point out that Linux obeys the standards of the web and runs modern browsers, unlike Windows XP, and having your website support Linux often requires no additional effort - good luck running Ubuntu Warty in 2019.

    You really don't understand the difference between a web browser and an operating system, do you? XP doesn't NEED to support web standards, because the BROWSER is responsible for that.



    DNS intentionally provides a multi-tiered system where a local DNS server can override a remote one. It has ALWAYS been intended that you can specify your own name resolution.

    Hell, the original DNS implementation was user-side only. HOSTS.TXT, MOTHERFUCKERS!

    Yes, and SMTP was originally intended to be anonymous because that's how post offices worked. That didn't turn out too good and now we're layers and layers of bandaids in, with the end result being that you now have a few 'good' mail providers who authenticate you via cell phone and chuck all the rest's into the spam folder or even kill them silently. Far better then to rip off the bandaid and kill the archaic service that is DNS.

    Spam filters that can't be disabled and eat far more real e-mails than they do spam. And are you seriously suggesting that e-mail accounts should require identity verification?


    Translation: Privacy doesn't exist.

    What do you mean? Tor is plenty private, and many websites which have trouble with clearnet already today find themselves with no other choice but to use it. If censorship/snooping continues it seems as if this development too should continue, but that hardly means privacy is dead.

    Right, keep telling yourself that a networking scheme designed by the US government in the twenty-first century is unmonitorable. Whatever helps you sleep.



    Let's go through a list of problems with regular HTTP over clearnet
    ...
    * This also goes for whoever runs your network

    That's me. And if I want to block a website, I think I'm allowed.
    Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"


    This is a feature, not a bug.

    This is a catchphrase, not an argument.
    Especially since tomman was calling it a flaw, not a bug.


    ...we should use blockchain...

    Said no sane person ever.


    DNS-over-TLS is made to be easy to be blocked. Here's what Paul Vixie has to say on the matter:
    Posted by Paul Vixie
    DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

    Posted by Paul Vixie
    if your network operator is me in any form, then none of those bypasses [VPNs] will work, because i defend my control plane, which includes dns. i think the IETF was way wrong to standardize DoH since not all network operators are malicious -- my enterprise and home nets are examples

    Posted by Paul Vixie
    That's inverted. A network operators who defends their control plane may be more worried by outside actors than by it's users. Defensive tunneling from my house or work is not in your interest or mine. Don't do it. Esp not by default. Please.

    Posted by Paul Vixie
    Nope[, DoH is not about protection against untrusted local networks]. DoH will be the default setting for many BYOD, and will mindlessly bypass security policy. Not at all like DoT, which can be filtered by any network operators with ease, to force local resolver use. DoH is a big F.U. to ALL network operators.

    Does this sound like a man you trust with making your standards?
    I'm not going to call into questions Mr. Vixie's allegiances here, but I will say that if I were tasked with writing satire to make DoT proponents look bad, this is exactly what I would write.

    I dunno, he sounds perfectly sane and reasonable to me. There are extremely valid reasons for blocking sites from a network. DoH IS a big F.U. to all network operators.

    --- In UTF-16, where available. ---
    Posted on 19-09-13, 07:33
    Off-Model

    Post: #394 of 599
    Since: 10-29-18

    Last post: 196 days
    Last view: 26 min.
    Posted by CaptainJistuce
    Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"
    What, not even "localhost 127.0.0.1"?
    Posted on 19-09-13, 09:20
    Custom title here

    Post: #692 of 1164
    Since: 10-30-18

    Last post: 63 days
    Last view: 14 hours
    Posted by Kawa
    Posted by CaptainJistuce
    Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"
    What, not even "localhost 127.0.0.1"?

    Fine, it contains one entry that has been hand-typed.

    --- In UTF-16, where available. ---
    Posted on 19-09-13, 12:11 (revision 1)
    Dinosaur

    Post: #539 of 1316
    Since: 10-30-18

    Last post: 3 hours
    Last view: 3 hours
    Who the fuck is Paul Vixie!?

    No, please don't answer that. I don't care at all.

    Also, that was yet another fine sureanem's "I don't care about anyone living in shitholes with limited access to tech, while I wait for the glorious triumph of buttcoins and the death of cash" spampost.

    Can you land on the REAL WORLD before posting your useless, baseless utopias?! And yes, "REAL WORLD" goes beyond that the four walls of your home.

    D'OH is a mistake, it is not an solution, nobody needs it, noone wants it, and will fail HARD.

    Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
    Posted on 19-09-13, 23:47
    Stirrer of Shit
    Post: #625 of 717
    Since: 01-26-19

    Last post: 1763 days
    Last view: 1761 days
    Posted by Screwtape
    Traditionally, retrieving a web-page involves trusting a lot of people:

    - the browser vendor
    - the os vendor
    - other apps installed on the same PC
    - the local network admin
    - all the upstream ISPs between you and the website
    - all the governments with jurisdiction over all the above parties

    That's a lot of trusted parties, and everybody agrees the world would be a lot safer if we didn't have to trust as many of them. But eliminating one of them means trusting the others even more, and *all* of those parties have been untrustworthy at different times in different places.

    Well, look at it from the opposite perspective here. Say we introduce an eight party, Bob here from in off the street, who gets as much power as all the other parties. Clearly this would be a bad move, and we'd be in a worse position. So I wouldn't think it's a matter of "is this party less trustworthy than the other ones," but rather that removing one means of control decreases the total amount of such interference.

    Case in point here, I can't think of any large-scale cases of the browser or OS outright tampering with pages. As for other applications, well just don't install them. #5 and #6 are obviously regrettable, but for them there are other technological solutions. (e.g. Tor)

    So far as I can see, there's a few ways this could go:

    1. status quo (chaos)
    2. "the needs of the many outweigh the needs of the few"
    3. educate everybody involved to the point where they can make an informed choice about what approach suits their personal threat model

    Well, #3 is what I believe in English you would call a chimera. As for the other two, I think your analysis is spot on.

    Posted by CaptainJistuce
    Posted by sureanem

    ... I can't say I know of anyone actually using these extreme legacy devices. ...

    And obviously, you know everyone.
    I DO know of people using XP machines. Also, Vista was not eligible for a free Win10 upgrade. This is why I have a machine running Vista today. Speaking of browsers vs old computers, I can't run Steam on the Vista box anymore because Chrome doesn't support Vista and Steam uses Chrome for much of the interface.

    And what are the odds of these people being computer enthusiasts vs. ghetto dwellers?
    You can look at the stats here - we are talking about something like 0.1% of the population. This is not a tenable position to take - far more than 0.1% of the population have the sort of issues DoH would solve. Nearly all countries of note have DNS level blocking (you have ten seconds to name one which doesn't). There's maybe a million XP users (excluding China et al), while the EU alone has a population of 513 million, or around 513 times more.

    Moore's law is not why internet development has moved away from backwards-compatibility and graceful failure and on into "require the latest of everything to do anything online".
    And exactly how old a browser do you need to get before you find one that doesn't support javascript? Seriously, that was invented by Netscape.

    Well, we are dealing with theoretical examples aren't we? I get the virtues of reverse compatibility, but there is something to be said for having a uniform platform to develop for. And while I would rather have this be something uniform and stable (say Windows 7 1080p 64-bit, no high dpi or other nonsense), in the event that this is not possible it is clearly preferable to assume that users are using a supported setup.

    Clearly, Moore's law is what's been driving the shift into slower and slower websites, although for security it cannot be blamed.

    Legacy devices are "legacy" because they are no longer for sale. Sometimes not even that. RS-232 is a "legacy port" and it is still in widespread use today.

    OK, s/legacy/systems so old nobody can be bothered to compile a browser for them/g.

    Find me a genuine reason a device shouldn't be supported beyond "Oh my god, that is, like, soooooo old! Why don't they buy a new computer already?!?!"

    The devices already are. Debian runs on pretty much everything, and Windows 10 has quite low system requirements (2GB RAM, 1GHz CPU, 800x600).
    I would argue the browser makers are in the wrong here - even at just 0.1%, it should be no tremendous effort to at least do half-baked support for Windows XP. Furthermore, nothing prevents them from making the required alterations and compiling Firefox for their machines themselves.

    To claim that websites shouldn't adopt new technology (insofar as it is good) because browser makers don't feel like supporting legacy users is an absurd argument.
    The point is that these machines are being artificially kicked off the internet because no one wants to compile a browser for them(solely due to laziness) and internet people no longer believe that compatibility is a good thing.

    Compatibility is unprofitable, so it's hardly a matter of belief.

    Oh, it only hurts the blacks and yellows and barely touches real white people? Well that's okay, then!

    If you try to make decisions based on statistics from those places you'll end up with completely lopsided results, unless you have a very special demographic target. My interactions with Chinese people living in China pretty much stretches to GitHub because of GFW or such, and I can count on one hand the amount of posts (1; a guy in I think Kenya) I have seen from users in Africa (excluding SA, their northern neighbor, and the Maghreb).

    If you're developing software for third world countries you should probably try to optimize around feature phones and such because they are mobile-majority, but this makes absolutely no sense in the West. It's not a moral judgement, just a question of efficiency.

    You really don't understand the difference between a web browser and an operating system, do you? XP doesn't NEED to support web standards, because the BROWSER is responsible for that.

    XP needs to support APIs, and it presumably fails to uphold that end of the bargain. Again, if your point is that browser makers shouldn't cut compatibility so easily, that would be reasonable, but they do, and to then argue that you should design around people using unsupported browsers is a bad idea.

    Spam filters that can't be disabled and eat far more real e-mails than they do spam. And are you seriously suggesting that e-mail accounts should require identity verification?

    No, they do right now already (in some countries you could go buy a SIM card+burner, but that's mostly of theoretical interest), but a Hashcash-like system would have solved it just fine. Obviously with the issue of reverse compatibility. If this is ripped off, a lot of security issues big enough to drive a truck through could be fixed properly instead of duct-taped over.

    Right, keep telling yourself that a networking scheme designed by the US government in the twenty-first century is unmonitorable. Whatever helps you sleep.

    That the US government made it is not all too relevant here - the purpose was to help their CIA spooks communicate easier with HQ, as well as to facilitate fomenting color revolutions in the second world. To try and put backdoors in it would have been like drilling holes in your gun in case someone else steals it - not exactly ideal.

    That's me [operating my network]. And if I want to block a website, I think I'm allowed.
    Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"

    You, and your ISP, and a few layers upstream. How can a browser know who is controlling them all?

    This is a catchphrase, not an argument.
    Especially since tomman was calling it a flaw, not a bug.

    Touché. I did give a rationale for my reasoning though.

    Said no sane person ever.

    It solves exactly all the problems DNS/PKI has, while introducing no new downsides. For currencies, volatility is a bit of a problem, but if DNS renewals go between $1 and $100 a year it's not really the end of the world.

    Also, blockchains do solve the problem of "with what do we replace briefcases of unmarked $20 bills in the 21st century," it just doesn't solve the similar but related problem of "how does Alice send money to Bob for legitimate transactions". I think this is a very important distinction ot make.

    I dunno, he sounds perfectly sane and reasonable to me. There are extremely valid reasons for blocking sites from a network. DoH IS a big F.U. to all network operators.

    Sure, but who exactly is a network operator? The clearest definition I can get is "some bozo you have to trust by virtue of being a captive audience" - it could be anything from you to your ISP to your work to your country. I am begrudgingly okay with trusting some of these, but hardly all of them in all cases unconditionally.

    Posted by tomman
    Also, that was yet another fine sureanem's "I don't care about anyone living in shitholes with limited access to tech, while I wait for the glorious triumph of buttcoins and the death of cash" spampost.

    The two have nothing to do with each other - cash will die along with its users, who aren't exactly on the bright side of the actuarial tables. I only use it for cash-only businesses and contractors who give you cash discounts, and pulling out physical money in public tends to get you funny looks.

    Bitcoins have already triumphed in the sense that I can send nearly unlimited amounts of money from point A to point B without much fuss. Many politically controversial persons who otherwise could not receive bank transfers rely on it every day. There is not much to wait for, other than the government to go all-in and regulate cash/crypto, after which this will not be possible anymore.

    DoH is not a computationally expensive technology - if we were discussing JavaScript madness you'd have a very good point, but opening up a SSL socket and sending some HTTP really does not break the bank for any computer made on this side of the Clinton administration.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-09-14, 12:31
    Dinosaur

    Post: #541 of 1316
    Since: 10-30-18

    Last post: 3 hours
    Last view: 3 hours
    Whatever, dude. Keep your Reality Distortion Field at full blast, maybe someday, somebody will believe your crap.

    I'm not.


    ...back to Moz://a news: after all those years of sucking the Google teat, they've JUST figured how opensource projects used to earn their money honestly in the past. Nope, it wasn't donations, selling premium accounts, ads, or gratuitous CPU assraping.

    No, it's selling support to enterprise customers, a la Red Hat.
    https://news.slashdot.org/story/19/09/13/0917234/mozilla-launches-paid-premium-support-for-enterprise-customers

    As long as they don't become an Orrible® ("we're not rolling back this just-introduced regression because Some Big Customer needs it!"), I actually approve of this. Why bother monetizing the software if the money has always been on the SUPPORT!? If you don't want to pay, help yourself with the community resources. If you want quick bugfixes and don't want to commit developer resources in endless political fights ("CLOSED WONTFIX NOLONGERWELCOMEHERE"), you write a check.

    Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
    Posted on 19-09-14, 20:08
    Stirrer of Shit
    Post: #626 of 717
    Since: 01-26-19

    Last post: 1763 days
    Last view: 1761 days
    The real question is who runs Firefox for enterprise. The model worked well for Lua and SQLite - in Lua's case, they essentially said, "hey, I don't take donations, but I do run a consulting company - fork over the dough and I'll do real professional paid work on your issue of choice, or if you just want to donate tell me to pick one I feel like doing". As for SQLite, forking over money to get your very critical databases working properly seems like a fair bargain, especially when it's far cheaper and better than hiring a 'database guy' to work full-time. OTOH, they do sell proprietary extensions. Another issue is that they're extremely tiny and the examples seem to imply good for the users and scalable are mutually exclusive. I'd estimate annual turnover for SQLite at maybe $1m and Lua to about the same modulo cost of living, which is peanuts in comparison.

    But Firefox? Why would you want to run a browser that can pretty much only compete on privacy and other stuff which is decidedly irrelevant to business? If you don't care about that, then Chrome is superior: far better integration with Google Apps, better performance, and I think better enterprise integrations. Add in Google pulling "reverse integrations" with Firefox (as they say, there are no mistakes, just happy little accidents), and you don't end up with a browser that's exactly competitive.

    Also, Hr. Hipp (the SQLite guy) looks really badass in the image on his Wikipedia page, like the villain in an anime series or perhaps a Bond movie.


    My suggestion is that they try to find a non-hostile financier who has a vested interest in Firefox gaining market share against Google. I have yet to hear any good arguments for why they shouldn't. They have two strong bargaining chips here:
    * extreme amounts of cash for whoever takes the deal (although there is only really one possible buyer, so they better act fast before they're going at it from a position of weakness)
    * complete independence from antitrust rules and can do stuff that Chrome, being a direct subsidiary of Google, can't without getting curb-stomped by the regulator

    They could use this to secure privacy online (which would also be helpful to reinforce the second point) as well as a hefty paycheck ($1-5 billion at the bare minimum). Simply put, it would give them a very good club with which to bludgeon websites into submission, noblesse oblige style. They could even go for financial independence like the Nobel Foundation (lol who am I kidding). 75% savings rate gives 7 years, but if the cash flow cuts out halfway through they could probably cut expenses by 50% easy if they didn't have to earn money while doing so.

    In fine, let us recognize that the adoption of my advice will leave us each citizens of a free state, and as such arbiters of our own destiny, able to return good or bad offices with equal effect; while its rejection will make us dependent on others, and thus not only impotent to repel an insult, but on the most favourable supposition, friends to our direst enemies, and at feud with our natural friends.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-09-14, 20:54
    A punch comes free with most major felinies

    Post: #396 of 599
    Since: 10-29-18

    Last post: 196 days
    Last view: 26 min.
    OBJECTION!

    However badass Mr. Hipp may or may not look on his Wikipedia page has no bearing on the quality of his product, or the paid services that may be available for it.
    Posted on 19-09-15, 07:48
    Post: #92 of 205
    Since: 11-24-18

    Last post: 156 days
    Last view: 27 days
    On the subject of TOR, it is amazing how many people actually believe it is safe and secure and then proceed to run some other shenanigans. Tor is only safe if you adhere to a very strict policy which includes never opening PDFs online, always rely on HTTPS (which is a very weak security) and so on. Breaking these rules makes you pretty much trackable in either case. Because of that a standard VPN solution is far more reliable in order to protect your anonymity.

    TOR is a great tool built for a single purpose; to anonymously blow the whistle or release information in a single burst. For this it is excellent.
    Posted on 19-09-15, 08:34
    Custom title here

    Post: #693 of 1164
    Since: 10-30-18

    Last post: 63 days
    Last view: 14 hours
    Posted by sureanem

    Also, Hr. Hipp (the SQLite guy) looks really badass in the image on his Wikipedia page, like the villain in an anime series or perhaps a Bond movie.
    He looks like Steve Jobs.
    ...
    Wait, that's what you said.




    Okay, but seriously... when is the tech industry gonna get over "Jobs wore black turtlenecks so we must too!"? Jobs was an asshole, are you gonna be one too just because he was... wait, don't answer that, I'm happier not knowing.

    --- In UTF-16, where available. ---
    Posted on 19-09-15, 08:39
    Stirrer of Shit
    Post: #627 of 717
    Since: 01-26-19

    Last post: 1763 days
    Last view: 1761 days
    Posted by wertigon
    On the subject of TOR, it is amazing how many people actually believe it is safe and secure and then proceed to run some other shenanigans. Tor is only safe if you adhere to a very strict policy which includes never opening PDFs online, always rely on HTTPS (which is a very weak security) and so on. Breaking these rules makes you pretty much trackable in either case. Because of that a standard VPN solution is far more reliable in order to protect your anonymity.

    TOR is a great tool built for a single purpose; to anonymously blow the whistle or release information in a single burst. For this it is excellent.

    This is FUD posted by the VPN companies, and not only this but also old FUD. For instance, opening pdf files in Tor Browser is as I recall it perfectly safe, so this must have been before pdf.js was ubiquitous. All the other stuff save for perhaps HTTPS is common sense. Maximizing the window leaves you open to a fingerprinting attack, but it's hardly instant deanonymization.

    More importantly, using Tor for onion browsing doesn't have these pitfalls. Everything goes end-to-end through the network, so all the exit node stuff is a non-issue.

    As for VPNs, they provide only extremely weak security: now the VPN provider can do active/passive MITM, and unlike the exit node, they know exactly who you are and where you're connecting from. Furthermore, there are a ton of technological issues with the whole idea of forwarding an entire interface. For instance, you can still be tracked through port numbers, and you cross-contaminate all your identities since the whole OS goes through it. VPN is good if you're an American using BitTorrent, and that's about it. It makes absolutely no effort to deal with linkability or media files, so it's hardly more secure or reliable than Tor. Just downloading TBB and using it is still going to be safer than using a VPN and your regular browser, no matter the mode of usage.

    There was a certain photograph about which you had a hallucination. You believed that you had actually held it in your hands. It was a photograph something like this.
    Posted on 19-09-15, 11:48
    Post: #275 of 426
    Since: 10-30-18

    Last post: 499 days
    Last view: 14 days
    >Maximizing the window leaves you open to a fingerprinting attack, but it's hardly instant deanonymization.

    Uh... what? How?

    AMD Ryzen 3700X | MSI Gamer Geforce 1070Ti 8GB | 16GB 3600MHz DDR4 RAM | ASUS Crosshair VIII Hero (WiFi) Motherboard | Windows 10 x64
    Posted on 19-09-15, 14:58
    Post: #93 of 205
    Since: 11-24-18

    Last post: 156 days
    Last view: 27 days
    This is FUD posted by the VPN companies, and not only this but also old FUD.


    I am a security professional, I know quite a few people working with this, and I have hacked quite a few of these very connections myself (for academic purposes only). Sorry, but it is not FUD. TOR is about as safe and anonymous to use through everyday usage as Bitcoin is.

    The basic gist of it is, anything you download that makes a http request outside the TOR browser may reveal your identity. It could be an installer, a video game, an excel document or a CAD file. A VPN is not quite as vulnerable to this, but neither option is perfect.

    Ignore the expert, though. After all, that is what you are good at. :)
    Posted on 19-09-15, 16:27
    Dinosaur

    Post: #544 of 1316
    Since: 10-30-18

    Last post: 3 hours
    Last view: 3 hours
    Posted by Nicholas Steel
    >Maximizing the window leaves you open to a fingerprinting attack, but it's hardly instant deanonymization.

    Uh... what? How?

    More plain FUD from the "security researches" that led to the premature death of the Battery API in Javascript because Teh Googles could use your battery level to sell products and services to you or some BS.

    Javascript is a unholy mess and can be used for evil, but this is waaaaaaaaaaaaaaaaaaay low in the scale of importance, but hey, it's clickbait.

    Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
    Pages: First Previous 14 15 16 17 18 19 20 21 22 23 24 Next Last
      Main » Discussion » Mozilla, *sigh*
      Yes, it's an ad.