On the post: EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'
Re: Re: Browsers and Certificate Authorities
MITM = Man In The Middle (or monkey in the middle)
On the post: EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'
MITM attacks
Follow my chain of thinking here.
Maybe the web needs a protocol that is like HTTP, but encrypted, without attempting to prove the identity of the other end by using certificates.
This would let every web site use encryption without cost or jumping through any hoops.
But you wouldn't know for sure that you are really talking to the web site that you think you are talking to. For most web surfing this is okay. But when you're talking to your Bank, or to Amazon.com for example, you really do want to be sure who the other end is that you are talking to.
The weakness of this is that anyone, especially TLAs, could easily execute a MITM attack. You think you're talking to Facebook, and your traffic really is encrypted, but you are really talking to a different server that in turn makes your requests to the real Facebook, and relays the replies from it.
Without certificates to prove identity, mere encryption gives a pretty weak assurance of privacy, and in fact creates an illusion of strong privacy.
But TLAs need only compromise one of the hundreds of Certificate Authorities. All they need is for some CA to give the TLA a signing certificate for, say, Google. Then they can do the MITM attack.
Back in the day when there were only about four CAs (certificate authorities), it was easy to trust them. Or at least easier. Today with hundreds, do you really trust every CA?
If you browse to Google, and the certificate is a genuine Google.com certificate, but it was issued by the certificate authority "Honest Achmed's Trusty Certificates of Tehran Iran", then what do you think? Do you really think Google bought its certificate from Honest Achmed's?
On the post: EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'
Browsers and Certificate Authorities
Internet Browsers (FireFox, Chrome, Safari) and aspiring Internet Browsers (IE) have a list of certificates they trust.
The organizations that create browsers and wannabe browsers decide for themselves which root certificates they trust. Or more importantly which Certificate Authorities (CAs) they trust.
The requirements to get a certificate depend on the policies of the CA.
Of course, to get included in the trusted roots of the major browsers, and browser wannabe, a CA has to jump through all of the hoops that each organization has for inclusion in its browser. It's way more complex than this, but simply, these requirements ensure that browsers only trust certificates issued by CAs that you would want to trust.
In general, a certificate merely indicates that it really is for the domain name you typed into the address bar. For example, the certificate from Amazon.com ensures that (as long as you trust the root CA who signed it) this certificate really is from Amazon.com. The CA who signed it is certifying that the certificate wasn't just handed out willy-nilly to just anyone off the street who wanted a certificate that says "Amazon.com".
Some CAs offer various levels of assurance of the identity of who the certificate is issued to. But at the most basic level, it is ensuring that the server that answered your SSL connection is one that holds the certificate.
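The two comments above (encryption without identity, and how the browser root store decides which CAs are trusted) are modelled in the following Python script. It is an added example, not code from the original comments or from the EFF project the post is about. It assumes textbook RSA over fixed Mersenne primes as a stand-in for a real CA signature, invented CA names ("Big Trusted Root", "Honest Achmed's Trusty Certificates"), and a constructed scenario in which both roots ship in the browser and an interceptor holds a certificate for the same hostname from the second root; nothing in it is real X.509 or secure.

```python
"""Toy model of certificate trust: why encryption alone does not give identity,
why the browser root store decides whom you trust, and what an issuer pin adds.

Added example, not code from the original comments.  Signatures are textbook RSA
over fixed Mersenne primes so the whole check fits on one screen; the CA names,
keys and scenario below are constructed.  Nothing here is real X.509 or secure.
"""
import hashlib
import json

E = 65537  # public exponent; coprime to the (p-1)(q-1) values used below


def make_ca(name, p, q):
    """Build a toy CA keypair from two fixed primes (constructed, not a real CA)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"name": name, "n": n, "d": pow(E, -1, phi)}


def _digest(subject, issuer, server_key, n):
    """Hash of the signed fields, reduced into the CA's modulus."""
    payload = json.dumps([subject, issuer, server_key]).encode()
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def issue(ca, subject, server_key):
    """The CA signs a certificate binding a domain name to a server key."""
    h = _digest(subject, ca["name"], server_key, ca["n"])
    return {"subject": subject, "issuer": ca["name"], "server_key": server_key,
            "sig": pow(h, ca["d"], ca["n"])}


def signature_valid(cert, ca_modulus):
    """Verify with the CA's public key (E, n): sig^E mod n must equal the digest."""
    h = _digest(cert["subject"], cert["issuer"], cert["server_key"], ca_modulus)
    return pow(cert["sig"], E, ca_modulus) == h


def connect_encrypted_only(cert):
    """Mode 1, 'HTTP but encrypted': accept whatever key the peer presents.
    The channel is encrypted, but to an interceptor's key just as readily."""
    return cert["server_key"]


def connect_with_roots(cert, hostname, roots):
    """Mode 2, browser-style: name must match, issuer must be a shipped root,
    and the root's signature must verify.  roots maps CA name -> modulus."""
    if cert["subject"] != hostname:
        raise ValueError("name mismatch")
    if cert["issuer"] not in roots:
        raise ValueError("untrusted issuer")
    if not signature_valid(cert, roots[cert["issuer"]]):
        raise ValueError("bad signature")
    return cert["server_key"]


def connect_with_pin(cert, hostname, roots, expected_issuers):
    """Mode 3: everything in mode 2, plus the site must come from the issuer we
    expect for it (the 'would Google really buy from Honest Achmed?' check)."""
    key = connect_with_roots(cert, hostname, roots)
    allowed = expected_issuers.get(hostname)
    if allowed is not None and cert["issuer"] not in allowed:
        raise ValueError(f"unexpected issuer {cert['issuer']!r} for {hostname}")
    return key


def outcome(fn, *args):
    """Run a connection attempt and report the accepted key or the rejection."""
    try:
        return fn(*args)
    except ValueError as err:
        return f"REJECTED: {err}"


# Constructed scenario: two roots the browser ships, the real site's cert, and an
# interceptor holding a cert for the same name from a different (trusted!) root.
GOOD_CA = make_ca("Big Trusted Root", 2**61 - 1, 2**89 - 1)
ACHMED_CA = make_ca("Honest Achmed's Trusty Certificates", 2**107 - 1, 2**127 - 1)
ROOTS = {ca["name"]: ca["n"] for ca in (GOOD_CA, ACHMED_CA)}
PINS = {"google.com": {"Big Trusted Root"}}  # the issuer we expect for this site

REAL_CERT = issue(GOOD_CA, "google.com", "server-key-real")
MITM_CERT = issue(ACHMED_CA, "google.com", "server-key-interceptor")
FORGED_CERT = dict(MITM_CERT, issuer="Big Trusted Root")  # issuer relabelled, sig stale

if __name__ == "__main__":
    print("encrypted only, interceptor cert:", outcome(connect_encrypted_only, MITM_CERT))
    print("root store, real cert:           ", outcome(connect_with_roots, REAL_CERT, "google.com", ROOTS))
    print("root store, interceptor cert:    ", outcome(connect_with_roots, MITM_CERT, "google.com", ROOTS))
    print("root store, forged issuer:       ", outcome(connect_with_roots, FORGED_CERT, "google.com", ROOTS))
    print("pinned issuer, interceptor cert: ", outcome(connect_with_pin, MITM_CERT, "google.com", ROOTS, PINS))
```

Mode 1 is the "encrypted HTTP" the first comment proposes: it hands back the interceptor's key without complaint. Mode 2 is what the second comment describes, and it shows the weakness both comments point at: a signature forged under a relabelled issuer is caught, but a genuine certificate for google.com from any root in ROOTS is accepted, because a root store says nothing about which CA a particular site actually uses. Mode 3 adds the missing piece, an expectation about who the issuer should be, which is the idea behind public-key pinning and, in a more auditable form, Certificate Transparency logs.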
On the post: Selling Fear: The First US School Installs A Shooting Detection System
Is this really the best use of taxpayer money?
Are school shootings really our number one concern? What about sexting? Wouldn't it be a better use of taxpayer resources to set up fake stingray cell phone spoofers in all schools and residential areas near schools in order to find and prosecute kiddies who engage in sexting?
Oh, wait. Never mind.
We don't have to give up on one for the other. We can spend money on both shooting detection systems and stingray systems to find sexters.
And as a bonus, the stingray systems can also find if kids say unkind things about teachers or school faculty so that they can be punished.
OK, carry on.
On the post: UK's Home Secretary Says Terrorists Will Be The Real Winners If Country's Cell Coverage Dead Zones Are Fixed
Carry this to its logical conclusion
It's a sacrifice everyone should be proud to make.
(meanwhile terrorists communicate via other methods)
On the post: Roca Labs Issues Bogus DMCA Takedown Notices To Google To Try To Hide PissedConsumer Reviews
Fits Roca's pattern?
Could Roca get that penalty of perjury thing for misuse of the DMCA?
On the post: AT&T Pouts, Freezes Mostly Bogus 'Fiber To The Press Release' Deployments In Net Neutrality Bluff
AT&T just proved the need for Net Neutrality
AT&T is basically saying that if they can't charge money to unfairly prioritize traffic that is already paid for, then they won't build out their network.
AT&T here is a free clue. You are supposed to build out your network and then charge what it costs to operate, plus a profit. That is also what everyone else is supposed to do. To compete in the market you can:
1. have better service than competitors by having a better network
2. have lower prices than competitors by reducing either or both the 'cost to operate' part or the 'profit' part
3. have better customer service than competitors by not using barely conscious drones to answer customer calls
If you can't outcompete your competitors doing exactly this, then you don't deserve to be in business.
On the post: Germany's Top Publisher Admits Its Web Traffic Plummeted Without Google; Wants Politicians To 'Take Action'
Re: They are profitable so they must be evil!
IBM is big too.
What they care about is that Google is making money like crazy, and they wish they had some of it. So they whine that Google isn't paying them to drive customers to their site.
On the post: Hillary Clinton Still Refuses To Make Her Views Clear On Surveillance, And That's A Problem
Her views are clear
On the post: Chicago Transit Cops Start Up Their Own Security Theater, Will Start Randomly Swabbing Bags For Explosive Residue
Remember this
It will happen.
On the post: Germany's Top Publisher Admits Its Web Traffic Plummeted Without Google; Wants Politicians To 'Take Action'
Re: Geez.
But think how much happier you would be if Google paid you, and was required to pay you, for sending users to your site and making you happy.
On the post: US Solicitor General, Don Verrilli, Tells Supreme Court That Of Course You Can Infringe On An Invalid Patent
Re:
Wrong. Plaintiffs with invalid patents DO NOT first prove infringement. That is the one thing that they want to stay far away from. Ideally they want to also stay far away from a courtroom.
On the post: US Solicitor General, Don Verrilli, Tells Supreme Court That Of Course You Can Infringe On An Invalid Patent
Fantastic news!
Now the USPTO can continue issuing invalid patents.
This saves huge taxpayer resources by easing the patent examination process. Just drop patent applications into a room full of cats with PATENT GRANTED stamps affixed to their feet.
On the post: HBO Decides It's Finally Time To Go It Alone
Re: Net Neutrality
I would just love to see them try. Or even actually do it. It would be a move worthy of Prenda. Or Righthaven.
Maybe Comcast should try blocking both HBO and Netflix. Redirect you to a protest page to support your local cable company.
On the post: Police Departments Skirting Public Accountability By Using Private Foundations To Obtain Controversial Surveillance Technology
Re:
> any and all donations to the police be posted
What! Are you trying to help the terrorists? Sensitive information like this needs to be kept private.
On the post: In A First, Commerce Department Fines Intel Subsidiary For Exporting Encryption
Re: Silver lining of sorts
On the post: In A First, Commerce Department Fines Intel Subsidiary For Exporting Encryption
Memories from the cryptowars
You could not export research or know-how about cryptography. New algorithms. Etc. But especially source code.
(Is source code to a computer program a munition? Really? Does smoking marijuana one time really turn you into a deranged insane monster?)
A point of discussion was: could you travel out of the country with a book? What about a book about cryptography which contained printed source code in its pages? Does our democracy believe in open borders and freedom of travel? Is the government censoring books? Or restricting the reading of books to citizens of the US but others should not be permitted to read certain books or study certain technical subjects?
Here is one other thing from memory. The author of Applied Cryptography wrote something prophetic. Remember he's writing this in the 1990s. It's on about page 99 or 100. (Sorry, this is purely from memory!) The author is discussing the restrictions on cryptography and expands on how the government could remove a lot of our freedoms. He speculates on how this could happen, for example, if there were a major attack, say, on New York. It's not that it was so difficult to see that a terrorist attack could happen in New York. But to recognize how our freedoms could start being removed for false security was insightful, IMO. And actually just a bit unbelievable at the time.
On the post: HBO Decides It's Finally Time To Go It Alone
The Future, Streaming, Cord Cutters -- Just A Reminder
Disney Chooses Netflix As Its Exclusive Distributor Beginning In 2016
From TechDirt's Christmas past. (Wed, Dec 5th 2012 2:51pm)
On the post: Police Departments Skirting Public Accountability By Using Private Foundations To Obtain Controversial Surveillance Technology
Re: Re: It should be simple
They need to figure out a way to avoid public accountability about which laws the police enforce!
Also, they need to 'work with' legislators to avoid public disclosure of what the laws actually are.
Having all this information in the public would only help the terrorists. And pirates.
On the post: City Of London Police Drove 200 Miles To Arrest And Jail 'Industrial' Level Pirate... Only To Have Case Fall Apart And All Charges Dropped
Some simple reasoning is required here
We noted in August that they had arrested the operator of an anti-censorship proxy service, almost entirely based on the say-so of the entertainment industry.
Look, you're not following their chain of 'reasoning'.
1. Copyright IS Censorship. [Axiom]
2. Therefore an Anti-Censorship site is an Anti-Copyright site. [From step 1.]
3. Anti-Copyright == Piracy! (and Terrorism!). [Copyright maximalist sacred scrolls, ch.666 v.42]
4. Therefore an Anti-Copyright site is a Piracy site. [From step 3.]
5. Therefore an Anti-Censorship site is a Piracy site. [From step 2 followed by 4.]
I rest my case. The operators of an Anti-Censorship site should be subject to capital punishment. See how simple that was?
Since terrorism and piracy are involved [From step 3.] no expense should be spared. No laws, facts or common sense should stand in the way.