Comments

Mozilla Is Working On a Firefox OS-powered Streaming Stick

Dagger2 Re:I've got a great idea! (89 comments)

I was assuming that the 32-bit plugin process could be a lightweight shim. I doubt it'd need 64-bit versions of all 54 MB of the dlls that Firefox ships with.

about a month ago

Mozilla Is Working On a Firefox OS-powered Streaming Stick

Dagger2 Re:I've got a great idea! (89 comments)

This sounds like an actual use for that stub installer that you serve by default to Windows users. Just have it pick which version to download.

about a month ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:If only Windows supported IPv6 (250 comments)

By "full", I mean that it can do DNS. Windows not supporting RDNSS doesn't mean that you have to set the server manually; you can set it automatically.

I'm not really a fan of RDNSS; it puts host config into RAs with no clear guidelines as to which config options ought to be in them. (Why do we only put DNS info in there, and not all the other things you can configure?) But I'm not arguing that MS shouldn't support it, I'm just pointing out that Windows isn't so incapable that it has no way of setting DNS servers automatically.

(As an aside, Windows will also configure a default set of DNS servers if you have no other v6 servers configured, so if you're doing a v6-only network and you really don't want to run stateless DHCPv6 for some reason and the only thing you wanted to set was the DNS servers, you could just add fec0:0:0:ffff::{1,2,3} to your DNS server and Windows would work fine.)

about a month ago

Restored Bletchley Park Opens

Dagger2 Re:When nobody thought of privacy (51 comments)

Plus no difference at all between listening to everything you could in the 40s (comparatively not much) and recording what's useful, vs recording everything.

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:If only Windows supported IPv6 (250 comments)

You also said they can't transition to v6 because their own OS doesn't support it, which isn't true. It's supported full automatic configuration of v6 network details out of the box since Vista in 2006, which is a lot longer than most Linux distros have been doing it. I believe Debian only started doing that last year, and I'd be unsurprised if there were still major distros that didn't.

I wish I could find the discussions they must have had at the time about RAs... I assumed there would be mailing list archives or somesuch but I haven't managed to find anything. I guess the logic was that DNS info (or other host config) doesn't belong in RAs, because RAs are broadcasts sent by routers (plural, potentially) to announce network layout. That doesn't match up with the requirements for host config parameters, where you need a single authoritative source and you need the ability to receive machine IDs from clients so you can give out per-machine config settings.

(Of course we haven't really stuck with that logic, since people argued that they didn't want to run DHCPv6 just for DNS, so DNS info was added to RAs. Then other people argued they didn't want to run DHCPv6 just for DNS search domains, so that was added too. Where does it stop, I wonder...)

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:cloud networking (250 comments)

It's not that hard, but it's not that easy either. It's far simpler without NAT, where you just connect to the machine.

Also it suddenly gets very, very hard when your ISP puts you behind their own NAT, so you don't even have a "public IP" for your laptop to connect to.

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:Hoarders! (250 comments)

Um, no. We're running out of addresses because we don't have enough addresses.

(And to address some of the other misunderstandings: ARIN still have a v6 printing press, v6 doesn't magically expose everything to the entire WWW, you can still run a central firewall in v6 (just without NAT, thankfully) and your IPs won't require memorizing 128 bits unless you're dumb enough to pick an address that uses all 128 bits, in which case you don't get to complain about it).

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:Where is IPv7? (250 comments)

v6 doesn't require you to memorize 8 groups of 4 letters. You can put v6 addresses into /etc/hosts to avoid having to remember them... and if you find that syncing a huge /etc/hosts file around is a pain, then it also supports that newfangled "DNS" thing to save you the effort.

Plus you can set any bits in your allocation to zero, and your allocation should be at least /56 or so, which means the number of bits you actually have to remember is about the same as in the v4 case (where you have to remember a 32-bit RFC 1918 IP plus the 32-bit global IP), so it's not really any worse than the current situation.

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:There's already a solution for this that's not (250 comments)

That's an odd definition of "already", given that it came years and years after v4 was extended to 128 bits. Also the 128-bit version is actually big enough to handle the number of hosts we need it to handle, and it has far wider support and deployment than that 64-bit extension.

So really, there's no point in it.

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:"almost inexhaustible number" (250 comments)

No we won't. Anybody who thinks this doesn't understand how large 2^128 is.

(If you disagree with me, try to back it up with actual numbers.)

about a month and a half ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

Dagger2 Re:If only Windows supported IPv6 (250 comments)

Except it can, because it supports stateless DHCPv6 (unless you're on XP).

about a month and a half ago

Firefox 30 Available, Firebug 2.0 Released

Dagger2 Re:I wonder what version we'd actually be at... (270 comments)

Because it's now being aimed very explicitly at people too dumb to figure out how to use a browser, and they're deliberately dropping anything that requires any thought to figure out. That was not the case previously. Is it such an unreasonable stretch of the imagination that somebody that picked a browser that catered for users with a brain cell might be unhappy at being moved to a browser that alienates such users?

(Also there's an ongoing and very serious effort to trash system themes and go their own way. If you decided to install Camino, would you have been very happy at being silently moved to upstream Firefox?)

But hey, sure, the back button's a circle. Totally the problem.

about a month and a half ago

Firefox 30 Available, Firebug 2.0 Released

Dagger2 Re:Memory usage fixed? (270 comments)

Ah, that's unfortunate. It's been causing lots of random crashes in GC-related functions for some people, so disabling it could've been an easy fix. And as you say, it's unlikely your hardware went bad at exactly the time you upgraded (although it's possible for new versions of software to reveal existing problems).

The only other great idea I have, if you haven't tried it already, is to disable hardware acceleration. It's possible your previous drivers were blacklisted (disabling acceleration) and the new ones aren't, but ought to be for whatever reason (flaky GPU hardware being one possibility).

about a month and a half ago

Firefox 30 Available, Firebug 2.0 Released

Dagger2 Re:Please, please just stop... (270 comments)

Who will want to use a browser that the loyal fans seem to hate?

Well, exactly. And whose fault is it that loyal fans hate it?

about a month and a half ago

Firefox 30 Available, Firebug 2.0 Released

Dagger2 Re:I wonder what version we'd actually be at... (270 comments)

1.1.

Australis is such a big change in direction that the browser Mozilla currently releases as "Firefox" shouldn't be treated as a new version of the browser Mozilla used to release as Firefox, but rather as a fork. (Which, yes, implies that users shouldn't have been silently moved from one to the other -- that's something those users should've had to actively choose to do.)

about a month and a half ago

Firefox 30 Available, Firebug 2.0 Released

Dagger2 Re:Memory usage fixed? (270 comments)

Do you, by any chance, have HTTPS Everywhere installed?

If so you might want to try disabling it.

about a month and a half ago

Google Starts Blocking Extensions Not In the Chrome Web Store

Dagger2 Re:Firefox FTW! (225 comments)

In fairness, Mozilla's plan doesn't involve uploading to AMO, it involves uploading to a private repository of extensions. So rather than the entire public getting access to the extension, only Mozilla does.

It still has the potential to make developing, or at least testing, a pain in the neck though. Click through a prompt on every restart to stop programs from silently setting the pref that turns checking off? No thanks.

about 2 months ago

One Month Later: 300,000 Servers Remain Vulnerable To Heartbleed

Dagger2 Re:Let me expose my ignorance... (60 comments)

As I understand this, a vulnerable server can expose its private SSL key to an attacker. With this private key, I can decrypt all of its encrypted SSL traffic.

As already mentioned, it's anything in the server's memory. Or the client's, since Heartbleed affects clients too.

Now, as I understand this so far, having the private key is great, but I need to be able to MITM the connection to decrypt anything.

It depends whether the connection is using perfect forward secrecy or not. If it's using PFS, then you need an active MITM to grab the session keys, so you can't decrypt old captured traffic and you need to keep your MITM up for new traffic. If there's no PFS, then all traffic ever sent with a given SSL cert can be decrypted with access to that cert's private key. All you need is to passively sniff it, then store it for later on the off-chance you ever get (or crack) the key.

(I'm going to write a small essay on this, because it's important but very poorly documented on the web.)

Given that, you'd think PFS would be common, but according to this study it's only available on 60-70% of web servers (they don't give a precise number, just 60% that support DHE and 18% that support ECDHE, but those two sets overlap), of which 80% prefer to use cipher suites without PFS, so about half of webservers either don't support PFS or typically won't use it. Slashdot doesn't, for example. Neither does microsoft.com. I guess that's just the homepage, but then windowsupdate.microsoft.com doesn't use it either. It's not supported on outlook.com's web, IMAP, POP3, or SMTP servers. addons.mozilla.org and marketplace.firefox.com also join the club, but their main website and the Firefox update sites do PFS at least. I couldn't find a Google property that didn't do PFS.

And on top of that, of those sites that do use it, 99.3% use 1024-bit DH parameters, which essentially lowers the length of their RSA keys to 1024 bits (which affects the 80% of sites with 2048-bit or longer RSA keys).

If you want to make sure you're actually using PFS, and with decent DH parameters, you generally need to make sure to configure it. Apache does this for you automatically from 2.4.7 onwards (before that, it'll use PFS but only with 1024-bit DH parameters). A lot of other software requires being fed DH parameters manually -- for instance, Courier's IMAP/SMTP servers, ZNC, ircd-hybrid etc. (And when was the last time you configured DH parameters for a server?)

You can check if any given connection supports PFS by looking at the cipher suite in use. If it starts with DHE or ECDHE, it has PFS. (The "E" at the end stands for ephemeral; if it says DH, ECDH, or doesn't mention either of those, then there's no PFS). You can check with e.g. CipherFox in Firefox, or using the openssl command-line tools:

$ openssl s_client -connect www.debian.org:443 | grep Cipher
        Cipher : DHE-RSA-AES256-GCM-SHA384

If you point it at servers you use regularly, you'll probably be pretty depressed at the results. I know I was when I was making that list above...

about 3 months ago
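Scripting the check described in the comment above, as an added example that is not part of the original post: it applies the DHE/ECDHE prefix rule to the Cipher line of `openssl s_client` output, and also reads the `Server Temp Key` line that newer OpenSSL builds print, so the 1024-bit DH parameter problem the comment mentions can be flagged as well. The sample outputs below are constructed, not captured from the servers named above.

```python
import re

# Constructed samples in the shape of `openssl s_client -connect host:443` output,
# trimmed to the lines this check looks at.
SAMPLE_PFS_GOOD = """\
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_PFS_WEAK_DH = """\
Server Temp Key: DH, 1024 bits
    Cipher    : DHE-RSA-AES128-SHA
"""
SAMPLE_ECDHE = """\
Server Temp Key: ECDH, P-256, 256 bits
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_NO_PFS = """\
    Cipher    : AES256-SHA
"""

def has_pfs(cipher):
    """The rule from the comment: an ephemeral key exchange (DHE or ECDHE, the
    trailing E) means forward secrecy; plain DH/ECDH or RSA key exchange does not.
    Accepts both OpenSSL names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...)."""
    return re.match(r"^(?:TLS_)?(?:EC)?DHE[-_]", cipher) is not None

def assess(s_client_output, min_dh_bits=2048):
    """Summarise one s_client session: negotiated suite, PFS, and finite-field DH size."""
    cipher, temp_key = None, None
    for line in s_client_output.splitlines():
        m = re.match(r"\s*Cipher\s*:\s*(\S+)", line)
        if m:
            cipher = m.group(1)
        m = re.match(r"\s*Server Temp Key:\s*(.+)", line)
        if m:
            temp_key = m.group(1).strip()
    if cipher is None or cipher == "0000":
        raise ValueError("no cipher negotiated (handshake failed?)")
    dh_bits = None
    if temp_key is not None and temp_key.startswith("DH,"):
        dh_bits = int(re.search(r"(\d+) bits", temp_key).group(1))
    # Only finite-field DH parameters are compared against the threshold; an ECDH
    # curve such as P-256 is reported by its own bit size and not flagged here.
    weak_dh = dh_bits is not None and dh_bits < min_dh_bits
    return {"cipher": cipher, "pfs": has_pfs(cipher), "dh_bits": dh_bits, "weak_dh": weak_dh}

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_PFS_GOOD), ("weak dh", SAMPLE_PFS_WEAK_DH),
                         ("ecdhe", SAMPLE_ECDHE), ("no pfs", SAMPLE_NO_PFS)]:
        print(name, assess(sample))
```

To run it against a live server, pipe `openssl s_client -connect host:443 </dev/null` into `assess()`.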
