Slashdot: News for Nerds

Comments


Firefox 29 Beta Arrives With UI Overhaul And CSS3 Variables

Richard_J_N Re:CSS variables? (256 comments)

Personally, I found that dynamically generating my CSS from PHP is the solution. It's easy to understand, easy to write, cross platform, and (using the etag trick), has good performance and bandwidth use.

So I have a bunch of rules like this:
echo "body{ height:100%; background: $colour_body_bg; font-family: $fontface_body; color: $colour_body_text}\n";
Even better, I can support slightly different versions of the stylesheet by linking to "style.php?style=theme_name".

Then, to handle performance and bandwidth, I use etags. The browser will always cache this document at least 10 minutes. After that, it will check for a newer version, but the server will usually reply with 304 (unchanged).
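// Validators: the script's own mtime and an MD5 of its contents
$last_modified_time = filemtime(__FILE__);
$etag = md5_file(__FILE__);
header("Last-Modified: ".gmdate("D, d M Y H:i:s", $last_modified_time)." GMT");
header("Etag: $etag");
// The conditional headers are absent on a first request, so default them to ''
if (@strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '') == $last_modified_time ||
        trim($_SERVER['HTTP_IF_NONE_MATCH'] ?? '') == $etag) {
        // The browser's cached copy is still current: send no body
        header("HTTP/1.1 304 Not Modified");
        exit;
}
// Otherwise serve the stylesheet, cacheable for 10 minutes
header("Cache-Control: max-age=600");
header("Content-type: text/css");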

about 4 months ago
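
An added example, not part of the comment above and not Richard_J_N's code: one way to serve `style.php?style=theme_name` so that the request parameter is only ever used as an allow-list key, with the ETag computed from the CSS actually sent. The theme names and colour values are constructed for illustration.

```php
<?php
// style.php (added example). Theme names and values below are constructed.
$themes = [
    'default' => [
        'colour_body_bg'   => '#ffffff',
        'colour_body_text' => '#222222',
        'fontface_body'    => 'sans-serif',
    ],
    'dark' => [
        'colour_body_bg'   => '#111111',
        'colour_body_text' => '#eeeeee',
        'fontface_body'    => 'sans-serif',
    ],
];

// Allow-list lookup: the request value is only compared against known keys.
// It is never interpolated into a file path or into the CSS output.
$requested = $_GET['style'] ?? 'default';
$name = (is_string($requested) && isset($themes[$requested])) ? $requested : 'default';
$t = $themes[$name];

$css = "body{ height:100%; background: {$t['colour_body_bg']}; "
     . "font-family: {$t['fontface_body']}; color: {$t['colour_body_text']}}\n";

// ETag derived from the bytes served, so each theme has its own validator
// and a change to a theme's values invalidates cached copies.
$etag = '"' . md5($css) . '"';

header('Content-Type: text/css');
header('Cache-Control: max-age=600');
header("ETag: $etag");

// Exact match only; If-None-Match lists and W/ prefixes are not parsed here.
$if_none_match = trim($_SERVER['HTTP_IF_NONE_MATCH'] ?? '');
if ($if_none_match !== '' && $if_none_match === $etag) {
    http_response_code(304);
    exit;
}

echo $css;
```

An unknown or malformed `style` value falls back to the default theme rather than producing an error or reaching the output.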

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Richard_J_N Re:Why is this legal? (572 comments)

That would be ideal, but it requires elevated privileges (no idea why that should be). So I'd have to put it in a Firefox extension.

I'm trying to protect normal users who may not be aware that their employer is MITMing them by providing them with a web browser which has been misconfigured into trusting the cert of an SSL proxy appliance.

about 5 months ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Richard_J_N Re:Why is this legal? (572 comments)

How does DNSSEC help?

I'd like (ideally) to write a PHP script that would detect when my users are on "compromised" machines, and warn them.
What I want is to write some JavaScript that would send back to the server what the client *thinks* is my certificate fingerprint.

about 5 months ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Richard_J_N Why is this legal? (572 comments)

As the operator of the webserver, I certainly don't consent, even if the employee had no choice.
Is there any way to detect this server-side?

about 5 months ago

Most Alarming: IETF Draft Proposes "Trusted Proxy" In HTTP/2.0

Richard_J_N Re:Hidden problems with proxies (177 comments)

Why? If the connection is being MITMd, then both sides need to be able to figure this out.
There was a long discussion on this (regrettably rejected by the browser vendor) to allow the SSL fingerprint to be obtained in JS. That would make it reasonably easy for the site operator to verify that the SSL cert hadn't been tampered with. (Of course, a really evil proxy can scan for the JS, but that game of whack-a-mole is usually easier for the good guys to win, at least sometimes).

about 5 months ago

Most Alarming: IETF Draft Proposes "Trusted Proxy" In HTTP/2.0

Richard_J_N Re:Hidden problems with proxies (177 comments)

As a website operator, I want to know if my content is being MITMd en route to the user. I know about the SSL fingerprint trick that lets a really technical user discover proxying, but I want to automate this process server-side, and stick up a big banner to say "Your employer is snooping on this connection, please log in from a trusted machine" (and then I'll prevent the user from logging in).

about 5 months ago

Ubuntu 14.04 Brings Back Menus In Application Windows

Richard_J_N Merge window buttons and menu bar? (255 comments)

I've never understood why we can't get the window-manager and the application to play nice, and share one bar. Usually, there's plenty of space horizontally, and too little vertically. So, why not have the combination of:
[icon] File Edit View History Bookmarks Tools Help ....... "The window title goes here" ....... _ [] X

about 5 months ago

Nokia Turns To Android To Regain Share In Emerging Markets

Richard_J_N Re:...and the high end? (146 comments)

Of course, but the consumer could then have their favourite OS and phone. For example, I might like a Nokia running Android, while someone else might prefer an S5 with Windows. (What I really want is an iPad with Lubuntu).

about 5 months ago

Nokia Turns To Android To Regain Share In Emerging Markets

Richard_J_N Re:...and the high end? (146 comments)

But a dual-boot phone, especially if it shipped with both, would be widely liked, I think.

about 5 months ago

Nokia Turns To Android To Regain Share In Emerging Markets

Richard_J_N Re:...and the high end? (146 comments)

True, but how many consumers would like a phone that can run their choice of OS? I certainly would.
If necessary, I'd even pay for MS as long as I don't have to use it. (as with almost all laptops)

about 5 months ago

Nokia Turns To Android To Regain Share In Emerging Markets

Richard_J_N ...and the high end? (146 comments)

If I can get a high-end Lumia and have Android, that would be amazing.

about 5 months ago

California Bill Proposes Mandatory Kill-Switch On Phones and Tablets

Richard_J_N Just require decent service from the police. (341 comments)

I've found twice now that, on reporting stolen devices (to the UK police), even if we know exactly where they are (trackers, phone home etc), there's no way to get the police to react (promptly) to go and get it back. If the police would quickly go and retrieve stolen devices, the problem would vanish.

about 6 months ago

Adware Vendors Buying Chrome Extensions, Injecting Ads

Richard_J_N Is Firefox safer? (194 comments)

Specifically, can we assume that any extension loaded into Firefox via the official extensions repository, is open-source, and that someone from Mozilla is checking the extension before an update is released?

about 6 months ago

CyanogenMod Integrates Text Message Encryption

Richard_J_N Key distribution and metadata? (118 comments)

I looked at this, and there are 2 things I can't understand:

1. How does key distribution work? Even public-key crypto of this type doesn't necessarily work if there is a man in the middle.
2. How is metadata protected? For an SMS, often the timestamp and sender/recipient pairing is as revealing as the message content.

about 8 months ago

Ask Slashdot: Best FLOSS iTunes Replacement In 2013?

Richard_J_N iPad sync? (317 comments)

For Linux users, is there any way to replace the iTunes functionality to get music and photos onto an iDevice, and have it properly recognise the library?
I only use Linux, but have an iPad3. I have mediocre photo functionality[1] via a jailbreak, but am still stuck with only one folder and no sub-folders. As for getting music on there (especially .ogg), forget it.
[1] http://www.richardneill.org/stotbig#ipad

about 8 months ago

Ask Slashdot: Best FLOSS iTunes Replacement In 2013?

Richard_J_N Re:Clementine Player (317 comments)

I agree. Clementine just works, and stays out of your way otherwise. It responds quickly to external changes to the library (using inotify).
For me, my music collection is a set of well-ordered files/directories, each with a .m3u playlist and appropriate tags. (The Unix "everything is a file" approach works well here). Then the music player is just for playback, for playing them, and not for editing tags (use easytag), ripping CDs (a shell-script), nor for buying music (CD store).

about 8 months ago

Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know?

Richard_J_N Re:Getting the fingerprint in JS (233 comments)

If we're talking about the Great Firewall of China, you're right. BUT most corporate proxies run fairly standard software, and only update it every few months (if that). So, there's a pretty good chance of my getting the JS through the first time, and of the vendor taking a long time to work around it (if they ever do). Yes it's cat and mouse, but there are a lot of mice with different strategies, the cat isn't very quick, and as long as the mouse gets through once, it's enough to let the user know he's being snooped on.

about 10 months ago

Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know?

Richard_J_N Re:Getting the fingerprint in JS (233 comments)

Hashing it won't help - I want to inform the user that their data is being intercepted, not that it's being corrupted.

about 10 months ago

Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know?

Richard_J_N Getting the fingerprint in JS (233 comments)

I operate a webserver, and I'd like to protect my users against SSL proxying. At the moment, all I can do is tell them to check my key's fingerprint against what the browser shows. But I'd really like to do this in JS. Is there any way to use JS to get the fingerprint string (that I can see by clicking on the padlock icon)? Then I could send that back to the server (from JS), and check if it's been tampered with.

(A really effective evil proxy would be able to defeat this, but most corporate proxies aren't going to be able to parse my own JS and work out precisely how to transparently defeat it).

about 10 months ago

Lord Blair Calls for Laws To Stop 'Principled' Leaking of State Secrets

Richard_J_N Re:Government vs terrorists (395 comments)

I think I'd go for the exact opposite argument: that public-interest should be a valid defense to breaking the Official Secrets Act.

about a year ago

Submissions

Richard_J_N hasn't submitted any stories.

Journals

Richard_J_N has no journal entries.
