Posted on 20-01-24, 01:43 in FUCK hsts (revision 1)
Custom title here

Post: #821 of 1164
Since: 10-30-18

Last post: 72 days
Last view: 19 hours
Posted by sureanem
How is this functioning as intended? You make some trivial mistake in the configuration and your site breaks. How can it ever be acceptable for a piece of software to disregard my explicit wishes?

That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

It is like XHTML, only people like it because it is no harder to implement and makes Google happy, whereas XHTML is hard for them to implement because they suddenly have to actually know what they're doing and stop pasting broken code for the browser to sort out for them.
It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?

--- In UTF-16, where available. ---
Post: #822 of 1164
Or do you just want to give them a BFG and a lot of targets to kill with it?

--- In UTF-16, where available. ---
Post: #823 of 1164
Posted by tomman
If boomers are made by Toyota, we're in deep trouble then.

I've seen how much abuse a Toyota can withstand. Those things literally run FOREVER, yo.

Genom Corp.

They're still pretty damn tough, though maybe not Toyota-tough.

--- In UTF-16, where available. ---
Posted on 20-01-24, 03:42 in FUCK hsts
Post: #824 of 1164
Posted by sureanem

Posted by CaptainJistuce

That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name. HTTP Strict Transport Security.

Yeah but that doesn't make it any less of a stupid idea. Lighting a million dollars on fire is a stupid idea, but pointing out that the intent was to make a lot of money go up in smoke doesn't solve this problem.

Like, if the idea was that if you use HTTPS and get a warning you can click through it, but with HSTS you have to click through it really hard, or go to about:config or whatever, I wouldn't have a problem. Then we still preserve the user-agent property of the browser. It should follow my orders, not smugly tell me how it's a broken piece of shit by design.

The idea is that this is a transaction that absolutely needs to be secure. There needs to be as much assurance as possible there are no TLS downgrade attacks, no man-in-the-middle eavesdropping, no suspicious behavior at all. Any suspicious activity is immediate grounds for terminating the connection, because if the connection cannot be trusted, then no transaction should take place. Surely, someone as security-minded as you profess to be would be GRAVELY CONCERNED that there are HTTPS errors in the first place.

The problem is not "HSTS works as advertised", it is misuse of a good feature. Google is punishing EVERYONE for not enabling HTTPS when their website does not need HTTPS, then punishing them AGAIN for not enabling HSTS when their website does not need HSTS.

I'd also argue that browsers are moving towards preventing ANY overrides of HTTPS issues. They've already placed big scary doom warnings and hid the option to override so you have to click more buttons to show the option before you can begin the override. So place your flag not in "HSTS works as advertised", but at "all HTTPS transactions are moving towards being treated as if they were HSTS transactions".

And to be blunt, I question why HTTPS errors were ever allowed to be ignored at all. If you believe your connection needs to be secure, you should refuse to allow an insecure connection.
Were I writing the spec, I would require both ends of the transaction to terminate the connection if there was an HTTPS error. If the client software is out of spec and attempts to continue the transaction anyways, it doesn't matter because the server software slammed the door in their face. HSTS wouldn't even exist, because regular HTTPS would already do more.

--- In UTF-16, where available. ---
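As an added illustration of the client-side behaviour argued over above (not code from the thread or from any browser), a minimal model of how a user agent applies a Strict-Transport-Security policy: the header is only honoured on a clean HTTPS response, http:// navigations to a known host are rewritten to https:// before anything is sent, and a certificate error on a known host is fatal rather than click-through. The class and function names and the hosts used in the checks are assumptions.

```python
# Added example: a minimal model of browser-side HSTS handling (RFC 6797); names are assumptions.

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if malformed or no max-age."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # a malformed header is ignored as a whole
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Maps host -> (expiry time, includeSubDomains flag)."""
    def __init__(self):
        self.policies = {}

    def record(self, host, header, now, secure):
        # Only an error-free HTTPS response may set or clear a policy.
        parsed = parse_hsts(header) if secure else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
        else:
            self.policies[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            p = self.policies.get(".".join(labels[i:]))
            if p and p[0] > now and (i == 0 or p[1]):
                return True
        return False

def navigate(store, url, cert_ok, now):
    scheme, _, host = url.partition("://")
    known = store.is_known(host, now)
    if scheme == "http" and known:
        scheme = "https"  # upgraded before any plaintext request is sent
    if scheme == "https" and not cert_ok:
        # Plain HTTPS lets the user click through; a known-HSTS host cannot.
        return scheme, "fatal-error" if known else "overridable-error"
    return scheme, "ok"
```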
Posted on 20-01-24, 06:29 in FUCK hsts
Post: #825 of 1164
Sounds reasonable to me.

--- In UTF-16, where available. ---
Post: #826 of 1164
Posted by Screwtape
I remember having lots of fun once I read the BFG FAQ and discovered that the glowy green ball is not the primary method of dealing damage. Instead, it works like this:

1. The player fires the BFG in direction D, and a big glowy green ball emerges and slowly travels in that direction.

2. When the ball hits an obstacle, it explodes.

3. When the ball explodes, the gun fires a bunch of hitscan projectiles from WHEREVER THE PLAYER IS STANDING.

4. The hitscan projectiles are fired in a random cone around D, REGARDLESS OF WHERE THE PLAYER IS FACING.

So the trick is to find a long hallway beside a room with a lot of dog-fighting. Let's say you stand at the northern end of a long hallway, and fire the gun southward. You now have until the ball explodes to reposition yourself to the northern end of the room with the fighting in it. If you time it just right, you can sprint past and clear a room without even the courtesy of having to stop and aim.

Yeah, the BFG FAQ exposed the weapon code as ... kind of insane.

Apparently they originally wanted basically an overpowered plasma shotgun, but systems of the day couldn't render the effect without choking gameplay to an absolute crawl.
I'd wager the shipping code was an attempt to create a "room-clearing explosion" without the attendant player risk of an explosion that could clear out that much space. And then people stopped watching their projectiles hit targets and everything went wrong.

(A lot of Doom code assumes modern FPS tactics don't exist, for understandable reasons. Sidestepping makes at least one boss almost completely unable to hit you.)

--- In UTF-16, where available. ---
Posted on 20-01-24, 11:31 in FUCK hsts
Post: #827 of 1164
Posted by Nicholas Steel
Is it still limited to TrustedInstaller if you disable UAC?
Yes. Because what Kawa said.
TrustedInstaller is still the only account allowed to tamper with it, the file is not modifiable by administrators.
UAC just generates the gray-screen "are you SURE you want to change your display resolution" popups.


If I recall, it is possible to go in and add Administrator access rights to TrustedInstaller files and directories. THEN the file is touchable by administrators.
But that's a definite case of "not given enough rope to hang yourself, so you went out and bought more".

--- In UTF-16, where available. ---
Posted on 20-01-30, 07:09 in Mozilla, *sigh*
Post: #828 of 1164
In fairness, ejecting it from MoCo proper seemed to be mostly so that Firefox developers no longer had to care that their changes to Gecko might break Thunderbird.

--- In UTF-16, where available. ---
Posted on 20-02-01, 15:44 in Games You Played Today REVENGEANCE
Post: #829 of 1164
I decided to play Sword Art Online: Fatal Bullet, presumably because I hate myself.

Two hours in, and... I can't actually tell you how it plays. I've been reading dialog and watching cutscenes almost the entire time. Spent thirty seconds shooting guys in the tutorial and then got railroaded into a fucking visual novel.


But I did become instant friends with the latest member of Kirito's harem (maybe I shoulda crafted a male, just to spare Asuna the trouble), and chatted up a girl who's canonically dead. So that's something.

Trash game, but no worse than I deserved.

--- In UTF-16, where available. ---
Posted on 20-02-02, 05:38 in Games You Played Today REVENGEANCE
Post: #830 of 1164
At least you bought something sold as a hidebound and backwards text-heavy RPG. Mine is ALLEGEDLY a shooter.

--- In UTF-16, where available. ---
Posted on 20-02-03, 03:11 in Games You Played Today REVENGEANCE
Post: #831 of 1164
For what it is worth, after the two-hour wall o' text, Sword Art Online: Fatal Bullet becomes an entertaining, if not exactly great, semi-shooter.

--- In UTF-16, where available. ---
Posted on 20-02-04, 20:08 in Youtube
Post: #832 of 1164
Posted by tomman
Please tell me, you people, why you insist on watching videos ON A WEB BROWSER instead of a media player, as $DEITY intended...

So, on a scale of "0 to Javascript", how terrible is it? (can't review it myself for rather obvious reasons)
It is total Javascript.

--- In UTF-16, where available. ---
Posted on 20-02-05, 07:59 in Youtube
Post: #833 of 1164
Ladies and gentlemen, I present to you the problem.

Seriously, who pays for YouTube?

--- In UTF-16, where available. ---
Posted on 20-02-06, 06:08 in TAS (tool-assisted speedruns)
Post: #834 of 1164
Hit "mark forum read" up top on the thread list. That's what I did, and it fixed it. Known kBoard quirk.

--- In UTF-16, where available. ---
Posted on 20-02-07, 06:54 in I have yet to have never seen it all.
Post: #835 of 1164
Posted by creaothceann
byuu's changing names
--- In UTF-16, where available. ---
Posted on 20-02-19, 00:08 in What are you listening to right now?
Post: #836 of 1164
Pac-Man Fever (original album)

https://m.youtube.com/playlist?list=PL155E832DB2A9118B

--- In UTF-16, where available. ---
Posted on 20-02-19, 22:02 in I have yet to have never seen it all.
Post: #837 of 1164
Posted by tomman
Posted by Kawa
Posted by Nicholas Steel
Byuu's discord server is killing this forum >:O
And you're not helping.


> proprietary Javascript bloat

WHAT THE HELL IS WRONG WITH YOU GUYS!?!??!?!

I guess I gotta get used to isolation, between my limited connectivity nowadays AND the fact that people are migrating to really awful platforms.
Whatsapp, Discord, other proprietary "I AM A CELLPHONE" messaging shits... this is a sad decade for the Internet (and for my personal sanity).

...

Yeah. I set up a discord account recently because everyone on every IRC channel I'm in moved there, and it turns out I like people more than I hate Discord. :(

--- In UTF-16, where available. ---
Posted on 20-02-19, 22:18 in I have yet to have never seen it all. (revision 1)
Post: #838 of 1164
Posted by creaothceann
https://github.com/chrislgarry/Apollo-11/issues/3

That's glorious!

--- In UTF-16, where available. ---
Posted on 20-02-20, 06:58 in RIP Larry Tesler, father of copy/paste
Post: #839 of 1164
http://www.vintagecomputing.com/index.php/archives/2759/larry-tesler-1945-2020

Not the most-sung computer visionary, but an important one nonetheless.

--- In UTF-16, where available. ---
Posted on 20-02-20, 07:14 in RIP Larry Tesler, father of copy/paste
Post: #840 of 1164
Well, he had help. If Al Gore hadn't invented the internet, you couldn't copy from Wikipedia and paste into Word.

Also: ROWFUL.

--- In UTF-16, where available. ---