CaptainJistuce
Posted on 20-01-24, 01:43 in FUCK hsts (revision 1)
Custom title here
Post: #821 of 1164 Since: 10-30-18 Last post: 72 days Last view: 19 hours
Posted by sureanem
That is LITERALLY the entire point of HSTS. If ANYTHING is wrong, the transaction CANNOT proceed. There are no fallbacks to less-secure encryption, no using known-incorrect credentials anyways JUST BECAUSE. Hence the name: HTTP Strict Transport Security.

It is like XHTML, only people like it because it is no harder to implement and makes Google happy, whereas XHTML is hard for them to implement because they suddenly have to actually know what they're doing and stop pasting broken code for the browser to sort out for them.

It is also notable that you've previously said that end users SHOULDN'T be able to override server-side decisions re: DNS. So why change now?
--- In UTF-16, where available. ---
Posted on 20-01-24, 01:43 in Anyone interested in giving some Doom mapping idea's/advice?
Or do you just want to give them a BFG and a lot of targets to kill with it?
Posted on 20-01-24, 01:44 in Monocultures in Linux and browsers (formerly "Windows 10")
Posted by tomman
Genom Corp. They're still pretty damn tough, though maybe not Toyota-tough.
Posted on 20-01-24, 03:42 in FUCK hsts
Posted by sureanem
The idea is that this is a transaction that absolutely needs to be secure. There needs to be as much assurance as possible that there are no TLS downgrade attacks, no man-in-the-middle eavesdropping, no suspicious behavior at all. Any suspicious activity is immediate grounds for terminating the connection, because if the connection cannot be trusted, then no transaction should take place.

Surely, someone as security-minded as you profess to be would be GRAVELY CONCERNED that there are HTTPS errors in the first place.

The problem is not "HSTS works as advertised", it is misuse of a good feature. Google is punishing EVERYONE for not enabling HTTPS when their website does not need HTTPS, then punishing them AGAIN for not enabling HSTS when their website does not need HSTS.

I'd also argue that browsers are moving towards preventing ANY overrides of HTTPS issues. They've already placed big scary doom warnings and hid the option to override, so you have to click more buttons to show the option before you can begin the override. So place your flag not in "HSTS works as advertised", but at "all HTTPS transactions are moving towards being treated as if they were HSTS transactions".

And to be blunt, I question why HTTPS errors were ever allowed to be ignored at all. If you believe your connection needs to be secure, you should refuse to allow an insecure connection. Were I writing the spec, I would require both ends of the transaction to terminate the connection if there was an HTTPS error. If the client software is out of spec and attempts to continue the transaction anyways, it doesn't matter because the server software slammed the door in their face. HSTS wouldn't even exist, because regular HTTPS would already do more.
Posted on 20-01-24, 06:29 in FUCK hsts
Sounds reasonable to me.
Posted on 20-01-24, 09:48 in Anyone interested in giving some Doom mapping idea's/advice?
Posted by Screwtape
Yeah, the BFG FAQ exposed the weapon code as ... kind of insane. Apparently they originally wanted basically an overpowered plasma shotgun, but systems of the day couldn't render the effect without choking gameplay to an absolute crawl. I'd wager the shipping code was an attempt to create a "room-clearing explosion" without the attendant player risk of an explosion that could clear out that much space. And then people stopped watching their projectiles hit targets and everything went wrong.

(A lot of Doom code assumes modern FPS tactics don't exist, for understandable reasons. Sidestepping makes at least one boss almost completely unable to hit you.)
Posted on 20-01-24, 11:31 in FUCK hsts
Posted by Nicholas Steel
Yes. Because what Kawa said. TrustedInstaller is still the only account allowed to tamper with it; the file is not modifiable by administrators. UAC just generates the gray-screen "are you SURE you want to change your display resolution" popups.

If I recall, it is possible to go in and add Administrator access rights to TrustedInstaller files and directories. THEN the file is touchable by administrators. But that's a definite case of "not given enough rope to hang yourself, so you went out and bought more".
Posted on 20-01-30, 07:09 in Mozilla, *sigh*
In fairness, ejecting it from MoCo proper seemed to be mostly so that Firefox developers no longer had to care that their changes to Gecko might break Thunderbird.
Posted on 20-02-01, 15:44 in Games You Played Today REVENGEANCE
I decided to play Sword Art Online: Fatal Bullet, presumably because I hate myself. Two hours in, and... I can't actually tell you how it plays. I've been reading dialog and watching cutscenes almost the entire time. Spent thirty seconds shooting guys in the tutorial and then got railroaded into a fucking visual novel. But I did become Trash game, but no worse than I deserved.
Posted on 20-02-02, 05:38 in Games You Played Today REVENGEANCE
At least you bought something sold as a hidebound and backwards text-heavy RPG. Mine is ALLEGEDLY a shooter.
Posted on 20-02-03, 03:11 in Games You Played Today REVENGEANCE
For what it is worth, after the two-hour wall o' text, Sword Art Online: Fatal Bullet becomes an entertaining, if not exactly great, semi-shooter.
Posted on 20-02-04, 20:08 in Youtube
Posted by tomman
It is total Javascript.
Posted on 20-02-05, 07:59 in Youtube
Ladies and gentlemen, I present to you the problem. Seriously, who pays for YouTube?
Posted on 20-02-06, 06:08 in TAS (tool-assisted speedruns)
Hit "mark forum read" up top on the thread list. That's what I did, and it fixed it. Known kBoard quirk.
Posted on 20-02-07, 06:54 in I have yet to have never seen it all.
Posted by creaothceann
Posted on 20-02-19, 00:08 in What are you listening to right now?
Pac-Man Fever (original album) https://m.youtube.com/playlist?list=PL155E832DB2A9118B
Posted on 20-02-19, 22:02 in I have yet to have never seen it all.
Posted by tomman
Yeah. I set up a discord account recently because everyone on every IRC channel I'm in moved there, and it turns out I like people more than I hate Discord. :(
Posted on 20-02-19, 22:18 in I have yet to have never seen it all. (revision 1)
Posted by creaothceann
That's glorious!
Posted on 20-02-20, 06:58 in RIP Larry Tesler, father of copy/paste
http://www.vintagecomputing.com/index.php/archives/2759/larry-tesler-1945-2020 Not the most-sung computer visionary, but an important one nonetheless.
Posted on 20-02-20, 07:14 in RIP Larry Tesler, father of copy/paste
Well, he had help. If Al Gore hadn't invented the internet, you couldn't copy from Wikipedia and paste into Word. Also: ROWFUL.