Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net. It certainly should not be consent to delegate that power to others, either via an embedded link or a MITM attack.
Advocate the other direction: more freedom, including the freedom to say "thank you, browser, for being locked down by default, but I trust this website and I am okay with everything it wants to do".
Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with. And letting them make mistakes with that, too: you don't make things better by taking away important life lessons, either.
The problem doesn't have to be one of education if it is tackled as a legitimate UI/UX problem and served by a W3C that supports the needs of end users over corporate partners.
As for the DoS aspect, maybe it's time to do a CORS preflight on ALL cross-origin requests, including images. (Webfonts, for whatever reason, already require a CORS preflight. Probably because Adobe is on the W3C and they sell a service where certain origins can legally use certain fonts from their servers.
I hate it when user security features get turned into subsidies for large corporations, but here we are.)
Of course, if you have broken TLS I guess you can just forge the CORS response.
"Hey Tim Apple/Microsoft/Google, if you want to do business in China you have to put our CA on your devices/software...".
At least Firefox would still be free from that. And Apple already has China-specific iOS, so they'd just activate the bad CA on Chinese devices...
But that is literally what web users want.
Everything you named is a fine opinion, but runs contrary to the wishes of the vast majority of millions and millions and millions and millions of web users.
No it absolutely does not.
Pretty sure that most people just want to be able to visit a website without it causing problems to their computer or to others.
And even if you do want to take silence for consent, the fact that the vast majority of millions of millions of web users do not install an extension to route around Google AMP indicates that they do not want the operators of the web page to do whatever they want, they want to run a restricted subset of what the web designer might imagine. AMP is extremely popular among web users; approximately 100% of Google users use it. (The more defensible argument, of course, is that users don't really want AMP, at which point the question of what users really do want gets back on the table.)
Also, users did vote with their feet against downloading EXEs from the internet - which can actually do whatever the developer wants - and using JS on the web platform, which can make unrestricted GET requests (even if it can't see the responses), sure, but can't do anything near "whatever." It stands to reason that users would gladly accept even more restrictions on the execution platform.
For the kinds of places that AMP is used, I would suspect so.
> Also, users did vote with their feet against downloading EXEs from the internet
So....this CAN happen???
> users would gladly accept even more restrictions on the execution platform.
The recent popularity of clipboard permissions, geolocation permissions, notification permissions, etc. would suggest otherwise.
What makes you so sure that web users care so much about the uptime of lihkg.com ?
What popularity? Do you have data that users tend to click "yes" on such permission prompts?
> What makes you so sure that web users care so much about the uptime of lihkg.com ?
I'm not sure I understand what you're asking or what you're responding to.
lihkg.com being down is the negative consequence of this code running, right?
You can see unintentional examples of this happening. Small sites get taken down occasionally when larger sites directly link to images or videos hosted there.
Come on now. Of course those devices can use TLS - they just can't do so in the capricious constraints imposed by the system of "certificate authorities". It's not a fundamental limitation of the technology.
If we were using something like noise protocol, nobody would be saying that tiny devices are incapable of proper security at the transport layer. There's just no clear way to assess the validity of a self-signed cert in the browser given today's political constraints.
The CA/Browser Forum allows certs up to 27 months - do routers sit on store shelves for 27 months before being configured? Do they even sit for 12 months? (Once they're online, they can renew their cert, possibly with the help of the vendor who can track the private key or something.)
Furthermore, this would require either not being able to change the IP for your device (bad) or sending information about the layout of your network to the vendor (I wouldn't trust them with that info).
Very few people care about this and the effort of maintaining a custom DNS and a CA certificate system (which, by the way, would need to be subjected to rigorous security testing) just isn't worth it.
Lastly, what's the point? Adding a little padlock isn't worth it if anyone can get a certificate for the router ip anyway. How do you ensure that the router connecting to your IP really has the mac address it claims? It only takes one person to get root on their router to invalidate the entire security system and given how somehow router vendors are still shipping command injection vulnerabilities, I wouldn't assume that they can prevent that as much as they'd like.
What I want is the option to give a router my own security certificate instead of the self signed one. Let me use my own CA or let me mess around with letsencrypt, split-horizon DNS and Selenium scripts if that's what I need. Consumers don't care about TLS on their router and this would be the cheapest option to solve it for prosumers.
Browsers and the people who sit on these committees are understandably more focused on their own use cases, but there really does need to be a viable certificate solution for small embedded devices, preferably works with mDNS too. I'm not going to hold my breath, but until this happens any/all IOT devices will remain largely insecure. Big co's (like my employer) can develop and deploy a custom solution, most companies cannot.
The immediate solution that occurs to me is installing a private CA, possibly one with name constraints for the vendor, because private CAs aren't held to the same rules about validity. I'm curious why this doesn't work - is it just that the tooling needed to make it happen isn't polished enough for small vendors?
I'm guessing that internet of things devices are, by their name, on the internet and can talk to a CA. Yes, this will require some way to give them a real domain name, but you could either give them names on the vendor's site or encourage people to get a domain name for themselves.
Vendor.com can then look at the opaque blob forwarded from their hardware and decide if they want to delegate trust to it.
(You cannot special-case "This server is untraceable", else a repressive government could blackhole that server and trigger the relaxed validation rules.)
I wouldn't go as far as calling it «capricious constraints imposed by the system of "certificate authorities"» but at the same time, I agree that it's not a fundamental limitation of the technology.
Better protocols could be developed to allow a browser to trust a server without (all) the limitations of the current system.
- let companies register a wild card domain in the .local (or a newlocal) namespace: *.acme.local
- designate the acme company with the ability to issue certs that never expire for any name in "*.acme.local" but the browser will refuse to use certs signed with that key for anything outside "*.acme.local"
- the acme company can now make equipment that the user's browser can connect to over an encrypted channel with zero config on the user's part
- the equipment can live off the internet indefinitely
- if the acme company is breached, and their signing key is stolen, the attackers can only use that key to impersonate acme company, it doesn't allow them to impersonate any other domains
- the browser manufacturers don't care about this use case so it's never gonna happen
- the cert on the device never expires... and can never be replaced automatically somehow. I think the only workaround is acme could enable users to load their own certs if they are so inclined, but that shouldn't be required.
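The scoping proposed in the two comments above (a vendor CA whose certificates are honoured only under one DNS subtree) is what X.509 name constraints express. The following is an added example, not code from the thread or from any browser: a simplified dNSName constraint check in the style of RFC 5280 section 4.2.1.10, using the thread's hypothetical `acme.local` namespace and constructed certificate names.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name and split it into labels, ignoring edge dots."""
    return name.lower().strip(".").split(".")


def in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or only adds whole labels on the left.

    Comparing labels rather than raw string suffixes is what keeps
    "evilacme.local" from satisfying the constraint "acme.local".
    """
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b


@dataclass
class CA:
    name: str
    permitted: list[str] = field(default_factory=list)  # empty = unconstrained
    excluded: list[str] = field(default_factory=list)


def violations(san_names: list[str], chain: list[CA]) -> list[str]:
    """Return one message per SAN dNSName that a CA in `chain` may not vouch for.

    An empty result means every name satisfies every CA's constraints.
    Simplification: only dNSName entries are modelled; a real validator also
    applies constraints to IP addresses and other name types.
    """
    problems = []
    for ca in chain:
        for san in san_names:
            if any(in_subtree(san, ex) for ex in ca.excluded):
                problems.append(f"{san}: excluded by {ca.name}")
            elif ca.permitted and not any(in_subtree(san, p) for p in ca.permitted):
                problems.append(f"{san}: outside permitted subtrees of {ca.name}")
    return problems


# Constructed sample data: the thread's hypothetical vendor CA and device names.
ACME_CA = CA("Acme Device CA", permitted=["acme.local"])
PUBLIC_ROOT = CA("Unconstrained Public Root")


def demo() -> dict[str, list[str]]:
    """Check several constructed leaf certificates against the constrained CA."""
    cases = {
        "device cert": ["router-1234.acme.local"],
        "stolen key, other domain": ["login.example.com"],
        "lookalike suffix": ["evilacme.local"],
        "over-broad wildcard": ["*.local"],
        "mixed SAN list": ["cam.acme.local", "example.com"],
    }
    return {label: violations(names, [ACME_CA]) for label, names in cases.items()}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label:26} ->", "accepted" if not problems else problems)
```

A certificate is rejected if any one of its names falls outside the subtree, which is why the mixed SAN list fails even though its first name is valid.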
How would you prevent this? What constitutes an "attack", and how would you make sure you're not interfering with non-malicious use cases?
For China need some way to handle that whole commercial-military-party all one entity.
I absolutely believe you, and wrote a document how to make improvement.
> Code from non-TLS pages should not be able to run at all.
Whether or not it is TLS is irrelevant. Either way the user may wish to put their own code, and either way the server operator can change things whether or not is what the user intends. (TLS does prevent spies from adding code, but not all unwanted code is from spies.)
> Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with.
I agree. Furthermore, allow the user to override any behaviour they want to do, too.
Allow the user to examine and copy the script (possibly with modifications); if the script changes (whether due to MITM or due to the author altering it or due to some other company purchasing them), it no longer runs unless the user approves the new one, too. Extensions that only allow free software to run don't help either; just because it is free software does not necessarily mean it is a program the user wants their computer to execute. Or, maybe the user wants to execute a modified version instead!
An outbound browser firewall could help also.
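The approve-then-pin behaviour described in the comment above can be sketched as a small per-URL store. This is an added example, not part of the thread and not any browser's API; `ScriptPins`, the decision names, the URL and the script bodies are all hypothetical and constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Pin:
    sha256: str                       # digest of the copy the user approved
    replacement: bytes | None = None  # set when the user's own copy should run instead


@dataclass
class ScriptPins:
    """Hypothetical per-URL record of scripts the user has examined and approved."""
    pins: dict[str, Pin] = field(default_factory=dict)

    def approve(self, url: str, body: bytes, substitute: bool = False) -> None:
        """Record `body` as approved for `url`.

        With substitute=True the user's (possibly modified) copy is stored and
        executed in place of whatever the server or the network delivers.
        """
        digest = hashlib.sha256(body).hexdigest()
        self.pins[url] = Pin(digest, body if substitute else None)

    def resolve(self, url: str, served: bytes) -> tuple[str, bytes | None]:
        """Return (decision, bytes_to_execute) for a script fetched from `url`.

        "ask"           never approved: run nothing until the user decides
        "run"           served bytes match the approved digest
        "blocked"       served bytes changed (author edit or in-transit
                        modification look the same here): run nothing
        "run-user-copy" user pinned their own version: served bytes are ignored
        """
        pin = self.pins.get(url)
        if pin is None:
            return ("ask", None)
        if pin.replacement is not None:
            return ("run-user-copy", pin.replacement)
        if hashlib.sha256(served).hexdigest() == pin.sha256:
            return ("run", served)
        return ("blocked", None)


# Constructed sample inputs (not real scripts).
URL = "http://static.example/widget.js"
ORIGINAL = b"console.log('widget v1');"
CHANGED = b"console.log('widget v1'); /* bytes added after approval */"
USER_EDIT = b"console.log('widget v1, telemetry removed');"


def demo() -> list[str]:
    """Walk one URL through first sight, approval, a change, and a user override."""
    pins = ScriptPins()
    decisions = [pins.resolve(URL, ORIGINAL)[0]]      # first sight
    pins.approve(URL, ORIGINAL)
    decisions.append(pins.resolve(URL, ORIGINAL)[0])  # unchanged
    decisions.append(pins.resolve(URL, CHANGED)[0])   # changed after approval
    pins.approve(URL, USER_EDIT, substitute=True)
    decisions.append(pins.resolve(URL, CHANGED)[0])   # user's copy wins
    return decisions


if __name__ == "__main__":
    print(demo())
```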
Hyperlinks generally don't open themselves. There is an obvious exception -- img tags -- and I think it's worth considering whether they should be allowed to have the behavior they do. As far as I see, img tags load themselves so that, if you're editing HTML by hand, you don't have to deal with binary image data in the middle of what was supposed to be a clean text file. That may not be the right tradeoff.
The img model got extended to other external resource loads, like script and css. But both of those frequently do appear as part of the same HTML that uses them. Image data can, but usually doesn't.
Also, external script loads are such an obvious problem that we got the Content-Security-Policy just to deal with it.
But to answer your question more directly, yes they clearly know what they are suggesting.
> These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:
> http://push.zhanzhang.baidu.com/push.js; or
It also assumes that the end users ("victims") here don't trust any Chinese certificate authority.
Highly unlikely, or else the suggestion would be to just ban HTTP altogether. HTTP without the ability to load resources from other domains would break the majority of sites.
The evil empire and culture will try and try to harm liberty and human rights. If it is not so important you would not see many of hkers like me instead of posting in here and other places, but in concentration camp as northern Turks up north.
There is plenty of historical precedent for this: spammers' IP ranges would be blackholed to send a message to their ISPs that such behavior wasn't tolerated. That the Chinese authorities decide to play this game at the nation state level should not give them a free pass, but should result in a nation state level response.
The criminal co-opting of networks and nodes on those networks is not speech by any definition.
I'm either misunderstanding what you're saying, or it doesn't make sense. If a bunch of people take signs (with legitimate messages, free speech) and hang them off a bridge over the highway (causing accidents), then those people go to jail. The fact that their message is free speech is irrelevant. The source of the message is being punished/jailed, not the message.
Am I mis-representing your statement?
To put it another way: if someone steals my car and uses it to rob a bank, even if that car is now evidence in a criminal investigation, it's still my car. The police have every right to confiscate it from the thief—it's not their car—but that doesn't mean that it suddenly belongs to them; it belongs to me. In both this case and the above case, I have a right to not be unduly punished for the actions of an unrelated third party (by having my website taken down; or by having my car permanently confiscated, respectively.)
The context here is very similar to a story that was on HN just yesterday (https://news.ycombinator.com/item?id=21671579). Banning a site from the internet for happening to be MITMed by China is very similar in its ethical implications to banning a site from the Internet for happening to have a domain-name that fits a pattern used by a botnet.
At this point we really need to start doing the "You wanted a Great Firewall? Enjoy. You now have no connection."
Removing China from the internet would also likely cause things that phone home to China to break. That would actually create some consumer awareness to boot.
Not my problem. Figure out a better way than getting in bed with fascist countries and then complaining when the inevitable door swings shut due to rightful backlash.
I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.
Personally I have already pi-holed entire .cn and other domains.
UN sanctions are not imposed on bad state actors. They are imposed on weak state actors. UN sanctions have never been imposed on the US, China, Russia, Britain and France easily the worst state actors globally - the biggest weapons sellers and the cause of instability all over the world. They also are the 5 permanent security council members with veto power.
> I think we generally overestimate the hurt on the outside and underestimate the hurt on the inside considering the massive trade imbalance that China enjoys with the rest of the world.
China doesn't enjoy a trade imbalance with the "rest of the world". They enjoy it with the US primarily. They are net importers of Japan, South Korea, Saudi Arabia, Brazil, etc.
Germany, Japan, South Korea, etc also enjoy trade imbalance with the "rest of the world". Do you support sanctioning them?
> Personally I have already pi-holed entire .cn and other domains.
That doesn't do much if you really think about it. It's not like Chinese individuals, companies or government are barred from owning everything from coms to orgs.
That is a great point and I agree with it.
However, the way I look at it, a state sponsored attack like this is no different from a country firing missiles or shells on another country from over the border. And as such, such attacks should not go unpunished and there need to be consequences. In addition, the countries being attacked have a right and a moral duty to protect themselves.
The mechanisms of such I leave to those with the power to make it happen.
And yes, blocking .cn doesn't do much, but it does some.
We could potentially have sanctions that require Google to block commercial sites in China. That would definitely get their attention without massive financial implications on the economy.
This type of behavior CAN NOT be allowed to continue.
I’m sure this will garner plenty of whataboutism regarding how the west is imperfect (never minding that I didn’t say “the west”)...
There’s a limit to how much leverage any one side has on a sovereign country’s policies (and how much they actually enforce them when they agree).
There’s also the question of the benefits of having China at all in these deals, some concessions and a growing dependence on western markets from initial deals is better than no deals.
Plus a wealthier China is good for the world and the billion people coming out of poverty, getting educated, and slowly becoming an advanced economy.
I’m not advocating for anyone controlling sovereign Chinese policies. They can continue their awful anti-humanitarian policies, fraud, IP theft, etc. I just don’t want my country aiding and abetting it. At very least I want my fellow citizens to be able to make informed purchasing decisions.
And I’m all for lifting people out of poverty, but I’d rather do it in a country with some minimum base line respect for human rights and integrity, and where my purchasing dollars don’t end up propping up some dictatorial system that bullies other countries.
And were I a citizen of the UK in this tortured analogy (with my contemporary morals and all that), I wouldn’t want my money supporting that.
> Any country will have hiccups throughout its development.
Right, but we don’t have to support those “hiccups”. Anyway, China had 60 million hiccups in the last century. They’re all out of hiccup passes.
> It's convenient but counterproductive to categorize every argument against yours as "whatabouttism".
Not every argument, only the ones that start by suggesting I can’t criticize China until <other countries that I presumably support> are completely without blame. Such as yours.
The reality of China is that they need the global economy as much as the global economy needs them. No one entity can really pick up their ball and go home, as much as China would probably love to.
The first step could be sending CORS preflight, then requiring it, then just not allowing cross origin to different domains (but allow sub-/sibling- domains).
uBlock recently found an approach for blocking cnamed origins: https://github.com/gorhill/uBlock/commit/3a564c199260a857f3d...
Unfortunately (from my perspective) that'll do nothing to stop third party ad tracking but you can't have everything, I suppose.
Your defense idea might stop layer 7 attacks, but not lower level ones.
So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?
The article also doesn't make clear -- is this DDoS coming exclusively from outside of China? Or is it injecting the same malicious code inside of China as well, and they're just not bothering to distinguish between requests coming from inside or outside the country? (In which case, the DDoS will continue regardless, just not with the rest of the world's help.)
Considering that the halting problem is undecidable, it's impossible to filter out the malicious scripts with complete certainty. The best you can do is use blacklists/heuristics which lead to an arms race.
>So in case of known malware like this being served from within a geographic region... is there any way to filter this out at scale? Or is that computationally infeasible at scale, so it would have to be built into the browser or something?
Foreign ISPs can block port 80 or HTTP requests from coming into China. Sure, it's going to break a lot of sites, but it's relatively simple for any site to get unblocked - all they need to do is set up letsencrypt.
This doesn't mean that you can't prove a big subset of scripts safe.
> The best you can do is use blacklists/heuristics which lead to an arms race.
You can also allow the scripts that automatically prove safe, plus other popular scripts you decide to explicitly allow, plus other scripts that are low-rate enough that you don't believe them to be a concern.
Any ISP could force unencrypted traffic through a deep packet inspection system that looked for this kind of malicious behavior. That would be widely seen as a betrayal of the "big dumb pipe" expectation.
The computation itself is not infeasible at scale. But any ISP attempting this would see swift and brutal political pushback and almost certainly lose customers over it.
Do they just not care?
Some day soon a war will not be started with an assassin's bullet but with a tool like this. I wonder when we start looking at them the same way?
The audience is other Asian and African states. The message is "we can act with impunity". The US will probably do some tit-for-tat exchange, but the US scope to do anything is limited due to the potential for impact on US businesses.
They're also directing lasers at helicopter pilots, which is much closer to an actual war than mere bits.
The cannon doesn't have to work all the time, just once effectively, and possibly even accidentally.
After the meeting, Franz wanted to travel to the hospital to visit the civilians who'd been wounded by the errant grenade. En route, his driver, confused, took the same route from the morning procession. When they realized what was happening, they told him to turn around and get out of there. When the driver stopped to turn around, they were ~1 block from the site of the first assassination attempt. One of the co-conspirators (who had lost his nerve the first time, and had been milling around and hoping that Franz would come back by), was standing where the car came to a stop. Two shots killed Franz Ferdinand and his wife.
Fun fact about this--Franz Ferdinand's death was not the cause of the Great War in the way that people tend to think it was. The assassination caused the war in the sense that it was a convenient excuse for a war that the Austro-Hungarians already wanted, but not because (Austro-Hungarian Emperor) Franz Joseph wanted revenge or anything like that. In fact, Franz Joseph's secretary later said that he "almost seemed grateful" that Ferdinand (whose marriage was so problematic that he had been forced to proactively abdicate on behalf of his children) was out of the way.
0 - Peace
1 - Trade War
2 - Financial War
3 - Electronic War
4 - Shooting War
Note that 1 & 2 are different types of Economic war, and could be grouped together. The steps occur in order, but steps can be skipped.
From a US-centric point of view, North Korea and Iran seem to be at #3. China & Russia are at a limited version of #2.
Chinese/HK seem to be at #3 with each other. Given how invisible Electronic War can be, it's possible that they are deep in #3. It's also possible that #4 might be initially fought with HK Police forces as a proxy. Think of that as "4a".
"Countries that trade with each other don't make war with each other."
As we isolate countries and disrupt trade we definitely are increasing the risk of conflict.
I'm pretty sure this was the prevailing thinking prior to World War 1. A large scale conflict would be so damaging on a human and economic level that most assumed the people in power would find a way to stop a massive war from breaking out. Well, they were right about the first assumption, but very wrong about the second.
There's plenty of good things from a moral perspective about power being diffused away from a hyperpower hegemon, but stability and peace have never been among the side effects.
Nobody really cares, except for those directly involved. Sad but true, nobody will ever go to war for that, for foreign citizens.
> I want my cheap plastic consumer devices!!
People do actually want that. And their cheap shoes and clothes and...
Foxconn's suicide rate is lower than China's, along with all 50 US states. They just employ a gargantuan amount of people (400k). I don't know much about the working conditions there, so I don't have a position, but it doesn't look like there's evidence to suggest that the working conditions have anything to do with the fact that some of their employees committed suicide.
To put it another way, there's roughly as much evidence of this as there is that working in a factory in Nigeria causes sickle cell anemia.
Page 25 (but see also page 23) https://assets.publishing.service.gov.uk/government/uploads/...
Fencing off tall buildings is a useful short-term suicide prevention measure.
It's impossible to prove causality, but Europe has never seen longer and more widespread peace than the last 70 years.
But then you go on to claim that war among countries on the Western side was prevented by memories of war and not the EEC, without any reasoning as to why. I don't buy it. The first World War was already terrible, yet these countries were at each others' throats only a few decades later.
Tons of CCP members are getting rich off the economy which includes a lot of trade and foreign debt.
There’s plenty of correlation here.
Here's what Otto Mallery said though:
"If soldiers are not to cross international boundaries, goods must do so. Unless the Shackles can be dropped from trade, bombs will be dropped from the sky."
This was a common argument as to why WWI couldn't happen, countries were far too economically dependent, everyone would be ruined.
Except it did happen, and everyone was ruined.
At worst, it was an affirmation repeated, as with most affirmations, in the hopes that the repetition would make it true, which it doesn't, and for the usual reason, that it generally wasn't.
How many major wars in the last 100 years were preceded by trade wars or electronic wars (I don't know what a financial war is, trade embargoes? - embargoes are not trade wars)? Perhaps my view is a bit US-centric (there have been many small wars in Africa that I don't know the history of), but I don't think that US conflict participation in Iraq, Yemen, Libya, Grenada, Vietnam, Korea, WWII, or WWI were preceded by those sorts of policies. To find a trade war that preceded a war I think you might have to go to the US fighting in Central America (banana wars), or maybe the Civil War.
Meanwhile the US has engaged in trade wars with plenty of countries it hasn't fought with, dominantly Europe (via the banana trade wars, not to be confused with banana wars, e.g.), and Japan.
"Peace" is built from war's stalemates. As the most violent (and therefore effective) means become ineffective, combatants shift towards less effective means, to the point that the war (which is still ongoing) continues through diplomacy and trade.
Hence, "war is diplomacy by other means."
Diplomacy and trade are means of gaining an advantage in the underlying (now "cold") warfare. They're maneuvers to defeat the existing stalemate. If either side is able to obtain an economic (or other advantage) sufficient to defeat their opponent in a more violent form of warfare, then they will return to violence because that is the basal state of nature.
The worst thing you could ever have in trade / diplomacy is a good working relationship that isn't balanced and equal. A trade failure is itself a stalemate which can strengthen peace, so long as it occurs before too great of an advantage is gained by any group.
As the grandparent said - steps can be skipped. Since 3 is a relatively new medium for offensive actions, I suspect there are not a lot of well-known examples around. Would be interesting to see if any currently active conflicts were preceded by DoS (not necessarily Distributed, could be just a "cable cut" from outside), and how long before it escalated to active conflict.
The whole point of the cannon is that you can leverage the bandwidth of other countries. The CCP already controls the telecoms in China. They don't need to hijack Chinese computers for DDoS attacks when they can directly DDoS from their ISP's backbone.
The reason England and France got into the war is because of Germany's expansionist policies and not because of moral reasons at the time.
What Hitler did was terrible, but that's not the reason we had a war. "Germany (or Japan) might invade us next" is what was really in everyone's mind.
That's 2+ years after the start of WW2.
As WW2 progressed the Nazis attempted to ship the Jews elsewhere. Sadly countries refused to accept these refugees.
Nazis then started to pile up Jews into Ghettos. Note that these Ghettos are almost identical to the Uyghur's current situation.
As the Ghettos started to fill up, the Nazis needed a plan on what to do as the ghettos started to reach capacity. Their decision is known as the "Final Solution" or death camps.
Hitler was elected under the pretense that he represented socialism that was friendlier to the middle class and workers. This way people could get their socialist improvements to the economy (which was shit due to bad world-wide economy and war reparations) while still having defense against the sort of upheaval and murderous destruction that the Reds represented.
The take-home lesson of WW2 shouldn't be that 'The other side was evil and we won'. Because the entire Eastern half of Europe and most of Asia was submitted to governments that were incredibly evil due to the Soviet victory.
WW2's lessons are meaningless without WW1. They really are effectively the same war. The treaty of Versailles and the humiliation of the German civilian government are directly responsible for the rise of power of the Fascism in Germany.
The take-home lesson of the 20th century wars is that massive murder and atrocities are only possible because people obey their governments. That 'The people' cannot discern true evil running the state until it's far too late.
Because evil doesn't show up saying "Elect me because I want to gas the Jews". They gain power by promising what you want. By telling you what you want to hear. And once they gain power then it is the average person's willingness to obey authority and carry out orders is what turns shoe makers, engineers, and doctors into mass murderers.
Which is the sort of thing that is happening in many parts of China.
Always remember that in Vichy France when they rounded up the Jews for the holocaust it wasn't the German troops that went around arresting them. It was the French police that rounded up people to be put on those trains. It was under the orders of the French politicians. This problem of obeying governments is not something that is limited by national borders.
_in a mass_; all together; as a group:
I can tell because that's how it already went down with the Tibetans and Uyghurs. Because the CCP has already committed a multiple of genocides including their planned mass famines in 1960 that killed tens of millions of their own citizens.
I wouldn't have felt the need to make my comment if the original comment was modified with "early Holocaust" rather than equating it to the entire thing which inherently includes and is often more synonymous with the death camps.
Also what China is doing is not in the magnitude of the Nazis.
I am not saying any of this to defend China. I just want these things clear because this is the type of rhetoric that is often used by Holocaust deniers.
If I again compare with the US as an example even if people don't like that. You have had many hundred if not thousands of suicide bombers that have stated that they sacrifice their life to strike against targets because of US imperialistic ways. Imagine the circumstances that lead to that.
The guy who just wants to be left alone is constantly pushed into a corner by the guy that wants to control and manipulate people and those are the two types of people in the world. The American revolution was filled with guys that just wanted to be left alone. Congress is now filled with guys that want to control and manipulate. They are naturally attracted to power. It will take them pushing the US citizen who wants to be left alone (AKA the silent majority) into the corner before anything changes.
>The problem is you have two types of people, you have the guy that sees his kid get blown up and is like F'it I am going to detonate myself. I get it, I could be that guy under the right circumstances. The problem is the world is just as full of people ready and willing to exploit that guy and that is what happens. The situation is a lot more complicated than the American imperialist kills babies meme. The problem is though when you go after the other guys, who need going after, some good people get killed and it creates a newly exploitable class based on that anger and resentment.
That is also the exact motivation that China uses for its re-education camps. It is because of terrorism that they need to go after.
It's clearly not exactly the same as the Holocaust. But it's disingenuous to say it's nothing like the Holocaust either, because there are a lot of similarities.
Are they death camps yet? Well, perhaps not. But there is nonetheless a hell of a lot of dehumanization. There are reports of forced abortions, rapes, medical experiments, and other tortures.
To be clear, the US internment of the Japanese is a horrendous stain, but it clearly is far less evil than these camps.
that is, one brutally murdered innocent child of innocent parents is not really different than some other brutally murdered innocent child of innocent parents.
I'm comparing our oil grab under various guises, vs China's attempts at unification.
When both are causing murder, why is oil better than submission?
We need to wean ourselves off a dependency on China for cheap goods. We need to decide that we value human life over a cheap phone.
China gets away with what it does because it feeds our need for shiny new trinkets. Frankly, it's disgusting. The world could stand up to China and say it doesn't want it as a trading partner. Maybe that wouldn't even help, but do we really want to be doing trade with a country that operates like China does?
Where are our values?
It's like saying that police aren't a solution to murder - what we really need is to stop killing each other.
That hypothetical president who cared about e.g. Tibet or the Uighurs couldn't have expected any popular intellectual support for that effort, however, since our popular intellectuals act largely to feather their own nests with Panglossian tributes to how wonderful TPP could have been.
One shouldn’t mistake a seeming return to the status quo as proof that the status quo is just as strong.
and in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISP's to null-route Chinese businesses like Baidu.com as a form of sanction?
When I signed up, they emailed me to welcome me to the site (they actually require manual authorization of users by an admin, which is... refreshing, but uncommon). The email ended by stating that if I lost my password, they could "recover it" and send it back to me.
I raised a thread about it in one of their off-topic sections, and got harassed - "How secure do you need your browsing to be?" (And hey, I mean, I was asking them to do more work)
But it stands out that most of the public doesn't know, and doesn't care to know. Even a site that's populated by people with net worths and/or incomes that average in the six-to-seven figure range, that they probably signed up for with the same email address and password that they use for their bank and brokerage accounts.
HTTP should come with a warning. Furthermore, it would be fan-fucking-tastic if there was some generalizable way to (automatically) audit a website's security practice. Like, a crawler that just runs standard OWASP-style attack-vector checks, and sends an email to the site's owners when one succeeds. And then put that data into a database and warn users (with a browser plugin) when they are creating credentials for sites with bad security.
Next day, I can't log in. I use the "forgot password" link. They send me an email, and it has my password in it! Bad, right?
That isn't all. My password, they said, was "password1". They silently stripped out the special character.
I just about flipped a table at how security-shallow people who build websites can be.
If it seemed like they were doing a hash then compare, I would wonder if they are using the legacy unix crypt that truncates passwords at 8 characters.
And if they did strip it out, that is bad. That's the point.
e.g. Don't assume the email address is owned by the person making the claim. You can sign up for an account with an email and if it's not verified or the verification is mis-clicked or phished into being clicked the original account owner would never know the difference.
Still, at least with OpenID Connect you know your password isn't sitting in plain text.
Perhaps explain to them that many people (unwisely) reuse passwords for many sites... possibly including their banking.
This "dilution is the solution to pollution" argument is the excuse the FAA uses for forcing everyone to use leaded avgas. This should be more of a scandal. The FAA is basically helping maintain a harmful oil company monopoly at the expense of the world.
This is not just about recreational aircraft. For example, 45% of the Canadian commercial fleet is piston engine based. Incidentally, Canada was involved in a test program with the FAA for leaded fuel replacements. The FAA recently dropped out of that program.
We're talking about China, so that's probably not going to work: Chinese users are using Chinese browsers to access Chinese websites. I don't think Chinese browser-makers and website operators are going to take action against their government like that.
It would mitigate attacks from inside China against outside entities, which for somebody not based in China is all I want.
> [Nicholas] Weaver said the attacks from the Great Cannon don’t succeed when people are browsing Chinese sites with a Web address that begins with "https://", meaning that regular Internet users can limit their exposure to these attacks by insisting that all Internet communications are routed over "https" versus unencrypted "http://" connections in their browsers. A number of third-party browser plug-ins — such as https-everywhere — can help people accomplish this goal.
> But Bill Marczak, a research fellow with Citizen Lab, said relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.
> and in case I'm totally wrong, what mitigations are feasible? More trade war such as by compelling ISP's to null-route Chinese businesses like Baidu.com as a form of sanction?
Probably something like this, but I'm afraid of where that would lead.
Then they can view the traffic even going to and from foreign sites who would not comply with an order to share private keys and no safe browsing blacklist (like that would be accessible from inside the regime anyway) will help you.
Addressed here: https://news.ycombinator.com/item?id=21721843
>Shit, they can require vendors include a hardware backdoor, especially since so much of that hardware is produced domestically.
If they're only doing it for local computers, the consequences/response is the same as the previous paragraph.
If they're doing it for foreign computers on a mass scale required for a DDoS attack, it will, if discovered, torpedo their entire electronics sector. All the "ban Huawei" politicians will have a field day with that.
If I'm understanding other comments correctly, browser vendors installing HTTPSEverywhere cuts down the potential for this Great Cannon attack from 7.7 billion users to 1.4 billion. An 80% reduction seems significant.
> In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys.
There's still the risk of MITM identity spoofing of course.
Ultimately, if an attacker has all your keys and controls all your traffic, there's nothing left that distinguishes the attacker from you. No security is possible in that scenario.
These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:
You may want to consider blocking these URLs when not sent over HTTPS."
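An added example, not part of the thread or of any tool mentioned in it: a site operator's audit that lists which subresources of a page would still be fetched over plaintext HTTP, the condition the quoted advice and Marczak's caveat about third-party content both turn on. The sample HTML and every host name in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that pull in a subresource. Scripts, frames and
# stylesheets are "active" content: tampering with them changes page behaviour.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class SubresourceAudit(HTMLParser):
    """Collect subresources that would be fetched over plaintext HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for pairs, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for t, attr in pairs:
                if t != tag or not attrs.get(attr):
                    continue
                # <link> only loads a stylesheet when rel says so
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                # Resolve relative and protocol-relative URLs against the page
                url = urljoin(self.page_url, attrs[attr].strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def audit(page_url, html):
    """Return sorted (kind, tag, url) tuples for plaintext-HTTP subresources."""
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)


# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><head>
<script src="http://stats.example.net/h.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.org/site.css">
</head><body><img src="/logo.png">
<iframe src="http://ads.example.com/slot"></iframe></body></html>"""

if __name__ == "__main__":
    print(audit("http://site.example/index.html", SAMPLE))
```

Auditing the same markup as an `https://` page drops the relative and protocol-relative entries, leaving only the two resources whose URLs hard-code `http://`.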
echo -e "\n\n# Null route the Great Cannon:\n0.0.0.0 baidu.com\n0.0.0.0 qihucdn.com\n" | sudo tee -a /etc/hosts
Thanks (I admit I didn't test it because I use `python3 ./updateHostsFile.py` to take care of /etc/hosts)
A slightly less broad measure that's just as effective would be to block unencrypted http traffic from entering China. Want to get unblocked? Get letsencrypt.
An even better (but slightly greyhat) route would be to inject HSTS headers with the maximum expiry date. This will cause any visitor's browsers to get "infected" with an unskippable warning, forcing them to upgrade no matter what.
Browsers are already moving to explicitly label HTTP sites as "not secure"