Is supported on more platforms, has more developers, more jobs, more OSS projects, is more widely used (Tiobe 2024). Performance was historically better, but c# caught up.
Reified generics, value types, LINQ are just a few things that you would miss when going to Java. Also Java and .NET are both big, that's not a real argument here. Not that I would trust Tiobe index too much, but as of 2025 September C# is right behind Java at 5th place.
My experience was that .NET programs were typically more tunable for greater perf than Java for many years now even if it didn't come free out of the box which generally is what matters with performance. The ability to optimise further what needs to be optimised means that generally you are faster for your business domain than the alternative - with Java code it generally is harder and/or less ergonomic to do this.
For example just having value types and reified generics as a combination meant you could write generic code against value types which usually meant for hot algorithmic loops or certain data structures a big win w.r.t memory and CPU consumption. For example for a collection type critical to an app I wrote many years ago the use of value types would almost half the memory footprint compared to the best Java one I could find, and was somewhat faster with less cache misses. The Java alternative wasn't an amateur one either but they couldn't get the perf out of it even with significant effort.
It also last time I checked doesn't have a value decimal type for financial math which IMO can be a significant performance loss for financial/money based systems. Anything with math, and lots of processing/data structures for example I would find .NET significantly faster after doing the optimisation work. If I had to choose the 2 targets these days I would find .NET in general an easier target w.r.t performance. Of course perf isn't everything depending on the domain.
LLMs are learning in a very similar way humans are learning. So if humans can read a text (or view a video), learn from it and then use the knowledge to produce something, so can LLMs?
Copyright laws have quite strict rules on what constitutes a copy, and this was tested in courts many times. This rules also apply to works produced by LLMs.
That's a load of hogwash. Humans are only allowed to learn from books they buy or loan from libraries. We can't download books en masse from the interwebz just because we want to learn something. We're also not allowed to read stuff on websites and then regurgitate it verbatim pretending we made it. We can't even make songs that are vaguely similar to songs thag other people have made, even if they've been dead for a good while.
You must be using a dynamic language with a heavy framework? Rails maybe?
I code in Go mainly (also Java and Rust) and never experienced what you describe: simple addition of a field to a struct does nothing if not used in code. And the use is simply checked by compiler.
However, I did work alongside a Rails team which had major gripes with this. They called it brittle tests: whenever they made a simple change (like adding a field), half of their tests would fail. This really lowered devs' confidence in their codebase and slowed the changes to a halt.
If I come to your house, destroy your door, steal your mom's dinner for 4 ppl, are we both cheating?
How about we compare with something actually worth comparing for? For example switching channels when there's the ad break, or turning the sound off, etc.
When I download something, I'm not "stealing it". When I block an ad, I'm not stealing either. I didn't remove 10$ from Google's bank account that was there before.
I signed a contract with my local power company, which I would be breaking if I did not pay them. I signed no such contract with Internet Historian.
That said, I appreciate it when content creators provide alternative ways to support them. I support dozens of creators with monthly donations and I occasionally buy merchandise when they're selling something I'm interested in. Just don't waste my time with ads.
Ah the old "physical objects work the same as digital copies" argument. Yes I would download a car. You can still drive yours. I was trying to pay you for use of the car but you insisted I drive around your deadbeat family and pay for the drive through that I don't eat.
This a a very different situation. Stores are selling products or services, and they explicitly put prices on the products.
Content available freely online is much different, as there is no price and at best the hope is that the consumer sees an ad or sponsorship and that the content creator has accurate analytics as to how many saw the ads.
Your analogy would be more akin to someone stealing access to paywalled content somehow. In that case a price was put on the content and someone took if anyway, much like shoplifting.
I'm not saying that ad blocking isn't stealing, there could be a case for that especially if T&Cs specifically require that ads aren't skipped, blocked, or avoided.
My only point there was that shoplifting and ad blocking are very different things. Stores don't make their products freely available to anyone willing to walk past enough ads along the way.
If you are concerned by this proposals, then you should check out current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in MITM attack.
For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA
The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they:
1. have ability to capture IP traffic (requires cooperation with ISP)
2. have ability to generate rogue certificate via cooperation with CA
> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.
Thats reassuring but, not knowing much about this, I have a couple of questions:
1. Is this proactively monitored for? And how? And by whom?
2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.
It looks like the Symantec distrusting was done with the cooperation of Symantec, which agreed to wind things down and transfer clients to a new provider in an orderly fashion?
If you're a domain owner monitoring your own domains, a certificate is suspicious if it was not issued by one of the CAs that you use (e.g. you use Let's Encrypt, but you see a certificate for your domain in CT that was issued by Certinomis). If you keep an inventory of all of your certificates, then you can also cross-reference certificates from CT against your inventory, and flag any certificate that isn't in your inventory.
If you're a security researcher monitoring other people's domains, you have to rely on heuristics - e.g. if a domain has a long history of getting certs from a major US CA, and then suddenly a tiny European CA issues them a certificate, that's pretty suspicious. When I found the example.com certificate misissued by Symantec, I though it was suspicious because it was also valid for subdomains like products.example.com and support.example.com, which don't make sense for a domain that's reserved for documentation purposes. ICANN operates example.com, so I emailed their security team to confirm that they did not authorize the certificate.
The system works best if domain owners are monitoring their own domains, because only they know for sure if a certificate is authorized or not.
In some very prominent countries there are laws with extreme consequences which not only prevent companies from contesting and not complying, but even prevent them ever disclosing such requests.
True, but then they will be found out and distrusted. So basically they'll lose business because of the government of the country they are established in.
That's your smoking gun? CAs that issued certificates for example.com and test.com? You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?
> You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?
Care to point out where I said that?
example.com and test.com are real domains, and their owners did not authorize those certificates to be issued, so issuing them was a serious breach of the trust which CAs are expected to uphold. Furthermore, the discovery of these certificates led to investigations which turned up additional issues which are documented in detail here:
> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
Pretty much every browser distrusted the root certificate from Spain's FNMT-RCM for a decade, so I think the answer's yes.
It's not like Beijing CA can issue a rogue certifcate and suddenly a malicious actor would be able to decrypt all your internet traffic. You would have to connect to a service that uses those certificates in the first place.
An interesting experiment would be to log all certificates used by the sites you normally use, say for a month, and then look at the list for anything shady. I have no ideia if an extension exists that would allow such and experiment, but the resulting list would be much more useful.
No, that's not needed at all. If the malicious actor can man-in-the-middle traffic to victimsite.com (say using a BGP hijack), they can serve HTTPS traffic to the end user from their MITM server, secured with a certificate issued to "victimsite.com" that is issued by their own CA, and the MITM can then in turn communicate to the real victimsite.com using HTTPS secured by the real site's certificate, signed by its own CA.
Now, there are CAA DNS records, which serve the purpose of restricting the CAs that can sign a particular domain, which would of course be ignored by the malicious actor, but _could_ be checked by the end user's browser. But to the best of my knowledge, no browser does that.
But if your own government tells your own isp to reroute just your traffic over some MITM proxy, it's only you there to notice, and most probably, you won't.
You are correct that no browser is looking at CAA records, because it would be wrong to do so. CAA records don't retroactively revoke certificates that have already been issued. Their only purpose is for CAs to check them before issuing a certificate.
In the case of mainland China, it’s easy for the Party 1) issue a malicious certificate and 2) redirect your Internet traffic to MITM box. They do 2) for all the time when blackholing Internet traffic.
With certificate logs there is a chance, I don’t know how high, to catch 1).
You lose nothing, gain nothing. It's hard for china to reroute your traffic, and even if they did, what can they do to you after that?
It's your own government that can actually do something bad to you.
(unless you're doing some really really nasty stuff, and china wants to eliminate you for those reasons, and is willing to create a large international incident because of that).
>and even if they did, what can they do to you after that?
An example of what China can do is they can have their workers put pressure on you. Often this pressure is soft, nothing as direct as 'do X or we hurt you with Y'. And often the request, at least at the start, is for something legal and only a bit unethical if even that. A little information to help win a contract, maybe a way to advertise to you why you should go with their vendor for a product, maybe just asking you if a specific coworker seems to have any interest in some odd topic or passing you a resume of someone who seems a good fit for the job. If they can they'll push for more with increasing levels of silver and lead, and if not, they use what they did get to pressure elsewhere.
Unless it's gotten better, it's super easy for China.. My traffic to EU World of Warcraft servers got hijacked all the time. I don't know if it was malicious or just incompetent Chinese ISPs, but you feel that extra latency when it goes through China.
But this wasn't a bgp redirect, this was blizzard doing something... if chinese telcos acted as if they were blizzard telcos, there would be bgp filters and a lot of outrage in a matter of minutes. This is not a small deal.
I think this is a matter of assumption. For communication through mainland China, one should assume that all internet traffic is actively surveilled with probably way easier methods than CAs. On the other hand, this assumption is definitely not as true in the EU, nor do I think the Chinese government forces Firefox to trust CAs by law (talking about irony)….
The browser/CA forum’s requirement to log all issuances into the CT log takes care of this; the EU mandate hardly has such requirements while still mandating the inclusion of root certs. The approach of the browser/CA forum vs EIDAS cannot be equated for this reason.
Yes it does but we also have satellites mapping those shifts so it could be accounted for. The big question is are those fine grained enough to resolve the errors in modern INSs.
Wouldn't that then require communication with those satellites to receive the shift/drift info? Doesn't that eradicate the point of a navigational system without reliance on GPS/satellites?
Or is the drift is so minor that this quantum navigation system can operate for up to 6 months without sufficient core drift alignment calculation?
reply