Indeed. Hopefully browser vendors will consider this certificate for explicit blacklisting using their proprietary channels. (I've already asked.)



Done in Chrome with CRLSet 2140.



Does anyone know if there is a way to blacklist a certificate on a Windows 8.1 machine? To me, managing certificates between the OS, IE, Chrome and Firefox is a bit of a joke in 2015. Besides blacklisting, I would love to know of a script that will output the certificates that the PC has trusted but are not trusted by Verisign.



Both Internet Explorer and Chrome use the system's certificate store. So you "only" have to manage the OS and Firefox.



No. Certificate Transparency [1] might eventually make it possible, but it's still early days. A much wider adoption is needed.

[1] http://www.certificate-transparency.org/



If you're going to change your messages after posting them, at least disclose that you did so. Some of the replies don't make sense with the new content you added.



I don't think it's that easy. My book on Amazon currently has one 5-star review that's just one word and two 5-star reviews with two words each. I am the author and the publisher, and I know for a fact that these reviews are not fake. But they probably come across as fake. I think that there are some people who just want to share their opinion of a book without making an effort to write a good review.

Personally, I'd prefer to have only reviews backed up with an explanation. If a book is good, tell me why. If it isn't good, I'd like to know why you think it isn't. That's the only way to make the next edition better.

-----


I have noticed an increase of reviews that typically contain a subject of "<Number> Stars", and either no review body, or a very short review body, such as "good book".

I too hate reviews like that, but I think it's due to Amazon nagging customers to leave reviews for things that are purchased on the Kindle. I am beginning to suspect they have an app or form somewhere where you tap the number of stars and write your review in a text block.

-----


The Kindle prompts to "Rate this book" when you reach the end of an e-book. It doesn't give you the option to enter a review, but only to select the number of stars.

-----


They definitely do! I get follow-up e-mails for most of my Amazon purchases which direct me to just such a form.

-----


There is. MyBatis, which is a minimal ORM that aims to keep you as close to SQL as possible, has support for dynamic SQL: https://mybatis.github.io/mybatis-3/dynamic-sql.html

Edit [responding to moe, below]: that's a matter of taste. I prefer to have my SQL _outside_ my code. If I have to write a little XML to make it happen, so be it. Additionally, unlike your example, a strict separation of SQL and data ensures SQL injection is not possible. That's also a worthy goal.

-----


MyBatis

Does MyBatis have an API similar to what I outlined above?

Because the page that you link to shows a horror that I can't even begin to describe:

  <select id="findActiveBlogWithTitleLike"
       resultType="Blog">
    SELECT * FROM BLOG
    WHERE state = 'ACTIVE'
    <if test="title != null">
      AND title like #{title}
    </if>
  </select>

SQL mixed with proprietary XML soup? Talk about combining the worst from all worlds...

-----
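The two comments above disagree about the XML, but the security point in the earlier one (a strict separation of SQL text and data makes injection impossible) is independent of MyBatis. The following is an added example, not code from the thread or from the MyBatis project: it reproduces the `findActiveBlogWithTitleLike` query in plain Python against an in-memory SQLite table, with the optional `title` clause appended to the SQL text exactly as the `<if>` fragment does, while the value itself is always passed as a bound parameter (the role `#{title}` plays in MyBatis). A concatenating variant is included beside it to show what the bound parameter prevents. The table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny BLOG table.
_SAMPLE_ROWS = [
    ("ACTIVE", "Intro to TLS"),
    ("ACTIVE", "Hardening OpenSSL"),
    ("DRAFT", "Unpublished TLS notes"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BLOG (id INTEGER PRIMARY KEY, state TEXT, title TEXT)")
    conn.executemany("INSERT INTO BLOG (state, title) VALUES (?, ?)", _SAMPLE_ROWS)
    return conn


def find_active_blog_with_title_like(conn, title=None):
    """Safe dynamic SQL: the optional clause is appended to the SQL text, but
    the user-supplied value is always passed as a bound parameter, so the
    driver never parses it as SQL (the equivalent of MyBatis's #{title})."""
    sql = "SELECT title FROM BLOG WHERE state = 'ACTIVE'"
    params = []
    if title is not None:  # mirrors <if test="title != null">
        sql += " AND title LIKE ?"
        params.append(title)
    return [row[0] for row in conn.execute(sql, params)]


def find_active_blog_with_title_like_unsafe(conn, title=None):
    """The pattern the thread warns against: data concatenated into the query
    text. Any quote character in `title` changes the statement's structure,
    here turning the state filter into a no-op and exposing the DRAFT row."""
    sql = "SELECT title FROM BLOG WHERE state = 'ACTIVE'"
    if title is not None:
        sql += " AND title LIKE '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    print(find_active_blog_with_title_like(conn))           # all ACTIVE rows
    print(find_active_blog_with_title_like(conn, "%TLS%"))  # filtered by title
```

Note that the safe version still builds SQL text dynamically; what makes it safe is that the only thing spliced into the text is a fixed fragment the developer wrote, never the caller's value. That is the distinction the MyBatis `<if>`/`#{}` pair encodes, and it holds whether the query lives in XML, in an annotation, or in a Python string.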


Get rid of the XML and you have a good start, I'd say.

-----


I think the most important lesson from the last couple of years is that all our security protocols must come with adversarial testing suites -- from inception. Clearly, there's a long way between designing a secure protocol (I am not saying that SSL and TLS were properly designed) and implementing one.

-----


I think the NSA's clandestine backdooring of hardware, software and standards, in contradiction of their charter, shows that the processes and organizations producing and shipping those protocols, software and hardware also need adversarial testing.

-----


Yeah, I would have hoped that tests involving skipped or out-of-order protocol flows would have been part of their normal functional testing.

I remember reading a while back about NASA's testing procedures, and they have a team whose sole job is finding bugs in the code produced by the other development teams. It seems like that structure should be adopted for these security-critical projects. Ideally the open source community is supposed to help out with the reviews, but in reality it needs to be someone's whole job.

-----


Well, actually you can, but only as part of Bulletproof SSL and TLS. OpenSSL Cookbook is Bulletproof chapters 11 and 12, plus SSL/TLS Deployment Best Practices (another guide I wrote) in the appendix.

Or, you can simply print it yourself. At 94 pages, it's easily doable.

-----


Where can I buy Bulletproof SSL and TLS?

-----


You can get it directly from me (Feisty Duck is my small publishing business) here: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ This is the best option, because you get all digital formats (PDF, EPUB, and Kindle; there's no DRM), unlimited digital updates of the same edition, and a paperback if you want it.

You can also buy it in paperback from Amazon and other online stores, but you can get the digital formats only from Feisty Duck. That said, it's possible to upgrade your paperback for a small fee.

-----


Just as an aside: the SSL Labs test is slow on purpose -- that's how we stay under the radar and avoid too many complaints from server operators. That said, it's a common complaint and I intend to optimize some operations in the next major version.

-----


My book, Bulletproof SSL and TLS, is available at 50% with the coupon BLACKFRIDAY: https://www.feistyduck.com/books/bulletproof-ssl-and-tls/bla...

Please note that the discount on the bundle (paperback and digital formats) is about 48%, due to the coupon limitations of Shopify. For full disclosure: we currently have a small discount for everyone, and the coupon adds 40% on top of that.

-----


I built a similar single-source publishing workflow to publish my books, but it's based around DocBook. I am very happy with DocBook because it has all the features I need for technical publishing (styling, indexing, cross-references, etc). For writing I use OxygenXML, which allows me to edit text without working with XML directly and -- crucially -- supports change tracking that makes working with editors/copyeditors a breeze.

To get good results from FOP you really need to dig deep into the XSL stylesheets. The amount of customisation work is usually not that big, but the problem is that you need to learn a lot about the stylesheets to know how to make the changes. If you don't already know XSLT the learning curve can be steep. The change-build-test process is very slow, especially when you're essentially guessing where to make the changes. (Which, for me, happened most of the time.)

I was happy with FOP, but eventually moved to a commercial product: 1) I wanted to use OpenType fonts, which generally offer better quality and support a wide range of languages, 2) full support for ligatures, 3) better handling of SVG illustrations (FOP's integration with Batik is clunky and makes it very difficult to use the same fonts as the main document), and 4) better indexes.

-----
