It's for kids!
1639 posts • joined 11 May 2007
Yes, but the example code just uses a load of different prefixes on the same domain. Then you just use script to access each sub domain in turn using http and if the browser uses https instead then you know that bit is set.
Ok, it's not very clear from the article but as far as I can tell it's to do with using the fact that a single site is HSTS enabled as a bit and storing an identifier by hitting lots of sites.
So (I think) the idea is you set up 8 domains for example (to hold a byte). Hit each in turn with a url containing a flag to ask the server to respond with "HSTS enabled" to store a 1 or "HSTS disabled" to store a 0. Then later the code attempts to read those sites again without the flag and using http. The server responds indicating whether the connection was https or not and you can reconstruct your byte with that information!
Yeah, as Google responded "defeating such fingerprinting is likely not practical without fundamental changes to how the Web works". For once I agree with Google. Gah!!!
So reading up on this on Wikipedia and others I see that HSTS is effectively an https only header that tells a browser to i) communicate with the domain using only https for a specific time and ii) interpret any secure transport errors as meaning it should stop communication immediately. The header is ignored on http requests and shouldn't be sent.
So in normal use there is a potential for MITM attacks during your first contact with an HSTS site as the redirect to https happens with the usual 301. Once you connect with https you get the special header and your browser knows to always communicate to the domain using https, making further MITM attacks very difficult.
No where in that is there any requirement for this information to be shared with any other domain, or any advantage to doing so. I don't see anywhere in there a requirement for a magic number between the domain and the browser. What this generates is a private list of sites and durations that the individual browser uses to force https on certain sites.
So how did this become a tracking issue?
Sorry, that explanation doesn't really help.
What is the "it" you're referring to?
The article says:
>> His point is that an HSTS “pin” is set for each HTTPS-redirected site you use, it's unique to user and site, and it's readable from your browser settings by any site <<
That looks like a domain issue, specifically "it's readable from your browser settings by any site". Is the article wrong? What am I missing?
Exactly! Isn't the issue here about boundaries not protocols? Why can other sites see a domain specific secret?
No, it doesn't. What you're talking about is to do with your attitude to artists and whether you think they're cool or not. Artists change over time and success can definitely change them, but it's much more complex than "successful = bad, underground = good". Step away from that and just start listening to the music. Maybe you'll find there are successful acts you actually enjoy listening to, even though they're trying to make music other people like. Some times when an artist tries to make music people like they succeed!!
Forsooth, good sirrah, for surely that is an impossible task. But nevertheless, one can listen to said track and dislike it without expounding on it's vagaries in the comment section beneath. If one does indeed post in such a manner, then one should not take offence if a gentle ribbing ensues....
Why do people insist on listening to music that you don't like? Fucking idiots.
And what do you use when you need to get over yourself? I assume lifting gear is required....
Purchase it now and you are buying it, those who got it from KickStarter were funding it's development in return for a copy of the game. If you can't tell the difference then maybe you shouldn't be on kickstarter.
So everyone who disagrees with you is insane? Seems unlikely....
Am I? Of course I must be, what other reason could there possibly be to criticise Google?
And we're sure the monkeys in control of Google will be better why? Because they don't even have to scrape through an election to get in power? As long as they make money, that must be good for the country?
It's fine to spend your money for the results you want, but be honest about it, don't pretend it's for the greater good.
Well, that's ok then, convenience trumps monopolistic abuse every time.
You talking to us or your testicles?
>>So investing in the future of the country by providing training and research facilities <<
Is that what they're doing? You sure they're not just investing in the future of their own company? Wouldn't someone who wanted to invest in the country be a bit less desperate to avoid paying tax?
Oooh, you are gonna get SUCH a downvoting for that!
Instant downvote. Just sayin'.
Sweet! Make users carry signs!!
(Signage? What is it with the desire to use a fancier sounding word? They're signs, not "signage"!)
You better mean that as "slowing" and not "mentally disabled". As a term of abuse it's unacceptable. Rein it in.
Of course they shouldn't. Those are three groups of people we can definitely trust to behave themselves correctly at all times.
It would be good to see Mr. Pointy back in action!
Not every youtube "how to unlock your phone" video is genuine....
Yeah, like a shotgun is handy for shooting yourself in the face. Those two are starting to make the endless re-runs of "Two Pints of Lager" seem bearable...
The main reasons I prefer it is that it's better at autocomplete (sharp seems to lose this ability at the drop of a hat and wants recompiling before getting it back) and better at showing errors (vb tends to flag up the line that causes the issue, sharp often flags all the references to the bad line as well, making a simple job in B much trickier in sharp). Doesn't stop me working in sharp, but it does make me wonder why B is still better at these specific things....
Sharp does late binding better! (Didn't think I'd ever be typing that....)
Yes, for now. They could change that, but that would be them ignoring the "only share this with friends" flag. That would be creepy. Allowing me to search posts you've already shared with me is not creepy in any way.
I'm not standing up for facebook, I don't use it, but the daily mail style knee jerk headlines and typical ill thought out responses posted here get on my tits.
OOOh, creepy! Except, not at all creepy as people have to share stuff with you for you to be able to search it.
That is some top quality sarcasm! Nice!
According to the article:
we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total);
we achieved native code execution (ability to issue arbitrary library / system calls);
Sounds like a security fail.
Ah, of course! I knew Google couldn't be responsible for this!
No, they're wrong when they try to shut us down AND when they work with us!
The only safe way is to go back in time and nuke them from orbit in 1990!
...is fine for Youtube. Bizarre how little the law has to do with it.
I'd say the capability to upgrade without the need to sideload or do a factory reset would get it a little closer to perfection....
Trevor, seriously, get some help.
Remember opening the Yellow Pages and seeing all those other Yellow Pages services promoted over the competition?
No, me neither, because it didn't happen with Yellow Pages but is a fundamental part of this discussion about google... Reality.
Yes, I know. Only a moron would think the fact that their search is good means that they should be able to finagle themselves up the results list when they have a product to sell.
You didn't address my point, which was that there is a conflict of interest between the best search results for the user (ie. most relevant) and for google (ie. promotes their other products). Care to engage on that?
They're returned with prominence in the search results. Is it the excellence of their services that put them at the top of the list? Is it Google pretending to do just a search while shoe horning in ads for their own services that results in their services prominence?
Surely anyone can see there is a potential for a conflict of interest here. It's not tricky.
Google don't just return 1 result per search. They could easily put some business promotion results in with the actual search results.
Google's central business plan MUST be to continue to work for its customers, the advertisers that provide it's revenue. Meaning it has to keep it's users onside enough to be a valuable advertising base, no more than that.
I'm not suggesting that all Google do is promote themselves, they do a ton of stuff I use and appreciate, but I'm not so enamoured with them that I'll pretend there's no conflict of interest when users search for a service that Google and it's competitors both provide.
Indeed, but there's a difference between discriminating based on the words I type in the search box and discriminating based on your business plan. To conflate the two, or to make out that the first naturally leads to the second, is ridiculous.
however the drinker likes it!! I don't like mine cold but I definitely don't want it watered down thanks.
The three options are "Sleep", "Shut down" or "Restart", there is no hybrid sleep menu choice.
>> In Windows 8, the default shutdown behavior puts the system into hybrid shutdown <<
But you can go to power options and turn off "fast start-up" to change this so you may well have disabled it. My Laptop boots in 6 seconds with fast start on, and 12 without. If you're managing 2 seconds for a real boot you have a very fast pc... Have you tried it from a reboot without updates to see if it's still 2 seconds?
No, it really doesn't shut down when it does that, it's in what I believe they call a "hybrid sleep" mode. If you want to see how fast it boots from cold you have to hit restart, then you get a genuine reboot.
I'm not slagging it off, I like this behaviour, means it comes on quicker, but it's misleading of MS to not make it clear that this is different behaviour to all previous versions of windows.
Easy, because Google said so!
Can I have that back now please? Not sure how you got it in the first place....
He didn't THINK OF THE CHILDREN!!!!
But it's a non-issue, not a none issue, so it has an extra "e" and a missing "-".
Thank fuck for that!
The last bastion of the patronising and pompous, apparently....
Complications are not "unknowns".
I'm not saying it's not complex, I'm sure it's ridiculously complex, but the complexities aren't secret.