6 posts • joined Friday 22nd July 2011 14:54 GMT
While disabling RC4 is a good idea in theory, in practice it's impossible when running Windows Server boxes that are not 2008+. Windows Server 2003, while still in extended support until July 2015, only supports TLS1.0 which has a small number of ciphers; RC4 is the only cipher it does support that doesn't use CBC, so turning it off isn't an option if you need to run SSL. All the Windows 2003 CBC ciphers are worse than RC4 given how BEAST demonstrated their inherent weakness, and various patches and KB articles released shortly after BEAST resulted in the two RC4 ciphers (TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA) being the only two left available. For some companies upgrading all their servers to Windows 2008/2012 right now just isn't a realistic option. If the charts at http://w3techs.com/technologies/details/ws-microsoftiis/all/all represent a realistic spread of IIS versions, then 42% of websites running Windows are on 2003/IIS6 (which represents around 6% of all websites in the survey), which is still a significant number of servers worldwide. Given Microsoft is supporting Windows Server 2003 for almost 2 more years, and that they're urging RC4 to be disabled, where is their announcement about a patch for 2003 to add TLS 1.2 support? After all, this would constitute a security risk, and therefore require a security fix, wouldn't it?
Ah, now I've read a few more articles I see what Visa are planning - aggregating offline purchases in an "area" with the types of purchases made (which would still have to assume that a purchase at Tesco would be for groceries rather than a new TV, for instance) and then the advertisers would use geo-location (most likely by IP address as there'll be little else to go on without any personal data) to figure out which area you're in and show ads ... so if you live in an area with a large number of people buying things at Pet City then you'll end up with pet related ads. Short term looks like it'll be an utter waste of time for advertisers; geo-location is often a mess, my home IP comes up as being around 200 miles from where I live, and my work one about the same distance from where I work ... and ads based on aggregated data will be irrelevant for most browsers as the ads will be based on offline sales, not online, which likely has a wildly different purchasing demographic (I buy food in Tesco but never online, for instance, so online ads for food wouldn't give me a sudden impulse to buy food online).
Maybe it's not April, but Visa/Mastercard will be having the last laugh with this.
Without a major overhaul of the payment network protocols this isn't going to be feasible. I've implemented 3 different payment systems over the past few years, and while one had the option to include a description of what was being purchased I've never seen a reason to include it. All that Visa/Mastercard would see would be a merchant reference, the card details, and an amount - how are they ever going to figure out what has been purchased? Amazon (or Tesco, or any other retailer selling a wide variety of items), will likely have 1 merchant services account for all transactions, so if you spend £10 with them there's no way to identify what that £10 was spent on - it could be books, DVDs, shampoo, food, toys, paint, anything!
So, we're back to the first line - a major overhaul of the payment network and forcing all retailers to specify merchandise category codes in transactions. Considering that the payment network doesn't even handle addresses (only address numerics are passed around as the system doesn't support non-numeric values) there's little chance of adding a system to handle these codes in the foreseeable future, and even then a significantly smaller chance of retailers implementing these codes as that would require major changes to all commerce platforms.
Is it April already?
SSL certificates use 2048 bit keys (at least that's the recommended minimum in certificate requests for general use) but the actual SSL/TLS data encryption is still only 256-bit or 128-bit for the major ciphers in use. Take Google.com for example - right now it has 256-bit encryption using AES256-SHA, 168-bit encryption using DES-CBC3-SHA, and all the other ciphers are 128-bit. Certificate key size is not the same as the encryption key size.
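An added example that is not part of either post above: it audits a cipher list the way a defender would, bucketing suites into AEAD, CBC and RC4 (the RC4-vs-CBC bind from the Windows 2003 post) and reporting symmetric key sizes separately from the certificate's RSA key size (the point of the post above). It assumes the field names of Python 3.6+'s ssl.SSLContext.get_ciphers(); the two suite lists are constructed from the suites named in the posts, not captured from a real server.

```python
import ssl

# Constructed sample entries in the shape returned by ssl.SSLContext.get_ciphers()
# (only the fields used here). WIN2003_LIKE models the post's description of a
# TLS 1.0-only server whose sole non-CBC option is RC4; MODERN adds an AEAD suite.
WIN2003_LIKE = [
    {"name": "RC4-MD5", "alg_bits": 128, "aead": False, "symmetric": "rc4"},
    {"name": "RC4-SHA", "alg_bits": 128, "aead": False, "symmetric": "rc4"},
    {"name": "DES-CBC3-SHA", "alg_bits": 168, "aead": False, "symmetric": "des-ede3-cbc"},
    {"name": "AES128-SHA", "alg_bits": 128, "aead": False, "symmetric": "aes-128-cbc"},
    {"name": "AES256-SHA", "alg_bits": 256, "aead": False, "symmetric": "aes-256-cbc"},
]
MODERN = WIN2003_LIKE + [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "alg_bits": 128, "aead": True, "symmetric": "aes-128-gcm"},
]

def classify(suite):
    """Bucket one suite by its record-layer cipher: 'aead' (neither the BEAST-style
    CBC weakness nor RC4's keystream bias), 'cbc', 'rc4', or 'other' (unknown/null)."""
    if suite.get("aead"):
        return "aead"
    sym = (suite.get("symmetric") or "").lower()
    if "rc4" in sym:
        return "rc4"
    if "cbc" in sym:
        return "cbc"
    return "other"

def audit(suites, cert_bits=2048):
    """Summarise a cipher list. symmetric_bits are the key sizes that actually
    protect the data; cert_bits is the certificate's RSA key size, reported
    alongside only to show that the two are different quantities."""
    buckets = {"aead": [], "cbc": [], "rc4": [], "other": []}
    for s in suites:
        buckets[classify(s)].append(s["name"])
    return {
        "buckets": buckets,
        "symmetric_bits": sorted({s["alg_bits"] for s in suites}),
        "certificate_bits": cert_bits,
        # The Windows 2003 bind from the post: disabling RC4 would leave only CBC.
        "rc4_is_only_non_cbc": bool(buckets["rc4"]) and not (buckets["aead"] or buckets["other"]),
    }

def audit_local_openssl():
    """The same audit over the suites Python's default TLS context would offer."""
    return audit(ssl.create_default_context().get_ciphers())

if __name__ == "__main__":
    for label, res in (("2003-like", audit(WIN2003_LIKE)), ("local OpenSSL", audit_local_openssl())):
        print(label, res["symmetric_bits"], {k: len(v) for k, v in res["buckets"].items()},
              "RC4 is the only non-CBC choice:", res["rc4_is_only_non_cbc"])
```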
... double tray BD player required??
@Blake, you could have picked up the SW DVDs that contained two discs per film, one with the special edition and one with the original theatrical cut - the latter not being anamorphic and only 2.0 audio, but much better than a VHS conversion.
As to LotR, I was looking forward to the BD extendeds because I'm a lazy git and don't want to have to switch discs halfway through the films like I do with the extended DVDs. But thanks to the inclusion of 4 commentaries on each film they've been split across 2 discs each again. I don't give a stuff about commentaries; I'd be much happier with the extended movies on 3 BDs without the duplicated discs from the DVD releases (I've got those already too from the collectors' DVD sets as well as Minas Morgul and the King's crown that were available for a limited time from Sideshow with the order form in Return of the King).