I need to renew my driver's license. I noticed I can pay online, which would save me a lot of time, so I happily entered the Ministry of Transportation website. I did not end up renewing my license.
Even if I ignore the hideous design and the terrible UX, the thing that bothered me the most was that the connection was not encrypted, no TLS, only plain text HTTP.
Obviously I'm not going to type my ID number, license number, date of birth and credit card number over plain text HTTP, so I poked around a bit. The first thing I tried was to just change http to https, to see if they have TLS, but firefox gave me the "connection reset" error.
I searched and found their security FAQ page claims they have SSL, so I fiddled around a bit and discovered that they use SSLv3 with the RC4 cipher, which is, of course, well known to be easily decipherable and insecure (Firefox gave me the connection reset error because I installed the Mozilla extension to block SSLv3, but newer versions of Firefox will block it by default).
I decided to try and poke a bit more, so I set the minimum SSL version to SSLv3 in my browser just for few minutes, only to discover they use an untrusted certificate.
Now, it might be that if I type my ID number, license number and date of birth I'll get transferred to a 3rd party credit card processing page which has a trusted certificate and proper TLS, but I didn't try - ID number, date of birth and license number are not things I'm going to type over an insecure connection for obvious reason.
Now instead of conveniently renewing my license from the comfort of my own computer, I need to go to a mall which is not accessible by public transportation and use an automated machine (which I don't know if I can trust) or go stand in line at the bank.
So, as you can imagine, I'm a bit angry.
I would like to know their answer, may be we can make them understand that this is an important matter to at least some of us by making a system that will do all the work securely and show that people use it, in time, they might understand the importance (worked on other occations, with the train if I'm not mistaken)
Also phones are devices in which you use your voice to talk with other people, which is already terrifying even without the security flaws
They have a patch that would prevent it from happening. They won't merge it because "it should never happen".
But bugs exist in every piece of software. Software breaks frequently. The least you can do is when it breaks, make sure it breaks gracefully.
Dumping hundreds of megabytes of text into my system log is not considering handling things gracefully. It means my system log would be harder to navigate and read, it means my log will bloat faster than it should.
Also consider this: the data dumped into the log is contents from PDF files all over the system. That's not just ebooks! sensitive medical/financial documents, legal document, paychecks, and other types of documents you'd want to keep private would be dumped into the log. This means every time there's a problem and I need to post my log, I need to validate bits of my documents didn't find their way into the log. This means that on a multi-user system any user who has access to the system log would have access to everyone's PDF files.
This is not OK. And besides, if you have a bug in something making a query, you really don't need the full text of Discworld to debug it, right? So why not limit the output?
The Humble Music Bundle (pay what you want and help charity)
Pay whatever you want to get albums from Christopher Tin, They Might Be Giants, Jonathan Coulton, MC Frontalot, Hitoshi Sakimoto, and OK Go
Ladies and gentlemen, set your alarms! | Raspberry Pi
Raspberry Pi. An ARM GNU/Linux box for $25. Take a byte! Main menu. Skip to primary content. Skip to secondary content. Home · About us · Co
Re: [Regression w/ patch] Media commit causes user space to misbahave (w...
On Sun, Dec 23, 2012 at 6:08 AM, Mauro Carvalho Chehab wrote: > > Are you saying that pulseaudio is entering on some weird loop if the > ret