Re: Is that possible to port nodejs with gecko javascript engine?

2015-05-16 Thread voracity 
On Sunday, May 17, 2015 at 4:06:49 AM UTC+10, Yonggang Luo wrote:
 I've found Microsoft already done that.

Are you referring to what's mentioned here: 
http://www.theinquirer.net/inquirer/news/2408531/microsoft-confirms-it-will-make-nodejs-play-nice-with-window-10-because-iot
 ?

Has Mozilla joined the Node.js Foundation? Or have plans to? I think that would 
be a prudent thing to do at this point, given the foundation may end up having 
a significant influence on how JavaScript and its ecosystem evolves.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to deprecate: Insecure HTTP

2015-04-23 Thread voracity 
Just out of curiosity, is there an equivalent of:

python -m SimpleHTTPServer

in the TLS world currently, or is any progress being made towards that?
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS

2014-11-19 Thread voracity 
On Wednesday, November 19, 2014 11:12:42 PM UTC+11, Gervase Markham wrote:
 https://letsencrypt.org/ .

When I first saw Let's Encrypt (the very next day after my post) I got excited, 
but when I read how it works, I got even more excited. There's still things it 
doesn't (seem to) solve (localhost/intranet apps and possibly 
internet-of-things as well as CA centralisation), but coupled with good TOFU, 
it covers most of the things that matter to the little people of the web.

I still object to carrot-sticking people to use https. We don't carrot-stick 
people to use open source, even though many of the key arguments for doing so 
would be quite similar.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-11-17 Thread voracity 
On Friday, November 14, 2014 6:25:43 PM UTC+11, Henri Sivonen wrote:
 This is obvious to everyone reading this mailing list. My concern is
 that if the distinction between http and https gets fuzzier, people
 who want encryption but who want to avoid ever having to pay a penny
 to a CA will think that http+OE is close enough to https that they
 deploy http+OE when if http+OE didn't exist, they'd hold their nose,
 pay a few dollars to a CA and deploy https with a publicly trusted
 cert (now that there's more awareness of the need for encryption).

Could I just interject at this point (while apologising for my general rudeness 
and lack of technical security knowledge).

The issue isn't that people are cheapskates, and will lose 'a few dollars'. The 
issue is that transaction costs http://en.wikipedia.org/wiki/Transaction_cost 
can be crippling.

Another problem is that the whole CA system is equivalent to a walled-garden, 
in which a small set of 'trusted' individuals (ultimately) restrict or permit 
what everyone else can see. It hasn't caused problems in the history of the 
internet so far, because a non-centralised alternative exists. (An alternative 
that is substantially more popular *precisely* *because* of transaction costs 
and independence.) This means it's currently a difficult environment for a few 
mega-CAs (and governments) to exercise any power. A CA-only internet changes 
that environment radically.

I'm unsurprised that Google doesn't think this is an issue. If they do 
something that (largely invisibly but substantially) increases the internet's 
http://en.wikipedia.org/wiki/Barriers_to_entry , it reduces diversity on the 
internet, but otherwise doesn't affect Google very much. (Actually, it may do, 
since it will make glorified hosting services like Facebook much more popular 
still over independent websites.) However, there is a special onus on Mozilla 
to think through *all* the social implications of what it does. Security is 
*never* pure win; there is *always* a trade off that society has to make, and I 
don't see this being considered properly here.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform