You probably didn't notice, but he went through and updated each page to work on mobile devices. It's amazing how much effort and love he puts into this site: https://www.seat61.com/mobile-version.htm
It seems pretty clear that there is a reason why they got the leaks - they paid attention:
> Obermayer told me that his source for the Panama Papers, whom he refers to as John Doe, had tried to get the attention of several large international outlets, including a U.S. paper, before he got in touch with him. “The leaker didn’t say, ‘Here’s the biggest leak in history, are you interested?’ ” Obermayer said. The first documents that John Doe offered him were not journalistically compelling, at first glance. But Obermayer recognized that they had come from Mossack Fonseca, which he knew operated in extreme secrecy. “I thought, If somebody has obtained data from inside Mossack Fonseca, this could be really interesting,” he said. Knowing the implications of the firm’s name, Obermayer speculated, may have been why he ended up with the Panama Papers.
On the contrary, because I bought the Nexus 6P from the Google Store, they replaced it with a Pixel XL for free. The Google experience is terrible through a third party, but their Google 'direct' experience is pretty darn fantastic.
I can't fathom why the place where the device was purchased would matter if it's a Google phone. Apple manages to support iPhones whether you purchase them from an Apple store or in a back alley for bitcoins.
I know this is semantics, but it's fair. Apple doesn't manufacture anything, they design products and contract out the manufacturing to Foxconn. Basically the same as Google contracting out manufacturing to Huawei, only I think with the Nexus products it was more of a design collaboration than with the Pixel line.
Apple is the manufacturer that is honoring the manufacturer's warranty (and/or additional warranty options). Google is not the manufacturer of the Nexus 5X/6P, that's Huawei. So if you didn't buy from them, they send you to the manufacturer, like most retailers would after the initial return window, even if you did buy it from them.
I agree that it's bad for Google's image to operate that way, stick their name on a phone and then shrug their shoulders and tell you to talk to the real manufacturer. But that distinction is why Apple supports most iPhones no questions asked, and Google wants to know that you bought it from them. They're a glorified retailer licensing out their brand to Huawei.
I get it, but it's essentially Google wanting to have their cake (marketing to customers: "It's a Google phone! Pure Google all the way, baby!") and eat it, too (product support: "Uhhh, yeah, we uh, we don't make this thing, it's all Huawei, we're just a humble retailer."). I agree that it's absolutely bad for Google's image to operate this way, as you can see from the comments in this thread. People aren't mad at the OEMs Google paid to manufacture their devices, they're mad at Google.
> the OEMs Google paid to manufacture their devices
I'm not 100% sure, but I don't think that's how it was. LG's Nexus devices were manufactured by LG for LG, etc. The "Google" part of a Nexus phone is the software and some collaboration in the design.
It's really hit or miss. I've had to escalate to get my son's Pixel replaced twice now.
The replacement they sent has the wide-spread microphone issue out of the box, and I just haven't had the gumption to deal with yet another support experience.
I've had great luck so far with my Pixel XL and love it - one of the best phones I've ever owned. But the Pixel I bought along with it has been by far the most unreliable piece of hardware I've bought in a decade. It's really soured my opinion of Google, even though so far they have (grudgingly) replaced the item.
I'm dreading replacing it for the third time, as I know they will refer to their 2 replacements limit in their warranty contract. Zero of those replacements were anything but known hardware issues on the handset itself that thousands of others have reported online.
I had the same great experience when my Nexus 5X had a boot loop. I have Google Fi and bought the phone through them. My phone died and next day I had a new phone. Great online experience too.
Symantec is surely testing the patience of Google/Mozilla now. Illegitimate revocation seems almost on the same level as illegitimate issuance of certificates. Imagine the impact on an HPKP site.
It's not. A CA can revoke only certificates that they themselves issued, so the harm that a CA can do through inappropriate revocations is limited to its own customers and their users. If a CA gets a reputation for doing this, its customers can simply take their business elsewhere (this may be costly and inconvenient, but it's always an option, though in the HPKP case it requires them to have planned ahead). This gives CAs a clear incentive not to revoke certificates inappropriately, so the system works.
By contrast, illegitimate issuance by a CA that browsers trust is a threat to everyone's security. Furthermore, the parties directly harmed—the owners of the domains of the illegitimate certificates and their users—typically have no relationship at all with the offending CA, and consequently no direct recourse against it. That's why browser vendors—the only parties that CAs truly have to answer to—have to get involved in such cases.
I wondered where Apple and Microsoft were in this whole thing and I found this from one of the Chromium trust discussions:
"Assessing the compatibility risk with both Edge and Safari is difficult, because neither Microsoft nor Apple communicate publicly about their changes in trust prior to enacting them."
Why or why not would you want to withhold this kind of information?
To some degree, I believe Microsoft and Apple want to avoid any risk of being seen to collude with other vendors to essentially destroy the business of another company.
Both have company cultures built upon secrecy as the base value, I believe. "Why would you want to withhold this kind of information?" then answers with "Because you want to withhold any information, except on a need-to-know basis."
You should always have a plan if your key is compromised. It's recommended to announce two keys via HPKP: primary and backup key. If your primary key failed, you can always issue another certificate with backup key and change HPKP.
I think that it's even possible to issue another certificate with different CA using old private key. I'm not sure if all CA communicate with each other about revoked keys.
>You should always have a plan if your key is compromised.
But the point here is that there was no compromise. None at all, the author simply forged the whole thing and submitted it as part of a legitimate bundle for added plausibility in case there was a human in the loop (which there shouldn't be, and anyway that part could be trivially forged too, just register a bunch of domains over time, get certs for them, then leak the actual legitimate private keys on purpose). So having a primary/backup/backup backup/backup backup backup/backup^n is all useless in this scenario because only the public component was necessary to make a fake sufficient to fool Symantec's incompetent systems.
It's not just recommended, it's required. HPKP can certainly lock you out of your own site if done wrong but there are safeguards against that. A shockingly high number of sites that try to use HPKP don't actually do anything at all because every browser out there ignores their HPKP headers because they're malformed in some way.
That you would even consider trying HPKP without running the SSLLabs server test or Hardenize against it (which would identify these defects) is also shocking in itself.
I don't see why the impact on a site using HPKP would be different than for any other site. In both cases the site would have to install a new cert.
The only difference with the HPKP site is that they'd need to make sure their new cert uses the same key as the old one. (Or they could use a backup key/cert, which I'd expect them to have anyway if they're using HPKP.)
You'd think so given that Symantec believes the key is compromised, but that's actually not the case. I actually saw a fairly interesting discussion about this over on the mozilla.dev.security.policy mailing list just the other day: https://groups.google.com/forum/#!topic/mozilla.dev.security...
Right. If you read the rest of the thread though you'll see that that's because they're not actually required to check. (Or at least, it's certainly arguable that they're not.) Any other CA could have done the same thing and that would be considered perfectly acceptable behavior per the Baseline Requirements.
Doesn't the max-age parameter[1] restrict a browser from accepting only those previously specified keys for a certain time frame? Therefore newly issued certificates should throw a warning. Otherwise it would be trivial for a MitM'ed server to deliver their own key hash via a HPKP header. Or am I incorrectly understanding the value of the pinned hash?
You're correct about the header. The part you're missing is that it's entirely possible for the site operator to get a new, unrevoked certificate that uses the same underlying private key issued to themselves by a different (or even the same) CA. Such a certificate would be accepted just fine by browsers which have that key pinned. HPKP pins public keys, not individual certificates.
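The HPKP mechanics the last several comments argue about, as an added example that is not part of any commenter's post: a parser that rejects the malformed Public-Key-Pins headers browsers silently ignore, the RFC 7469 rule that a header is only noted when it carries a pin matching the served chain plus a backup pin that does not, and a pin check showing that a re-issued certificate with the same key still matches because the pin covers the SubjectPublicKeyInfo, not the certificate. The SPKI byte strings are constructed placeholders, not real keys or DER.

```python
"""HPKP (RFC 7469) pin handling: header parsing, noting rule, pin validation.

Added example. KEY_A/KEY_B/KEY_C are constructed placeholder byte strings
standing in for DER-encoded SubjectPublicKeyInfo structures.
"""
import base64
import hashlib
import re

# One directive: name, optionally "= value" where value is quoted or a bare token.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s;"]*)))?\s*$')


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value.

    Raises ValueError on anything malformed; a browser in that situation does
    not error, it simply ignores the header, so the site gets no pinning.
    """
    pins, max_age, include_sub, report_uri = [], None, False, None
    for raw in header.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"unparseable directive: {raw!r}")
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            if value is None:
                raise ValueError("pin-sha256 without a value")
            try:
                digest = base64.b64decode(value, validate=True)
            except Exception:
                raise ValueError(f"pin is not valid base64: {value!r}")
            if len(digest) != 32:
                raise ValueError("pin-sha256 must decode to 32 bytes")
            pins.append(value)
        elif name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age")
            if value is None or not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = value
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        raise ValueError("max-age is required")
    if len(pins) < 2:
        raise ValueError("at least two pins are required (one must be a backup)")
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_sub, "report_uri": report_uri}


def is_malformed(header: str) -> bool:
    """True if a browser would discard this header."""
    try:
        parse_hpkp(header)
        return False
    except ValueError:
        return True


def accept_header(parsed: dict, chain_spki: list) -> bool:
    """Noting rule: at least one pin must match a key in the served chain AND
    at least one pin must match nothing in the chain (the backup pin)."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    matched = any(p in chain_pins for p in parsed["pins"])
    backup = any(p not in chain_pins for p in parsed["pins"])
    return matched and backup


def chain_matches_pins(pins: set, chain_spki: list) -> bool:
    """Validation on a later connection: pass if any pinned SPKI appears
    anywhere in the chain. Certificate serial, issuer and revocation status
    play no part; only the public key is compared."""
    return any(spki_pin(s) in pins for s in chain_spki)


# Constructed placeholder "keys" (not real SPKI DER).
KEY_A = b"constructed SPKI placeholder: primary key"
KEY_B = b"constructed SPKI placeholder: backup key, kept offline"
KEY_C = b"constructed SPKI placeholder: unrelated key, never pinned"
PIN_A, PIN_B = spki_pin(KEY_A), spki_pin(KEY_B)
GOOD_HEADER = f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000; includeSubDomains'
ONE_PIN_HEADER = f'pin-sha256="{PIN_A}"; max-age=5184000'  # no backup: browsers ignore it

if __name__ == "__main__":
    parsed = parse_hpkp(GOOD_HEADER)
    print("header noted with primary cert served:", accept_header(parsed, [KEY_A]))
    print("single-pin header malformed:", is_malformed(ONE_PIN_HEADER))
    pins = set(parsed["pins"])
    # Old cert revoked, new cert from another CA but the same key: still matches.
    print("re-issued cert, same key:", chain_matches_pins(pins, [KEY_A]))
    print("cert on backup key:", chain_matches_pins(pins, [KEY_B]))
    print("cert on unrelated key:", chain_matches_pins(pins, [KEY_C]))
```

The two functions mirror the two moments in a browser's life with a pinned site: `accept_header` decides whether the header gets remembered at all (this is where the "backup pin" requirement lives), and `chain_matches_pins` is what runs on every later connection for `max-age` seconds. Run `python` on the file to see that a certificate re-issued on the old private key passes, while a certificate on a key that was never pinned fails regardless of which CA signed it.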
Agreed. This headline makes it sound like they're cheating in exams, but this is take-home assignments we're talking about. If wolfram alpha wasn't available, they'd be asking friends or posting in maths forums. Wolfram alpha is simply more efficient at this job but all take-home assignments have this problem inherently.
Students just need to be aware that they should learn from solutions provided by wolfram alpha (there's nothing wrong with that), otherwise they're going to flunk the closed-book exams anyway.
Exactly: Why is homework considered something that can be "cheated" on anyway? The whole purpose is to get practice and learn the material.
Just make the tests challenging - the ones who actually did their homework will pass. The ones who didn't won't.
Wolfram Alpha helped me many times - sometimes you're simply stuck on a problem and no one is there to help. But like anything, you can use it to cheat and not do work, or you can use it to help you learn more.