
Yeah, it creates this weird dead zone where the machine is perfectly capable of running the newer OS, but the built-in path to get there is broken

Modern UI trends seem to optimize for neutrality and content-first minimalism, which is nice in theory but often ends up feeling generic

“Content-first minimalism”

I disagree. Unless the ‘content’ is “corners are sooo round, and isn’t this glass-like distortion just so neat?”


How modern computing quietly depends on this constantly-maintained layer of trust infrastructure

Well, to be more specific, "modern internet/web". Most of the applications that ran on a Windows XP computer still run on a Windows XP computer without hiccups, unless they do a lot of network connectivity for the functionality.

And no one can even give a concrete answer why root certificates need expiration dates. It's just because reasons.

IMO the whole PKI thing is a terrible idea to begin with. It would make much more sense to tie the trust in TLS to DNS somehow, since the certificates themselves depend on domains anyway. Then you would only have a single root of trust, and that would be your DNS provider (or the root servers). And nothing will expire ever again.


The instant we bound encrypted connections with identity we failed. And decades later we're still living with the mistake.

I'm completely serious when I say we need to abandon the ID verification part of certificates. That's an entirely separate problem from the encryption protocol. An encryption protocol needs absolutely no expiration date; it's useful until it's broken, and no one can predict that. Identity should be verified in a separate path.


Certificates need expiration dates to be able to garbage collect certificate revocation lists.

Do certificate revocation lists need to keep including certificates that have long since expired? I don't see why root certificates need to expire as long as the certificates signed by those roots all have reasonable expiration windows, unless someone is doing something strange about trusting formerly-valid certificates, or not checking root certificates against revocation lists.

Root certificates need expiration dates for the same reason that Let's Encrypt certs need an expiration date: risk of cert compromise and forgery increases over time.

Over a long enough timeline, there will be vulns discovered in so much of the software that guards the CA certs in RAM


> risk of cert compromise and forgery increases over time.

And what if the certificate is compromised before it expires? Right, there's a revocation mechanism for that. So why expire them then if they can be revoked anyway IF they get compromised?

The reason why domain TLS certificates expire is that domains can change owners. It makes sense that it should not be possible for someone to buy a domain for one year, get a non-expiring TLS certificate issued for it, and then have the ability to MitM its traffic if it ever gets bought by someone else later.

Domain certificates are sent as part of the connection handshake, so them expiring is unnoticeable for the end users. However, root certificates rely on the OS getting updates forever, which is unsustainable. Some systems lack the ability to install user-provided root CAs altogether, and some (Android) do allow it but treat them as second-class.


Because the most dangerous secret is one that has been compromised and you don’t know it. This sets a time limit for their usefulness. Sometimes the stories about terrible default choices that are insecure sink in and architects choose a better path.

Also, details about the certs and the standards for them change over time. This makes it easier for the browser vendors (via the CA forum) to force cert providers to update over time.

You're talking about it like they change by the force of nature, not because humans change them.

The revocation mechanism is basically just a list of revoked certificates. Without expiration dates, those lists will grow infinitely.
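
As an added illustration of the point made in the last few comments (this is example code written for this page, not something posted in the thread): a small model of a CA's revocation list. The Cert class, the simulated issuance schedule and the "drop once expired" pruning rule are constructed for the illustration; it is not a parser for real X.509 CRLs, and the pruning rule is the simplified form of what RFC 5280 section 5 permits (a real CA keeps the entry on one more scheduled CRL past notAfter before dropping it).

```python
# Added example (not code from the thread): why certificate expiry lets a
# CRL be garbage-collected. Cert, build_crl and the simulation are a
# constructed model, not a real X.509/CRL implementation.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: Optional[datetime]          # None models a never-expiring cert
    revoked_at: Optional[datetime] = None  # None means never revoked


def build_crl(certs: List[Cert], now: datetime) -> List[int]:
    """Serials a CRL issued at `now` must still carry.

    An entry is needed only while the certificate is both revoked and still
    inside its validity window: once notAfter has passed, any relying party
    that checks dates rejects it anyway. A cert with no notAfter can never
    be dropped, so its entry lives forever.
    """
    return sorted(
        c.serial
        for c in certs
        if c.revoked_at is not None
        and c.revoked_at <= now
        and (c.not_after is None or c.not_after > now)
    )


def is_trusted(cert: Cert, crl_serials: List[int], now: datetime) -> bool:
    """Relying-party check: validity window first, then CRL membership."""
    if cert.not_after is not None and now > cert.not_after:
        return False
    return cert.serial not in crl_serials


def simulate_crl_size(years: int, lifetime_days: Optional[int],
                      revoked_per_year: int) -> int:
    """Issue and revoke `revoked_per_year` certs each year for `years` years
    and return how many entries the CRL issued at the end must still list.
    lifetime_days=None models certificates without an expiration date."""
    start = datetime(2020, 1, 1, tzinfo=UTC)
    certs = []
    serial = 1
    for year in range(years):
        for day in range(revoked_per_year):
            issued = start + timedelta(days=365 * year + day)
            not_after = (None if lifetime_days is None
                         else issued + timedelta(days=lifetime_days))
            # revoked the day after issuance: the worst case for CRL growth
            certs.append(Cert(serial, not_after, issued + timedelta(days=1)))
            serial += 1
    now = start + timedelta(days=365 * years)
    return len(build_crl(certs, now))


def pruned_entry_still_rejected() -> bool:
    """A revoked cert that has expired drops out of the CRL, yet a relying
    party that honours notAfter still refuses it."""
    now = datetime(2025, 1, 1, tzinfo=UTC)
    old = Cert(7, datetime(2024, 1, 1, tzinfo=UTC),
               revoked_at=datetime(2023, 6, 1, tzinfo=UTC))
    crl = build_crl([old], now)
    return crl == [] and not is_trusted(old, crl, now)


if __name__ == "__main__":
    for lifetime in (90, 365, None):
        print(f"lifetime={lifetime}: CRL entries after 10 years =",
              simulate_crl_size(10, lifetime, 10))
    print("expired+revoked cert pruned but still rejected:",
          pruned_entry_still_rejected())
```

With ten revocations a year for ten years, 90-day certs leave a CRL with zero entries at the end, one-year certs leave nine, and never-expiring certs leave all hundred, and the count keeps growing for as long as the CA operates. The second check is the answer to "why expire them if they can be revoked": the expiry is what lets the CA forget the revocation without the relying party ever accepting the cert.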

Right, because DNS entries never expire.

Of course they do, they have to. But it's okay for things that are sent to you over the network to expire. It's not okay for things built into your potentially abandoned OS to expire.

> Of course they do, they have to.

Why do they have to?

(This will also tell you why certs in your OS need to expire.)



That era of macOS had a kind of clarity and restraint that’s hard to describe

It says as much about how conservative and stable Wi-Fi standards have been as it does about Apple

The debate just gets louder when geopolitics gets layered on top of an already controversial model

Blocking trackers is a reasonable self-defense move today, but it also highlights that the system isn't aligned with users anymore

It hasn't been for some time now, sadly.

The headline makes it sound uniquely sinister, but most of what's described here is just the modern adtech stack doing what it's been doing for a decade. The real tension is that advertisers want attribution, sites want revenue, and users want privacy and the current system optimizes almost entirely for the first two

The modern adtech stack is uniquely sinister, especially compared to its antecedents in society. TikTok is not only one of a select few big tech companies that dominate it, but (according to the article), it's becoming increasingly invasive "in unusual ways compared to its competitors".

(I have no idea whether that second part is true, as most of the article seems to be spent explaining the concept of the tracking pixel for non-technical readers.)


100% - targeted advertising lives and breathes on data - this is par for the course

It may not be news to you personally, but that doesn't mean it's not newsworthy for the general public.

the average person doesn't know jack about how data mining works and would be hard pressed to understand what a heap or stack is.

no surprises here, but the public should hear this, even if it's a given to the technical folks


Perhaps the title should be extended: "as Facebook, X, and everyone else does"

I bet you never heard of Google or Meta.

The real tension is users don't want to pay for anything which is why the ad landscape is what it is.

Why should they pay?[0]

You point to the market but these market giants gain a lot of their stature from the free and open work done by others. The market is not the decider of the value of utility. If it was we'd not hear about donation campaigns for FOSS. We wouldn't hear stories of how there's a single developer working on critical software on nights and weekends. We wouldn't hear about yet another FFmpeg wrapper making millions while trying to demand free work from FFmpeg. We wouldn't hear that stuff because the market would be compensating them.

While there are some things where there is no alternative, you can get pretty far with FOSS, if you know where to look. I'm not trying to say people shouldn't be paid, but I am saying that just pointing to the market is too simplistic of an answer.

[0] https://en.wikipedia.org/wiki/Free_and_open-source_software


Framed another way: The market rejects the product at the price it would cost to provide, so companies have turned to addictive designs, skeevy tracking, and information asymmetry/user ignorance to recoup their investment.

The market isn't rejecting the product, it's taking the product and rejecting paying for it.

If it were rejecting the product, ads wouldn't appear anywhere.


Ads optimize for getting every single penny without any pushback from bad effects, which is why the ad landscape is what it is.

Tossing in more paying users wouldn't fix scummy ads. And ads could exist without being scummy, but it would take some other kind of pressure.


advertisers act for themselves. sites act for themselves. users need to act for themselves and optimize their own privacy.

Advertisers are organized, site owners are organized, and users are not. You need coordination if you want to see the balance changed.

> users need to act for themselves and optimize their own privacy.

> You need coordination if you want to see the balance changed.

Which is, actually, what the BBC author of TFA is doing, by writing an article as a user, to inform other users so they too can act to protect their privacy.

Seems like industry insiders passing responsibility for their bad practices on to consumers really means they want consumers to stay divided.


> Which is, actually, what the BBC author of TFA is doing, by writing an article as a user, to inform other users so they too can act to protect their privacy.

No. The author only singles out TikTok. Looks like a paid piece.

A real journalist would have made some research.


> Seems like industry insiders passing responsibility for their bad practices on to consumers really means they want consumers to stay divided.

I think this is why they also encourage the old trope of "It's not just <X>".

It's a truth, but used in a way that makes people feel powerless. Like the war is already lost. It makes people apathetic, because it makes people overwhelmed. It causes the evangelists to quiet themselves as they become exhausted. It normalizes the behavior. It just becomes another one of the many things we're powerless to fight against, so why even try.

I'm not accusing the OP of doing this, but I do want to point out that it is a strategy being used. Not misinformation, not disinformation, but malinformation. Truths used in a specific way, often lacking context. It is the same way people dog whistle, hiding their true intent in normalized speech (it's not a dog whistle if everyone can hear it, that's just a whistle).


what does coordination mean, exactly? is the expectation that a small group of users will band together and somehow lobby more effectively than FAANGs?

Coordination means a movement or organization with some kind of actual leadership and alignment. It could be an advocacy group, union, political organization. There has to be something, likely several somethings, for people to throw their lot in with. Otherwise people with grievances will just simmer and complain impotently.

It can start small, but group membership will eventually have to be large if you want to outgun FAANG. We do have numbers on our side though, they're just scattered.


I'm organized enough not to use Tiktok. Anything else is probably going to be ineffective. Not sure if this is effective either though.

> users need to act for themselves and optimize their own privacy.

In some sense I agree, but I also think you've oversimplified things.

Even when you're highly technically skilled it can be extremely difficult to impossible to regain the level of privacy the average person had just 50 years ago (probably even just 20). This is a bar too high. One should not need years or decades of expertise to take back what is a broad/universal desire.

It comes down to consent. The users aren't technologically sophisticated enough to know how their data is being weaponized against them. Let's be honest here, even on places like HN we often see claims about "ads don't affect me" and "I don't care if they want to sell me a better product". As if 1) you aren't affected, 2) it doesn't matter if your friends/family/peers are affected, and 3) that ads are just there to sell you products and exclusively ones that make your life better. How the information is being leveraged is too abstract for most people and it takes time to process it.

The advertisers literally take advantage of this fact.

But where I do agree is that we need to make our voices heard. The barrier is too high for most to achieve. "Install a pihole" may be acceptable on HN[0] but not for the broader public and certainly is far from being a strong defense alone[1].

Where I do agree is that we as developers need to make these tools easier to use and help lead those conversations and help educate people.

But if you are saying the solution is "git gud, protect yourself" then I think you are on the wrong side and even harming yourself. Unfortunately internet privacy is like vaccinations, we require herd immunity. Without those around you protecting their privacy, your privacy is at risk. It is not a personal decision, it is a social one.

[0] And is the average HN user actually going to implement encrypted DNS and know how to pick better DNS servers? Or are we just going to argue about the trustworthiness of 1.1.1.1 vs 9.9.9.9? Are we even going to talk about things like 1.1.1.2 or base.dns.mullvad.net? These are still the basics!

[1] How many people know you need to change your browser settings? That your browser is likely picking a DNS server for you.


> The headline makes it sound uniquely sinister, but [it's not]

Does this matter?

TikTok is one of the, if not the, most popular apps in the US and the world[0]. It makes sense to talk about the biggest offenders.

You're right that the problems are more systemic and TikTok is far from alone, but at the end of the day, if this is the gateway to having the broader conversation, I would not dismiss it[4]. Laws that reduce the harm that TikTok is doing applies much more broadly than to TikTok. That is a win for us. It is difficult to write laws to specifically target a single company, and whenever that happens they serve as leverage to go after others too.

Treating TikTok as the face does not absolve others of their actions. It may shift focus off of others, but frankly, we're living in a time where focus is incredibly difficult to achieve.

I don't think you're wrong, but we've been trying to have the more nuanced conversation for over a decade and it doesn't catch people. So I'm personally okay with targeting an extremely popular platform like TikTok or Meta and using them as the gateway to the more nuanced conversations. IME if you just start by talking about "Surveillance Capitalism" it is common for people's eyes glaze over or they throw up their arms as the problem seems so large it is insurmountable. IME being more specific, talking about specific companies and specific actions[5] is the right gateway. It enables the deeper conversations without overloading people. Remember, you've had years to process all this and they're still new. Give them time.

--

[0] In the US it looks like >136M adult users[1], which looks to be about half of all adult Americans[2], or 66% of Americans between 18 and 65[3]

[1] https://www.theglobalstatistics.com/us-tiktok-users-statisti...

[2] (Adults = 136e6 / (340,110,988 * (1-0.215))): https://www.census.gov/quickfacts/fact/table/US/PST045224

[3] Intended as an upper bound, as certainly there are some seniors on TikTok.

[4] Unfortunately I think it is easy for bad actors to use whataboutism and that while I don't think you're doing this, bad actors try to snake in through claims like yours. Using the legitimacy of your claim to control the conversation and shift focus (the same way dog whistles are only intended to be heard by dogs).

[5] DO NOT start with the most egregious, as that's too abstract and leads people to believe you're a conspiracy nut. Same shit as when talking about Snowden, it doesn't matter if you can show them the evidence, the claims appear more like that out of a movie than reality and it doesn't feel like we live in the dystopia where we see this kind of tech on screen.


At the same time, I think it's risky to lean too hard on the idea that captivity is the only way to sustain concern

It isn't, but it's often been the only reason that a species didn't go extinct.

Pandas being one of those species. I feel as if pandas would go extinct if zoos weren't there.

technically pandas' cuteness is the reason why they haven't really gone extinct. Dogs/cats have also mastered the cuteness stat. I wonder if for animals, evolution might now lean towards cuteness.

I am also thinking what counts as cute in the first place? Is there any scientific consensus around cuteness that animals can develop?


The key difference is that births like those (and this one) aren't about "we need more elephants," they're about which elephants survive and reproduce

Well, "[Raja] was the first elephant ever born at the Saint Louis Zoo and is considered a St. Louis legend. Male Asian elephant Raja, born amid fanfare nearly 31 years ago on Dec. 27, 1992, has three daughters at the Zoo..."

https://stlzoo.org/news/elephant-news

