This Great Barrington Declaration is more restrictive than current laws in my Eastern European country.
For example, it says "Retired people living at home should have groceries and other essentials delivered to their home. When possible, they should meet family members outside" but in my country there is no such lockdown for any age group.
It says "Young low-risk adults should work normally, rather than from home" but in my country employers aren't required to stop allowing young people to work from home (before 2020 working from home without breaking laws was basically impossible in my country).
A large phase 3 trial in Brazil showed that two doses, administered at an interval of 14 days, had an efficacy of 51% against symptomatic SARS-CoV-2 infection, 100% against severe COVID-19, and 100% against hospitalization starting 14 days after receiving the second dose.
Pfizer and Moderna vaccines aren't easily available outside of "first world" countries because of vaccine nationalism.
The largest ISP in Kazakhstan believes that it should be able to intercept all TLS traffic on their network: https://bits.blogs.nytimes.com/2015/12/03/kazakhstan-moves-t.... Because there are no technical differences between your TLS interception and what Kazakhtelecom is doing and no legal differences in most non-Western countries, I believe that all software should be changed to make TLS interception as hard as possible.
There is absolutely a significant legal and moral difference between national interceptions like Kazakhstan does and the ones we do protecting children you are guardians of or protecting company secrets and integrity.
In the latter case ideally (and possibly legally required) you'd have acceptance of potential interception a condition of employment.
I can create "773c7d.13445a.acme.invalid" in almost all shared hosting control panels I have access to.
When I send an HTTP request with Host: 773c7d.13445a.acme.invalid, the server responds with a file from ~/domains/773c7d.13445a.acme.invalid/public_html or a similar directory available through my FTP account.
When I connect using openssl s_client ... -servername 773c7d.13445a.acme.invalid, the server sends a certificate configured for 773c7d.13445a.acme.invalid in my control panel.
Is this a problem for Let's Encrypt? Doesn't Let's Encrypt's verification require creating files with random names in http://example.com/.well-known/acme-challenge where example.com is the certificate's common name?
> Doesn't Let's Encrypt's verification require creating files with random names in http://example.com/.well-known/acme-challenge where example.com is the certificate's common name?
Are you asking whether this is an issue for the http-01 challenge?
If so, the answer is no, because if you wanted to use this to obtain a cert for some domain you don't own, the DNS response for that domain would have to already point to the shared hosting server you're configuring. (Which would imply there's already another customer using that domain.)
If you can serve content from another customer's domain who is on the same shared host as you, that's a serious security vulnerability with the hosting platform without respect to whether or not Let's Encrypt exists.
> Is this a problem for Let's Encrypt? Doesn't Let's Encrypt's verification require creating files with random names in http://example.com/.well-known/acme-challenge where example.com is the certificate's common name?
That applies to the http-01 challenge. The tls-sni-01 challenge works solely based on the returned certificate. If the SAN value in the certificate matches the SNI value sent by the validation server, the challenge succeeds.
Would you mind sharing which control panel you tested this with?
DirectAdmin, the most popular webhosting control panel in my country.
In my opinion this is not a bug because when I need to test a website, I often create an invalid hostname on the server and add the server's IP address to my computer's /etc/hosts. When I need HTTPS, I upload a certificate for the test hostname signed by my private CA.
Thanks. I signed up for the first shared web hosting provider I could find that uses DirectAdmin and was able to reproduce this. I'll bring this up in the relevant thread on mozilla.dev.security.policy, this is definitely concerning.
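The thread above boils down to a hosting-platform problem: a control panel let one customer bind a hostname (and a certificate for it) that the account had no right to, and the tls-sni-01 validator only ever saw the certificate. The following is an added example, not code from the thread, DirectAdmin or Let's Encrypt, of the kind of ownership check a control panel could run before accepting a new virtual host. The function name `vhost_request_allowed`, the `claimed` registry and the injected `resolve` callback are my assumptions; the sample hostnames and the `.invalid` name come from the thread.

```python
import ipaddress

# RFC 2606 reserved TLDs: names under these can never be delegated to a customer,
# so a request for one is either a test artifact or an attempt to bind a name
# that a validator might accept without any DNS check.
RESERVED_TLDS = ("invalid", "test", "example", "localhost")


def vhost_request_allowed(hostname, account, server_ip, claimed, resolve):
    """Decide whether `account` may bind `hostname` on a shared server.

    hostname  - the name the customer wants to add (case-insensitive)
    account   - identifier of the requesting customer account
    server_ip - public address of the shared host the account lives on
    claimed   - dict {hostname: account} of names already bound on this host
    resolve   - callable(hostname) -> list of A records (injected so the
                check is testable offline; assumed helper, not a real API)
    Returns (allowed: bool, reason: str).
    """
    name = hostname.strip().rstrip(".").lower()
    if not name or ".." in name:
        return False, "malformed hostname"

    # Reject names under RFC 2606 reserved TLDs outright.
    if name.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return False, "reserved TLD"

    # One hostname, one owner: another customer already holding the name
    # must block the request even though DNS points at this very server.
    owner = claimed.get(name)
    if owner is not None and owner != account:
        return False, "hostname already bound to another account"

    # The name must actually be delegated to this server; a customer cannot
    # bind a name whose DNS points elsewhere (or nowhere).
    records = resolve(name)
    try:
        addrs = {ipaddress.ip_address(r) for r in records}
    except ValueError:
        return False, "resolver returned a non-address record"
    if ipaddress.ip_address(server_ip) not in addrs:
        return False, "hostname does not resolve to this server"

    return True, "ok"


# Constructed zone data standing in for a real resolver.
FAKE_ZONE = {
    "customer-a.example.org": ["203.0.113.10"],   # delegated to the shared host
    "customer-b.example.org": ["203.0.113.10"],   # also on the shared host
    "elsewhere.example.org": ["198.51.100.7"],    # hosted on a different server
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


def demo():
    """Run the check over the constructed cases and return the decisions."""
    claimed = {"customer-a.example.org": "acct-a"}
    cases = [
        ("773c7d.13445a.acme.invalid", "acct-b"),  # name from the thread
        ("customer-a.example.org", "acct-b"),      # owned by someone else
        ("elsewhere.example.org", "acct-b"),       # DNS points away
        ("customer-b.example.org", "acct-b"),      # legitimate request
    ]
    return {
        host: vhost_request_allowed(host, acct, "203.0.113.10", claimed, fake_resolve)
        for host, acct in cases
    }


if __name__ == "__main__":
    for host, (ok, why) in demo().items():
        print(f"{host:32s} {'ALLOW' if ok else 'DENY '} ({why})")
```

The DNS step enforces the property the reply at the top of this thread relies on for http-01 (the name has to point at the server being configured), and the ownership registry covers the case that http-01 never protects against: two customers on the same server fighting over one name. Let's Encrypt later disabled the tls-sni-01 challenge, but the control-panel check is worthwhile regardless of which challenge a CA uses.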
When I click on "Investing in operations" or "Updating our policies", I see US-formatted dates such as "August 28, 2017", so foreign probably means non-US.
DCTCP is designed for.. data center networks. You have first party control and can ensure ECN works end to end on your equipment.
BBR is designed for the "hostile internet" where you can't rely on ECN marking, and basically tons of people are willingly and unwillingly plotting against you.. middle boxes that do policing and shaping and just plain bizarre things, routers that clear options, other worse/unfair congestion controls, extreme variation in buffer sizes, etc.
The BBR whitepaper gave examples of improvements on high-capacity backhaul links (e.g. a 10Gbps WAN) and lower-speed, last-mile connections to end users.
All traffic to/from some IP addresses is blocked, additionally all Chinese DNS servers respond with random A records when the domain name is banned, for example:
$ host facebook.com 202.97.0.6
facebook.com A 8.7.198.45
$ host facebook.com 202.97.0.6
facebook.com A 243.185.187.39
$ host facebook.com 202.97.0.6
facebook.com A 243.185.187.39
$ host facebook.com 202.97.0.6
facebook.com A 46.82.174.68
$ host facebook.com 202.97.0.6
facebook.com A 59.24.3.173
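The transcript above shows the two signals a resolver-monitoring check can key on: the same name answered with a different address on every query, and addresses that no public host could have (243.185.187.39 lies in the reserved 240.0.0.0/4 block). The script below is an added example, not part of the comment, that parses that exact transcript and flags both signals. `parse_host_output` and `suspicious_answers` are my own names; the transcript is the one quoted in the comment.

```python
import ipaddress
from collections import defaultdict

# Transcript of repeated `host facebook.com 202.97.0.6` queries, copied from
# the comment above (the only input this example needs).
SAMPLE_TRANSCRIPT = """\
$ host facebook.com 202.97.0.6
facebook.com A 8.7.198.45
$ host facebook.com 202.97.0.6
facebook.com A 243.185.187.39
$ host facebook.com 202.97.0.6
facebook.com A 243.185.187.39
$ host facebook.com 202.97.0.6
facebook.com A 46.82.174.68
$ host facebook.com 202.97.0.6
facebook.com A 59.24.3.173
"""


def parse_host_output(transcript):
    """Collect A records per name from lines shaped like 'name A address'.

    Prompt lines ('$ host ...') and anything that is not a three-token
    A-record line are ignored. Returns {name: [address, ...]} in query order,
    so repeated identical answers are kept (they matter for the ratio below).
    """
    answers = defaultdict(list)
    for line in transcript.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            answers[parts[0]].append(parts[2])
    return dict(answers)


def suspicious_answers(answers, min_distinct=2):
    """Flag names that look like they are being answered with junk.

    Two checks per name:
      * reserved: any address in an IETF-reserved range (240.0.0.0/4 etc.)
        that cannot belong to a reachable public host; this is the strong signal.
      * distinct: number of different addresses seen across repeated queries;
        this alone is only a hint, since round-robin DNS also rotates answers.
    Returns {name: {"distinct": [...], "reserved": [...]}} for flagged names.
    """
    report = {}
    for name, ips in answers.items():
        distinct = sorted(set(ips))
        reserved = []
        for ip in distinct:
            try:
                if ipaddress.ip_address(ip).is_reserved:
                    reserved.append(ip)
            except ValueError:
                # Not an IP literal at all; treat it as suspicious too.
                reserved.append(ip)
        if reserved or len(distinct) >= min_distinct:
            report[name] = {"distinct": distinct, "reserved": reserved}
    return report


if __name__ == "__main__":
    parsed = parse_host_output(SAMPLE_TRANSCRIPT)
    for name, info in suspicious_answers(parsed).items():
        print(f"{name}: {len(info['distinct'])} distinct answers, "
              f"reserved-range answers: {info['reserved'] or 'none'}")
```

In practice the `host` output would come from a scheduled probe against the resolver under test, with the parsed answers compared against a second resolver that is known to be clean; the reserved-range hit is the finding worth alerting on, while a high distinct-answer count should only raise the priority of a manual look.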