Hacker News | mocko's comments



I can see how this would work on a technical level but what's the intended use case?


Just ESNI/ECH is a big deal.

I recall one of the main arguments against Encrypted server name indication (ESNI) is that it would only be effective for the giant https proxy services like Cloudflare, that the idea of IP certs was floated as a solution but dismissed as a pipe dream. With IP address certificates, now every server can participate in ESNI, not just the giants. If it becomes common enough for clients to assume that all web servers have an IP cert and attempt to use ESNI on every connection, it could be a boon for privacy across the internet.


So is this the flow?

1. Want to connect to https://www.secret.com.

2. Resolve using DNS, get 1.2.3.4

3. Connect to 1.2.3.4, validate cert

4. Send ESNI, get separate cert for www.secret.com, validate that

... and the threat you're mitigating is presumably that you don't want to disclose the name "www.secret.com" unless you're convinced you're talking to the legitimate 1.2.3.4, so that some adversary can't spoof the IP traffic to and from 1.2.3.4, and thereby learn who's making connections to www.secret.com. Is that correct?

But the DNS resolution step is still unprotected. So, two broad cases:

1. Your adversary can subvert DNS. In this case IP certificates add no value, because they can just point you to 5.6.7.8, and you'll happily disclose "www.secret.com" to them. And you have no other path to communicate any information about what keys to trust.

2. Your adversary cannot subvert DNS. But if you can rely on DNS, then you can use it as a channel for key information; you include a key to encrypt the ESNI for "www.secret.com" in a DNS record. Even if the adversary can spoof the actual IP traffic to and from 1.2.3.4, it won't do any good because it won't have the private key corresponding to that ESNI key in the DNS. And those keys are already standardized.

So what adversary is stopped by IP certificates who isn't already stopped by the ESNI key records in the DNS?


Sure, I agree, the next increment in privacy comes with using DoT/DoH (in fact some browsers require this to use ESNI at all). Probably throw in DNSSEC next. Having IP certs is just one more (small) step in that direction.

> you include a key to encrypt the ESNI for "www.secret.com" in a DNS record

I've never heard of this, is this a thing that exists today? (edited to remove unnecessary comment)


> I've never heard of this, is this a thing that exists today? Are you arguing against one small step in a series of improvements by using a nonexistent hypothetical as evidence that the small step is unnecessary?

see: https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...


Thanks.

> Another Internet Draft incorporates a parameter for transmitting the ECH public keys via HTTPS and SVCB DNS record types, shortening the handshake process.[24][25]

[25]: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings | https://datatracker.ietf.org/doc/draft-ietf-tls-svcb-ech/


DNSSEC is an integrity control, not a privacy control.


gp proposes a scenario where an integrity breach is lifted to a privacy breach, insisting on a strict distinction doesn't seem useful in this context.


I think it’s a fair aside. One doesn’t just “throw in a little DNSSEC” in a security discussion without extreme care.


The point is in not showing the watching adversary any DNS names at all. You do DoH, you do the IP cert, you enter TLS before naming any names. The www.secret.com is never visible in plaintext.

Only helpful if the IP itself is not incriminating or revealing, that is, it's an IP from a large pool like Cloudflare, GCP, AWS, etc.

To my mind, it's much more interesting to verify that an address like 1.1.1.1 or 8.8.8.8 is what it purports to be, but running UDP DNS over TLS is still likely not practical, and DoH already exists, so I don't see how helpful is it here.


Presumably you're encrypting DNS.


> If it becomes common enough for clients to assume that all web servers have an IP cert

That's never going to be a safe assumption; private and/or dynamically assigned IP addresses are always going to be a thing.


Plenty of other responses with good use cases, but I didn’t see NTS mentioned.

If you want to use NTS, but can’t get an IP cert, then you are left requiring DNS before you can get a trusted time. If DNS is down- then you can’t get the time. A common issue with DNSSEC is having the wrong time- causing validation failures. If you have DNSSEC enforced and have the wrong time- but NTS depends on DNS, then you are out of luck with no way to recover. Having IP as part of your cert allows trusted time without the DNS requirement, which can then fix your broken DNSSEC enforcement.


How are you going to validate an X.509 certificate if you don't know the time?


ChromeOS has a quite interesting design to do this: https://www.chromium.org/chromium-os/chromiumos-design-docs/...

Essentially: keep some minimum values for time. Then do a single HTTPS request, ignore the validation of the certificate's date to start with, but use the Date header to later validate it against minimum / maximum. This has the advantage it's still a HTTPS request, so can't be MiTM'd and depending on implementation it can validate the time quite well (even if the device has run out of power it can have saved a recent timestamp on disk, so with regular use of the device an old certificate won't be valid, keeping the main useful property of certificates having validity periods).

I don't believe it does this, but you could do this without DNS as 8.8.8.8, etc already have IP address certificates:

    curl -sI https://1.1.1.1 | grep -i '^date:'
    curl -sI https://8.8.8.8 | grep -i '^date:'
    curl -sI https://9.9.9.9 | grep -i '^date:'

It would need a custom tool though, as curl only has --insecure, not a way to avoid just the notBefore / notAfter validation of the cert.

(This is not the only thing to use this technique, OpenBSD's ntpd has a way to constrain time based on HTTP headers: https://man.openbsd.org/ntpd.conf#CONSTRAINTS -- the default ntpd.conf ships with Quad9 configured via IP address.)
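Added example (not part of the comment above, and not ChromeOS or OpenBSD code): the accept/reject decision such a custom tool would make once it has a Date header and the certificate's validity window. The names `bootstrap_time`, `floor` and `MAX_FORWARD_JUMP` are hypothetical, the inputs are constructed, and it assumes the chain and IP SAN were already verified with only the date check deferred.

```python
"""Decision logic for bootstrapping a clock from an HTTPS Date header."""
import ssl
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy value: largest forward jump from the floor that is accepted.
MAX_FORWARD_JUMP = timedelta(days=3650)


def cert_time(text):
    """Parse a notBefore/notAfter string in ssl.getpeercert() format."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def bootstrap_time(date_header, not_before, not_after, floor,
                   max_jump=MAX_FORWARD_JUMP):
    """Return (trusted_time, reason); trusted_time is None when rejected.

    `floor` is a timezone-aware minimum time, for example the build date or
    the last timestamp the device saved to disk.
    """
    try:
        claimed = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return None, "unparseable Date header"
    if claimed.tzinfo is None:
        return None, "Date header has no usable zone"
    claimed = claimed.astimezone(timezone.utc)

    # 1. The clock never moves behind what the device already knows.
    if claimed < floor:
        return None, "before floor"
    # 2. Bound how far one response may push the clock forward.
    if claimed > floor + max_jump:
        return None, "too far ahead of floor"
    # 3. The deferred validity check, evaluated at the claimed time.
    if not cert_time(not_before) <= claimed <= cert_time(not_after):
        return None, "certificate not valid at claimed time"
    return claimed, "ok"


if __name__ == "__main__":
    # Constructed sample values: a 6-day certificate and a stored floor.
    floor = datetime(2025, 6, 20, tzinfo=timezone.utc)
    nb, na = "Jun 28 00:00:00 2025 GMT", "Jul  4 00:00:00 2025 GMT"
    for header in ("Tue, 01 Jul 2025 12:00:00 GMT",
                   "Thu, 10 Jul 2025 12:00:00 GMT",
                   "garbage"):
        print(header, "->", bootstrap_time(header, nb, na, floor))
    # A replayed old response fails once the saved floor has moved past it.
    later = datetime(2025, 8, 1, tzinfo=timezone.utc)
    print(bootstrap_time("Tue, 01 Jul 2025 12:00:00 GMT", nb, na, later))
```

The floor check is what keeps an expired certificate from being replayed together with an old Date value: once the saved timestamp is later than the certificate's notAfter, no claimed time can satisfy both checks.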


Oh this is a good point! Looking at my DNSSEC domain (hosted by Cloudflare) on https://dnssec-debugger.verisignlabs.com - the Inception Time and Expiration Time seems to be valid for... 3.5 days? This isn't something I look at much, but I assume that is up to the implementation. The new short-lived cert is valid for 6 days. So, from a very rough look, I expect X.509 certificate is going to be less time sensitive than DNSSEC - but only by a few days. Also, very likely to depend on implementation details. This is a great point.


Practically, though, you rely on hardware time until you get network time.


Assuming your device gets an IP via DHCP, there is a solution that does not involve hard-coding IPs into software.

DHCP option 42 (defined in RFC 2132) can be used to specify multiple NTP server IPv4 addresses.

(There’s also DHCP option 4, but that’s used to specify the IP for the older RFC 868 time protocol.)

DHCPv6 has option 31 for SNTP (via deprecated RFC 4075), and option 56 for NTP (via RFC 5908).

So, that would probably be the best option: Get an NTP address from DHCP or DHCPv6, use that to set your clock, and then do whatever you need!

(Yes, it does require that you trust your DHCP source, and its NTP reference.)


this seems possible to avoid as an issue without needing IP certs by having the configuration supply both an IP and a hostname, with the hostname used for the TLS validation.


Yes, that is absolutely possible, but doesn't mean that will be the default. I commented recently [0] about Ubuntu's decision to have only NTS enabled (via domain) by default on 25.10. It begs the question how system time can be set if the initial time is outside of the cert's validity time-frame. I didn't look, but perhaps Chrony would still use the local network's published NTP servers.

[0]: https://news.ycombinator.com/context?id=44318784


Sometimes you want to have valid certs while your dns is undergoing major redesign. For instance to keep your dashboards available, or to be triple sure no old automation will fail due to dns issues.

In other cases dns is just not needed at all. You might prefer simplicity, independence from dns propagation, so you will have your, say, Cockpit exposed instantly on a test env.

Only our imagination limits us here.


So go to keys-are-names.

There's no reason AT ALL to bring IP addresses into the mix.


Consider Wireguard: it works at IP level, but gives you identity by crypto key. You can live without proper DNS in a small internal network.

(This obviously lives well without the IP certs under discussion.)


> So go to keys-are-names.

Elaborate, please.

> There's no reason AT ALL to bring IP addresses into the mix.

Not sure what scenario you are talking about, but IPs are kind of hard to avoid. DNS is trivial to avoid - you can simply not set it up.

"bringing IPs into the mix" is literally the only possible option.


https://yggdrasil-network.github.io/

It's a mesh routing network where your identity is your public key and your ipv6 address is derived from the hash of your public key.

Works perfectly


>> So go to keys-are-names.

> Elaborate, please.

Identify a service directly by its crypto key. When you configure something else to connect to it, treat the IP address as a hint, not the primary identifier for what it's talking to. Standard idiom.

... and before you tell me that that's infeasible because you'd have to modify software, go do a survey of all the code out there, and see how much of it supports IP address certificates. If you're moving around the parts of some big complex system, it's pretty much guaranteed that many of those parts are going to choke if you just blindly go and stick IP addresses in https:// URLs.

And if you're fixing the software anyway, then it's not sane to "fix" it to attach identity to something you're going to want to change all the time, like an IP address. Especially if they're global addresses (which are the only ones any Let's Encrypt or any other public CA is ever going to certify) in the IPv4 space (which is the only one any "enterprise" ever seems willing to use).


The BSD networking stack treats an IP addr as a valid hostname for hostname resolution. As such, every phone, tablet, and computer able to do TLS by hostname can do it by IP. Try it out! Self-sign an IP certificate and try it on your local net. If you put it in the trust store, it’ll validate just fine. The only barrier to adoption was CAs refusing to issue IP certificates at large.


Not quite. DNS hostnames and IP addresses are encoded differently in X.509 certs: one is the dNSName option of the GeneralName choice type in the subjectAltName extension[1], the other is the iPAddress option. (And before you ask, tagging a stringified IP address quad as a dNSName is misissuance per the CA/Browser Forum Baseline Requirements[2] and liable to get your CA kicked from certificate stores. Ambiguous encodings are dangerous.) So some explicit support from the TLS library is indeed required. But I’m indeed not aware of many apps having problems with IP address certs.

[1] https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1....

[2] https://cabforum.org/working-groups/server/baseline-requirem...
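Added example (not from the comment above or from any TLS library): a type-aware subjectAltName matcher that shows why an IP reference identity must be checked against iPAddress entries only, plus an audit helper that flags IP literals encoded as dNSName. It assumes SAN entries arrive as `(kind, value)` pairs labelled "DNS" and "IP Address", the shape Python's `ssl` `getpeercert()` returns; the function names, the simplified wildcard rule and the sample SAN lists are constructed for illustration.

```python
import ipaddress


def _dns_match(pattern, host):
    """Match a dNSName pattern against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplified rule: a wildcard covers exactly one non-empty leftmost
        # label and needs at least two fixed labels after it.
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def san_covers(reference, san):
    """True if the name or address the client dialled is covered by `san`."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, value in san:
        if ref_ip is not None:
            # An IP reference identity consults iPAddress entries only and
            # compares parsed addresses, never strings or wildcards.
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value.strip()) == ref_ip:
                    return True
            except ValueError:
                continue
        elif kind == "DNS" and _dns_match(value, reference):
            return True
    return False


def misencoded_ips(san):
    """Return dNSName values that are really IP literals (audit helper)."""
    found = []
    for kind, value in san:
        if kind == "DNS":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
            found.append(value)
    return found


if __name__ == "__main__":
    # Constructed SAN lists; the first mirrors the 1.1.1.1 pairing of an
    # address and a name mentioned in this thread.
    good = (("DNS", "one.one.one.one"), ("IP Address", "1.1.1.1"))
    bad = (("DNS", "192.0.2.10"),)             # IP stringified as a dNSName
    v6 = (("IP Address", "2001:DB8:0:0:0:0:0:1"),)
    print(san_covers("1.1.1.1", good))         # matched via iPAddress
    print(san_covers("192.0.2.10", bad))       # dNSName never satisfies an IP
    print(misencoded_ips(bad))
    print(san_covers("2001:db8::1", v6))       # value comparison, not text
```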


Um, the BSD networking stack I'm familiar with doesn't include TLS or X.509 validation at all. The question isn't what you get from gethostbyname. It's what you get when you hand that to your X.509 validator.


> go do a survey of all the code out there, and see how much of it supports IP address certificates.

I've been doing that for years on onprem (~60% old "enterprise/legacy" ~40% modern stuff) and never seen anything that doesn't support it. YMMV, but if all I work with supports it, I won't complain in vain.

> those parts are going to choke if you just blindly go and stick IP addresses in https:// URLs.

I did many times, seems that legacy heavens were always kind to me in this regard.

> something you're going to want to change all the time, like an IP address

That's a personal assumption as well. If your architectures change IPs all the time, OK. Ones I worked with didn't. Always had plenty of components with IPs that didn't change in a decade or two. Even my two previous local ISPs I had gave me "dynamic public IP" and kept them for many years. For some companies changing an ip of their main firewalls/load balancers or VPN servers is unthinkable.

Even on my last project on Public Cloud, the first thing I did was to make sure public IPs won't be dynamic (will survive recreation of services) so I don't have to deal with consequences of my corporate client endpoints and proxies flushing DNS caches randomly. (don't ask me why, but even huge companies still use proxies on a large scale. Good luck with figuring out when such proxy invalidates your DNS record).

> in the IPv4 space

IPv6 is here. Your printer and light bulb will want a cert as well.


Not common, but there is the use case of vanity IPs. The cert for https://1.1.1.1 is signed for the IP as well as the domain name one.one.one.one


It might be interesting for "opportunistic" DoTLS towards authdns servers, which might listen on the DoTLS port with a cert containing a SAN that matches the public IP of the authdns server. (You can do this now with authdns server hostnames, but there could be many varied names for one public authdns IP, and this kinda ties things together more-clearly and directly).


It might also be useful to hide the SNI in HTTPS requests. With the current status of ESNI/ECH you need some kind of proxy domain, but for small servers that only host a few sites, every domain may be identifiable (as opposed to, say, a generic Cloudflare certificate or a generic Azure certificate).


I'm guessing mostly hobbyists and one-off use cases where people don't care to associate a hostname to a project.


One use-case is connecting to a DoT (DNS-over-TLS) server directly rather than using a hostname. If you make a TLS connection to an IP address via OpenSSL, it will verify the IP SAN and fail if it's not there.


It helps break free of ICANN's domain name system. This enables for competitors to support https without needing self signed certs.


Might be nice for local/development environment work. Test HTTPS without needing to set up `my-dev-env.staging.service.com` or whatever.


But these are public certificates. Most personal computers are behind NAT, i.e. they lack a public IP address.


But my EC2 instance is public! Ok not "local" per se, but definitely could be part of development work.


Yes definitely.


Static ip for self hosting at home


You can point a name at your home IP just as easily as any other IP.


But you have to pay and involve a 3rd party.


Are there ISPs that give you free static ips? Maybe for ipv6?


Probably not these days for v4


The validity is just 6 days, so I'd assume it's not for long lived use cases? Or am I misunderstanding something


they're only for publicly accessible IP addresses, so they'd work the same as regular letsencrypt certs - get a new one when the old one expires.


Certificate validity has no bearing on availability. It just keeps revocation lists short.


Pretty common to have appliances without DNS entries in infra is my guess, I could def make use of this at work.


You're not going to be able to get a cert for any address that's not both (a) global, and (b) actually reachable from the Internet.


The intended use case is to forbid plain http so that you can't communicate with the computer in the next room without 3rd party permission.


Sad but true. Anyone wanting to learn more about how dysfunctional the UK's justice system is after years of underfunding should read Secret Barrister[1]. For comfortable technology folks who seldom brush with the law it's eye-opening stuff.

[1] https://en.wikipedia.org/wiki/The_Secret_Barrister


What's the significance of this? The most recent advisory listed is almost a year old.


Holy crap, thanks for sharing this. It's the first time a conversational AI has impressed me. I can just about find the edges (short memory, relentlessly positive) but in the space of an hour it's given reasonably good advice on social situations, answered questions about how it works and even recommended some great niche bands based on my existing tastes. Just as you said, its knowledge seems to be extremely broad.

There's a contrast between Pi and the kind of chatbot discussed in the article. When we talk to Pi we don't expect it to do anything for us - it just gives advice and makes suggestions that we can take or leave. The resulting stream of tokens matches our expectations enough to satisfy us.

A chatbot on a company's website however, probably we are talking to that because we want something to happen. "Please fix my account", "my last bill was wrong" etc. As the chatbot isn't integrated with the company's processes it can't actually change the state of the outside world and so talking to it will be a frustrating experience. I wonder if this will improve if/when chatbots get better integrated with systems? Will companies even dare to do this for real?


I gave it to my kids and they were all creeped out

It’s clearly got issues but it’s tuned to be spookily charming

Very much uncanny valley for chat


Slightly offtopic but anyone with a dark sense of humour would do well to check out Chris Morris's stuff - I get a feeling most younger Brits haven't heard of it. Day Today and Brass Eye, both still funny, are wonderful time capsules satirising Britain as it was thirty years ago.

But IMO his finest work was Blue Jam - the radio comedy not the TV incarnation, hour-long episodes of low-key music and surreal sketches. Absolutely brilliant even today. Archive.org has a copy at https://archive.org/details/chrismorris_bluejam. Best enjoyed late at night.

Trigger warning: basically everything. The BBC would never get away with broadcasting it now.


Blue Jam is amazing, but it was the TV version of it: Jam, that really blew me away. Dark as anything, surreal, challenging, spectacular use of language, amazing use of music, and video editing techniques … incredible.

I remember when it was originally aired, it would be on around 10pm. Then repeated around 4am, but with the visuals just bouncing around inside a small square (like a ‘Pong’ ball). Each episode they would mess with the visuals in a different way. Definitely will never see anything like that on Tv again.

Probably my favourite sketch (which is also on Blue Jam) [1], but there are so many [2][3][4][5]. Even the intros [6] were disturbing, and set you up for what was coming in the next 30 minutes.

[1] https://youtu.be/5SqHtWudI24 - 'Suicide with an escape clause'

[2] https://www.youtube.com/watch?v=kGex0kLgNok - 'Thick People as a Service'

[3] https://www.youtube.com/watch?v=yKxM4ToLLR8 - 'Symptomless Coma'

[4] https://www.youtube.com/watch?v=LhKla4MEstY - 'Living Outside'

[5] https://www.youtube.com/watch?v=krsj2bcnRlM - 'Lizards'

[6] https://www.youtube.com/watch?v=F-i0XIux9vo - Intro compilation


Wow some seriously strange/funny/interesting stuff... Laughed my ass off at "Thick People as a Service"

American here. Reminds me heavily of Monty Python. I didn't realize there were other shows in such a similar vein. Will def checkout Jam / Blue Jam. Can you recommend any other shows I might not be aware of?


Look Around You [0] is little known even in the UK, but I think a lot of HN readers might love it. It's a surreal but perfectly observed parody of the 80s/90s educational videos we used to watch in school science classes.

[0] Episode 1: Calcium https://www.youtube.com/watch?v=FBaVwwuErmU


The series of 'Look Around You' that is a pastiche of 'Tomorrow's World' is amazing. The 'Music 2000' episode is my favourite [1].

This is an example of the original 80s TV show it was doing the pastiche of [2]

[1] https://www.youtube.com/watch?v=z2myFLUDB74

[2] https://www.youtube.com/watch?v=k0dn0lcvWkY


It's more based on Open University programs made for showing in schools. But Tomorrow's World is a similar ilk.


That's the first series, the second series [1] is a parody of TW.

[1] https://en.wikipedia.org/wiki/Look_Around_You#Series_two


Oh wow, I didn't know there was a second series!


Then you're in for a treat!



I'm feeling nostalgic just over the clock at the beginning!


Synthesizer Patel!


One that I absolutely loved, but which rarely comes up, is Mr Don & Mr George by two Scottish comedians Moray Hunter and Jack Docherty. I think there was only one series, but it has a beautifully gentle, slightly surreal, slightly slapstick humour.

Edit: And for a much more brutal sense of humour, I don't think any political comedy has bettered The Thick Of It.


I recommended Still Game to an American colleague and he found it hilarious even though I thought it would be a bit crude at times for an older gentleman. I guess the fact they're pensioners themselves softens the humour a bit.


Maybe you should try him on Rab C Nesbitt next :)


> Mr Don & Mr George

It was very funny, but also a spin-off to Absolutely!, which itself was a great series - 4 series! - with lots of funny characters:

* Calum Gilhooley, the most boring man in the world: https://www.youtube.com/watch?v=ebG3ZE4Ugqs

* McGlashan, the Scottish nationalist and anglophobe: https://www.youtube.com/watch?v=ND-SVKrvCxs

* Denzil and Gwenned: https://www.youtube.com/watch?v=Zw7tQOyfwyk

* Stoneybridge Town Council: https://www.youtube.com/watch?v=njiH4i4Kkf0

* The Little Girl: https://www.youtube.com/watch?v=LGNc9VOipw0

They were Edinburgh's answer to Glasgow's Naked Video (Gregor Fisher, Elaine C. Smith, Andy Gray, Helen Lederer, etc.) although the Welsh John Sparkes was in both, and had his own spin-off series, Barry Welsh is Coming



Love Big Train, some seriously good sketches. Here's some more of my favourites (outside of the ones you've already mentioned).

Unfortunately my favourite sketch, 'Cake Factory', isn't on Youtube any more. That was where I first realised how brilliant Simon Pegg was as a comedy actor.

[1] https://www.youtube.com/watch?v=zcAqR-Hs9II - Join the Army

[2] https://www.youtube.com/watch?v=rxUm-2x-2dM - Do You Speak English?

[3] https://www.youtube.com/watch?v=Yyj5cv5FPWA - Eagle Line Super Train

[4] https://www.youtube.com/watch?v=rxiOfepOxe8 - Evil Hypnotist

[5] https://www.youtube.com/watch?v=TIIAQME1Uhg - Jockeys in the Wild

[6] https://www.youtube.com/watch?v=9GmmAUbfhMU - Champion sprinter

[7] https://www.youtube.com/watch?v=CKRBYGhqI8Y - On Call Surgeon

[8] https://www.youtube.com/watch?v=XMh9CDNQhBg - Office Politics: Jesus vs Devil


Cake Factory was indeed a great sketch!


You missed the classic: https://www.youtube.com/watch?v=VKH9ECC_Qa4 (apparently not intended as an analogy for smoking, although it does work for that).


Big Train: directed by Graham Linehan - Father Ted, Black Books, The IT Crowd...

(And the guard of the hospital in Garth Marenghi's Darkplace.)


> Can you recommend any other shows I might not be aware of?

Really, too many.

Other genius-level of strangeness? The Mighty Boosh, by Julian Barratt and Noel Fielding (radio, TV, theater). - Radio: https://www.youtube.com/watch?v=3OZN1zyS7gY&list=PLflSnz9gSh... ; also live shows are on YT. The core are the TV series though.

Logical genius to the extreme, madness revealing? People Like Us, by John Morton (arguably the best thing ever made for the radio). - https://www.youtube.com/watch?v=EjZ4mBz5Qcc&list=PLJPeS4Ugqq...


I’d recommend anything by Julia Davis, who was in the ‘thick people’ sketch. Her comedies are pitch black and very good, including Nighty Night and Hunderby.

For a sketch show I’d recommend Big Train - it went slightly under the radar, but has an absolutely incredible lineup of talent.


I love her Dear Joan and Jericha podcast, where she and Vicki Pepperdine play wildly inappropriate agony aunts.


Slightly different, but Charlie Brooker (of Black Mirror fame) had a series called Screenwipe, which lampooned the tropes of television in the mid 2000s. It was pretty funny, and quite dark in places.


https://www.cookdandbombd.co.uk/forums/ might be a good place to start rummaging...


You forgot “baby plumber” - I sent this to Americans a few times and they couldn’t even compute it as comedy


Here's a great parody of Jam by Adam and Joe. I enjoyed Jam but when it misfired this was exactly how ridiculous it came across - https://m.youtube.com/watch?v=0t0Ocau-CUg


That was brilliant! Thank you for sharing it.


I didn't forget, I thought that might be a step too far for HN ;)


My housemates and I used to do Jam nights where we’d binge the whole series in one sitting, usually the Jaaaam version that was even more woozy and disorienting.

Ended up in some very strange headspaces at about 2am.


We should also remember On The Hour, the original radio precursor to The Day Today, though I think the TV series is more important.

My own favourite Chris Morris production is probably his Radio 1 series with the painfully embarrassing improvised tasks he'd set his hapless roving man on the scene.

I think that was also the one that got him temporarily banned from the Beeb for implying - but not outright stating - that Michael Heseltine (very senior British politician at the time) had died from a heart attack.

Edit: Ah, here. Typically facetious interview with "close personal friend, colleague and bass player of the Jam, Bruce Foxton"

https://youtu.be/SiTEtJN2LdU

"hit the ground screaming",

"which of your bass lines would be a suitable sort of lament", etc, etc


> "The Ukraine declared its own independent laws of physics. Under the new legislation only natural-born Ukrainians were granted the right to have density, speed was calculated to equal boiling-point over height and friction was abolished, which caused increased mortality around hills, but meant that Ukrainians could glide over hundreds of miles with just one push. Meanwhile in Kiev over three hundred protesters were injured in gravity riots."


Chris Morris is still on form. Here's his speech from the LMC Conference from a couple of months ago.

https://youtu.be/vECEz1E0HWg


Backed the full shows up here a few years ago if anyone is interested.

https://archive.org/details/OnTheHour

The Chris Morris Music Show was another humorous radio show he did in 1994.

https://archive.org/details/TheChrisMorrisMusicShow


Oh, speaking of Radio shows, there was a hilarious spoof call-in show on BBC Radio from 2006 to 2013. That's really worth a listen.

https://archive.org/details/DownTheLineBBCRadio4


Thank you, very difficult to find.


Thank you.


Circling back to the OP, On The Hour is the radio programme for which the character of Alan Partridge was originally developed in 1991.


BBC probably wouldn't broadcast Blue Jam today, but only because it would get such limited audience. It's niche and of its time.

Similar shows today would include the Skewer, and to be honest I would rank that as more legally dangerous to run, it skirts libel laws much more closely.


And the movies: Four Lions; The Day Shall Come.

And especially the relevant interviews: the movies are the artistic depictions, but the real world facts that made it important to produce them - the rationale and the exposition of salient research material that became the movie - are explained by Chris Morris in talks.


I never knew what to think of Four Lions. It's a hugely politically charged topic (suicide bombers, islamist terrorism, particularly perpetrated by UK residents/nationals). I watched it 10 years ago so perhaps I misremember it, but it didn't feel to me that the movie had any particular political agenda, it was just making fun of a band of clumsy terrorists.


It picks up a political agenda near the end when it shows the authorities to be clueless, and suspecting entirely the wrong people, but more generally the film has political origins.

When 7/7 happened, we saw the CCTV footage; Yorkshiremen getting on a train at Luton. Three of the four bombers were from Leeds, they were born in the UK, what on earth possessed them to go to London and try blowing it up? Fanciful notions of being a mujahideen? Some disconnect of belonging to the UK when they were clearly brought up fully within it?

I'm pretty sure Morris said he made the film to answer that question.

Monkey Dust series 2 (broadcast 2003, two years prior to the attack) had a similar examination with its Abdul and Shafiq sketches. Their friend Omar preaching to them about jihad but their lives mainly revolving around what's on telly and their mum feeding them turkey twizzlers. https://www.youtube.com/watch?v=rhxQT1d1AvE


And of course, even Omar isn’t very keen on doing any of the jihad stuff himself.


The key point that Four Lions makes is that the terrorists are not the highly devoted, strict followers of Islam that they claim to be. They are bored, directionless clowns and the devout want nothing to do with them. This is highlighted in the ringleader Omar's relationship with his brother - Omar and his wife tease and mock his brother for his strict adherence to Islamic customs. The devout brother tries to persuade Omar to abandon his terrorist plans, but is later targeted by the security services because they too assume that it's the strict, devout muslims that are behind it all.


Not the key point, I would say, but an important point.

It returns to OP's missing that the movie may have «any particular political agenda»:

there is a political point, which is "outcasts in search of an identity conflictually with their environment may have a political agenda, which causes a political problem". Disregarding such problem implies potential tragedy.

Edit (wrote in a rush): hence, that if there is a risk, quite worth of assessment, you'd better see things flatly, for what they are.


A sort of "favorite" of mine is this speech by an anthropologist about muslim extremists.. indeed you can apply it to white supremacist terrorists too, they join up to the cause for a feeling of belonging and purpose: https://www.youtube.com/watch?v=qlbirlSA-dc


I thought of it as satirising the picture painted by the security services of terrorist groups as Mission Impossible-type bad guys who were amazingly organised and professional, so they needed loads of money for counter terrorism. Don't get me wrong, I do value (some of) the work of the security services, but I think this kind of portrayal too easily allows people to ignore the fact that "terrorists" are often just directionless people drawn into that kind of world almost by accident. The Day Shall Come, released nine years later, expands on that idea.


I am not sure you can get that message from the movie. In the end it does show them as dangerous, murderous criminals. It doesn't take a PhD or lots of means to kill a large number of people. Which is also the difficult challenge posed to those security services.


I didn't (intentionally) say they didn't end up as dangerous, murderous criminals. I said that they were directionless people - they weren't criminal masterminds in a glamorous world of high-tech equipment and fast cars, they were tragic characters who got sucked into a farcical which saw someone blow themselves up in a shopping precinct while dressed as a chicken. It's a fundamentally humanising film which hints at the reasons people join those kinds of organisations, which are much less high-tech and organised than the security services (intentionally or otherwise) paint them as.


Nobody is talking about a «political agenda» - art as a lucid portrait exposing salient traits is not involved in that -, and it was not simply «making fun».

The very fact that you write «a band of» suggests you are not seeing the universality of the depicted. It is not like the long dream in Mulholland Drive, that changes and deforms a reality: it is meant to be a description through a satirical lens. And it's not "wacky break": it's "Wackyland".

The right-winged that converts himself after studying the texts of the opponents with the original intent of deprecating them; the special radicalism of the converted "local"; the actual nature of the largely misunderstood special culture hosted in the alien lands; the tone based on constant references to actual events (those who hid weapons in a park and found them stolen; those who hid them in a playground and found the children playing with them; those who filled a boat with them and it sank...); the social and internal states, flow and dynamics of the involved... The causal relation leading to the "necessary conclusions". All of this is a portrait - an analysis.

And statements such as "I have hit them, so they must be the bad ones" are fed to the police - not the protagonists. «Clumsy» who? And the interrogator in the "extra-territorial" container, that seems to be imported directly from Joel and Ethan Coen - «clumsy» who? No, not just "the protagonists".

Maybe, as suggested, you could check a few of the interviews that Chris Morris gave.


It was also written about complex cultural issues in ethnic minorities by people who weren't from those minorities. I am a big fan of Morris, but there is something inauthentic (edit: I originally wrote "slightly patronising" but I think the film was made in very good faith) about that. Also there is no shortage of voices from those communities represented, so why should it be left to a bunch of people removed from them to tell their story?


A good story can always use more writers, amirite?


If you like Chris Morris, then you might also like Victor Lewis Smith who had a similar sense of humour. (I'm not going to get into an argument about whether one influenced the other. There was apparently a bit of bad blood.) He (VLS) died recently and the BBC did a retrospective: https://www.bbc.co.uk/programmes/m001kgd2


https://archive.org/details/vls-archive seems to have a lot of good stuff


Blue Jam was so funny and horrific at the same time. I actually liked the TV version of it. Good to hear it mentioned.


In a similar and even darker vein, the animated sketch show Monkey Dust is also fantastic.


I don't think it's a coincidence that both of Chris Morris's parents are doctors.


The Suicide Journalist sketch has been rattling around my head ever since I first heard it.


I remember staying up late as a kid, so I could listen to Blue Jam! Such amazing sounds! I seem to recall it was annoyingly late tho, like 2am or such.


Thanks for this, I never heard of Blue Jam but I do own the Jam DVDs. I had to get a region free player to watch them.


I love the TV show also. It's just so surreal and dark.


Some brilliant sketches in there.

One of my favourites is the man who attends his own funeral: https://youtube.com/watch?v=HhBkC6B9I2U


My favorite is the detached upperclass parents who didn't notice their child not coming home from school: https://youtu.be/sydPKgC_Or4?t=1137


I like to human think that Garth Marenghi's Darkplace is a spiritual successor of sorts.


> The cabin crew suggested we all go out and club it. I had no option. It was that or one of their B&Bs. I figured it'd be safer on the streets. For the first time ever I saw the Scotch in their natural habitat, and it weren't pretty. I'd seen them huddling in stations before, being loud but… this time I was surrounded. Everywhere I went it felt like they were watching me; fish-white flesh puckered by the Highland breeze; tight eyes peering out for fresh meat; screechy, booze-soaked voices hollering out for a taxi to take 'em halfway up the road to the next all-night watering hole. A shatter of glass; a round of applause; a sixteen-year-old mother of three vomiting in an open sewer, bairns looking on, chewing on potato cakes. I ain’t never going back… not never.


Is that you watching the YouTube video?

https://youtu.be/T8wIgQB9GIA


Yes, lived in Glasgow for 10 years so it’s one of my favourites.


Perhaps moreso Monkey Dust?


I'm a big fan of Monkey Dust, but due to legal complications with the music copyrights, they were only able to release the first season on DVD. Pirating is the only way to watch seasons 2 and 3.


Sounds awesome. Thanks so much!


The kind of thing they ‘got away with’ was cutting in shots of black and brown people doing their cultural dances with shots of unrelated Brits with a laugh track backing.


[citation needed]


Sounds amusing.


Amazon has had a print-on-demand service [1] for a while so the real question is whether major publishers have been signing deals to use it. Maybe from their perspective it's worthwhile for older books, to avoid maintaining lots of slow-moving inventory?

[1] https://kdp.amazon.com/en_US/help/topic/GHKDSCW2KQ3K4UU4


I think this is right. Some book stores in the US even have print-on-demand machines inside the shop. See https://www.ondemandbooks.com/ for more info about the printers.

Most publishers make good money on their backlists, with a slow trickle of sales across a huge number of titles. Amazon and other stores don't always want to stock these titles because they take up a lot of shelf space.

Publishers may not want to put them into book stores because they may be returned if unsold, and the return process is costly. So print-on-demand (POD) makes sense for both parties.

Amazon has been running a pretty big POD operation for years for its Kindle Direct Publishing arm, so they have the infrastructure to print books for others as well. And yes, depending on the machine, the covers may not look quite as nice as the covers from offset printers.


> I think this is right. Some book stores in the US even have print-on-demand machines inside the shop. See https://www.ondemandbooks.com/ for more info about the printers.

Here's a video of the machine in action: https://www.youtube.com/watch?v=qJUla8xJ5BM


Thanks for posting that. That's pretty cool.


diamondap -- I see that you're an author yourself, do you know much about how the industry functions on the publisher side? I'm trying to learn more about the space (both out of personal curiosity as I've been working on a book myself and because the more I learn the more I'm interested in building something in the industry).

If you're willing to chat, happy to ping you through your website!

Edit: I see on your personal website you also have a publishing co, would love to get your insight


Yes - speaking with ex-colleagues now at AWS this sort of thing is exactly what happens. Finite resource is warehouse space, so use that on the popular inventory and allow publishers to POD.


I wouldn't say so. The story needs this context to make sense and outside a war, where else would one need to rebuild large bridges under fire. As a technical achievement it certainly is something to be proud of.


> where else would one need to rebuild large bridges under fire

Ukraine, now.

But that doesn’t diminish the achievement.


> and outside a war


Minidisc lover here - I bought my first MZ-R50 in 1998 and a quarter of a century later I still occasionally use it.

With secondhand players getting expensive now what are the odds of somebody bringing out a new one? I'd pay good money for something that's backwards compatible, has the same chunky metallic look and feel and comes with a few new features.

