undefined | Better HN

0 pointsKMag8y ago0 comments

Well, either it shouldn't have stopped working, or it never should have worked in the first place. It's arguable that no signed software should run without the code signature being timestamped/signed by a trusted timestamp server. Otherwise, simple developer laziness causes 99% of software to stop running a couple years after being published.

On the other hand, maybe this is really a lazy feature. It's probably a good idea for the system to disallow both incoming and outgoing network traffic to any program written in a non-memory-safe language that hasn't been signed in the past couple of years. The lazy version of this feature is just not to run any program not signed in the past couple of years.

Edit: Requiring a timestamped signature on the signature also makes it pretty easy to add auditing functionality to the timestamp server whereby the publisher can detect unauthorized signatures due to their private key being leaked/stolen by criminals or governments. If the timestamp server's logs show a signature by your key that you don't recognize, then something has gone wrong. On the attacker's side, they need to either steal the timestamp server's private key or publish their malicious signatures for scrutiny.

0 comments

Piskvorrr8y ago

Wonderful, let's just autokill all abandoned software out of laziness. I can think of multiple programs that I use which haven't been updated in years, sometimes because there is nobody to develop them (project was cancelled/company ceased to exist/sole developer got fed up and quit/whatever). What are my options? Get a crappier but new alternative, or nothing - just because someone thinks "old == bad" (Meanwhile, new and drool-proof programs tend to exhibit the same bugs of old, despite having been sprinkled with magic memory-safe dust and blessed by current signature)

nikanj8y ago

My browser refuses to connect to a large number of websites, because they're still following the SSL best practices from last week. Apparently this is the reality we've decided to live in.

djpr8y ago

Firefox and Chrome give me that warning page, but I just click on "Advanced" and it will let me continue to the website. At least for me, it's just a huge warning to be careful but I still have ultimate control.

1 more reply

wang_li8y ago

If the license that is presented to the user for acceptance doesn't include specific termination dates, or as is common in most consumer software specifically states the license is non-terminating, then any product that stops because a certificate expires is a flat out violation of the agreement and every single user should promptly sue the publisher for 100% of their money back plus any damages. And, in my opinion, this sort of thing is not accidental, so it should penetrate the corporate veil that protects individuals from liability.

j / k navigate · click thread line to collapse