06 Jan

Mike’s Lookout – SPDY of the Future Might Blow Your Mind Today

Despite its coolness, there is an aspect of SPDY that doesn’t get much press yet (because nobody is doing it). Kudos for Amazon’s Kindle Fire for inspiring me to write about it. I spent a fair amount of time running network traces of the Kindle Fire, and I honestly don’t know quite what they’re doing yet. I hope to learn more about it soon. But based on what I’ve seen so far, it’s clear to me that they’re taking SPDY far beyond where Chrome or Firefox can.

The big drawback of the previous picture of SPDY is that it requires sites to individually switch to SPDY. This is advantageous from a migration point of view, but it means it will take a long time to roll out everywhere. But, if you’re willing to use a SPDY gateway for all of your traffic, a new door opens. Could mobile operators and carriers do this today? You bet!

Check out the next picture of a SPDY browser with a SPDY gateway. Because SPDY can multiplex many connections, the browser can now put literally EVERY request onto a single SPDY connection. Now, any time the browser needs to fetch a request, it can send the request right away, without needing to do a DNS lookup, or a TCP handshake, or even an SSL handshake. On top of that, every request is secure, not just those that go to SSL sites.

via Mike’s Lookout – SPDY of the Future Might Blow Your Mind Today. The pictures give a really good sense of what is going on.

07 Apr

Electronic Frontier Foundation – Fully-qualified Nonsense in the SSL Observatory

Yesterday, I posted about how internet certification authorities will sign unqualified names, which have no meaning on the internet.

In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.

As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.

Although you can register most any name (that contains letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs is fixed. Although ICANN might someday approve a .mars TLD for the red planet, they have not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)

However, CAs will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names (such as phrases containing spaces). Attached to this post, below, is a file containing a list of all the distinct TLDs in all the CA-validated names that the EFF SSL Observatory has observed.

via Electronic Frontier Foundation – Fully-qualified Nonsense in the SSL Observatory. What stupidity.