Four short links: 1 February 2013

Icon Font Fun, Rails Security, Indie Economics, and GitHub MITMed in China

  1. Icon Fonts are Awesome — yes, yes they are. (via Fog Creek)
  2. What the Rails Security Issue Means for Your Startup — excellent, clear, emphatic advice on how and why security matters and what it looks like when you take it seriously.
  3. The Indiepocalypse (Andy Baio) — We’re at the beginning of an indiepocalypse — a global shift in how culture is made, from a traditional publisher model to independently produced and distributed works.
  4. China, GitHub, and MITM — "No browser would prevent the authorities from using their ultimate tool though: certificates signed by the China Internet Network Information Center. CNNIC is controlled by the government through the Ministry of Industry and Information Technology. They are recognized by all major browsers as a trusted Certificate Authority. If they sign a fake certificate used in a man-in-the-middle attack, no browser will warn of any unusual activity." The discussion of how GitHub (or any site) could be MITM'd is fascinating, as are the pros and cons for a national security agency of co-opting the certificate-signing NIC.


  • Ivan Ristic

    About MITM attacks by a CA: I don’t believe it’s quite as straightforward as the snippet from the original text makes it sound. There is one browser — Chrome — that supports a technique called public key pinning, which enables it to detect MITM attacks, even if they are carried out by a CA. If such an attack is carried out, chances are it will be caught, and the CA removed from all browsers. So, it’s possible, but costly. Chrome currently hard-codes public key pins, but the hope is that in the (relatively near) future this sort of thing will be available to all web sites (similar to how HTTP Strict Transport Security is gaining popularity these days).