103 points voxadam | 17 comments
1. schmuckonwheels ◴[] No.46212214[source]
Objectively better than serving 12MB of JavaScript slop, trackers, and "analytics" over HTTPS so you can share a recipe for flan.

Greg K-H has more credibility than 99% of posters here.

He's literally the #2 guy in Linuxworld (behind Linus). What have you done?

replies(2): >>46212478 #>>46212559 #
2. kvemkon ◴[] No.46212291[source]
But how do you know that if kroah.com used Let's Encrypt it would belong to Greg K-H? What if his true website were, e.g., greg-k-h.com?
replies(1): >>46212356 #
3. a99c43f2d565504 ◴[] No.46212356[source]
Right. Also, when it comes to the other aspects of TLS, such as preventing middlemen from making sense of what information flows between you and the server, what exactly is the threat in this case? I mean, it's a public blog post, which you only ask to read and so you are served.
replies(2): >>46212532 #>>46213434 #
4. 1970-01-01 ◴[] No.46212478[source]
You enumerated the security risks of clear text transmission over the Internet and everything came up green because the blogger works on Linux?
replies(2): >>46212553 #>>46214001 #
5. vpShane ◴[] No.46212532{3}[source]
It's not about threat, it's about privacy. I understand your statements but 'what is the threat in this case' to answer that: I don't want to know, I've moved on from those worries. Always encrypt.
replies(1): >>46213113 #
6. schmuckonwheels ◴[] No.46212553{3}[source]
If you are too afraid to click a cleartext HTTP link then don't; it's not for you. Just spare the rest of us the melodrama.

While you are at it, better not ever update Debian or any number of other OSes because their updates are served over plain HTTP.

replies(1): >>46212827 #
7. vpShane ◴[] No.46212559[source]
I enjoy this person's writings, and contributions. I am Linux's biggest fan and research cyber security daily.

I would prefer https.

replies(1): >>46212584 #
8. schmuckonwheels ◴[] No.46212584{3}[source]
I prefer a nice cappuccino, but sometimes all that's available is plain black coffee from the shared pot in the canteen (which someone could have tampered with).

But we drink it anyway (at risk) because it's free.

replies(1): >>46218215 #
9. 1970-01-01 ◴[] No.46212827{4}[source]
You almost had a great point here. If he began every blog rant with BEGIN PGP SIGNED MESSAGE and included a digital key somewhere secure, somewhere that I could go and verify, just as Debian does with updates, I maybe could tolerate the cleartext. But he clearly didn't (pun alert!).
replies(1): >>46218565 #
10. vhcr ◴[] No.46213113{4}[source]
What privacy? Whoever is watching your traffic can see you accessed their website with HTTPS, they can guess with high accuracy which article you are reading based on the response size.
replies(1): >>46220843 #
11. ◴[] No.46213434{3}[source]
12. MobiusHorizons ◴[] No.46214001{3}[source]
Please don't get me wrong. I'm glad the world has mostly transitioned over to HTTPS, but what are you actually concerned about with reading a blog post over HTTP? If you had to log in or post form data, or hosted binaries or something I would get it. But what is wrong with reading an article in the clear? And how would SSL prevent that?
13. rithdmc ◴[] No.46218215{4}[source]
"Quantum Insert" (packet injection) style attacks are easier without transport encryption.
14. zahlman ◴[] No.46218565{5}[source]
Pardon; your threat model includes someone MITMing Greg's site to misrepresent what the blog article says?

... But you'll happily go to a forum site such as HN to discuss the post?

replies(1): >>46218912 #
15. 1970-01-01 ◴[] No.46218912{6}[source]
https://apps.lansa.com/LearnLANSAWebMobile/index.html#!Docum...

XSS is a real threat that everyone like you missed.

replies(1): >>46225423 #
16. vpShane ◴[] No.46220843{5}[source]
Any hops along the paths and whatever they split off to by whoever. And of course they can, even with HTTPS the Client Hello is unencrypted.

Unencrypted data transmission just isn't a thing I'm interested in with it being 2025.

17. zahlman ◴[] No.46225423{7}[source]
> The content is not shown because JavaScript is disabled.

Two can play the luddite game.