And there's the Chinese proverb, roughly translated and paraphrased: "soldier who ran away 50 paces mocks another who ran 100 paces for his cowardice" [0].
I get it, preventing local privilege escalation on *NIX is hard, and I appreciate OpenBSD's focus and stance on security, vs. say Linus's more laid-back attitude. And having arguably the fewest of them is an achievement, even if it's not zero. Let's focus on making OpenBSD better and not belittling others' shortcomings.
I would imagine that it's a bit of both, but 1 point of comparison in OpenBSD's favor would be LibreSSL vs OpenSSL: the number & severity of issues in the OpenBSD-maintained project has been significantly lower.
FYI, since you're here: visiting your site on FF in Windows 10 is throwing an insecure error, saying you're using an invalid certificate. 100% possible that's somehow an error on my end - but just in case it isn't, thought you'd want to know. Sample URL throwing it: https://www.tedunangst.com/flak/post/books-chapter-three
Side note: I'm hugely grateful for all your work on OpenBSD.
www.tedunangst.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER
And in Chrome:
Attackers might be trying to steal your information from www.tedunangst.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Despite the browsers' dire warnings, you are still far more protected visiting a website with a self-signed certificate than visiting a plain http website.
> Yesterday, reading this page in plaintext was perfectly fine, but today, add some AES to the mix, and it’s a terrible menace, unfit for even casual viewing.
March 24, 2017 -- "During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites" [1]
Let's Encrypt isn't perfect either. You've got to be cognizant of what details you are sharing over the connection, regardless of who signs the certificate.
> You've got to be cognizant of what details you are sharing over the connection, regardless of who signs the certificate.
So why not cut out the browser errors, for free? Somehow this vaguely feels like Don Quixote straining hard to hold onto the original definition of the term "hacker".
Props to this guy for sticking to his beliefs; I don't mean for this to be interpreted as saying anything should be changed.
Right. I've visited Ted's site in the past, and had no certificate warnings. Now, suddenly, I am getting warnings. So isn't that the exact scenario in which I should be very suspicious?
It's just a blog; I'm not submitting anything, but still it's an indicator that something fishy might be going on.
Given that one is one of the most widely used OSs in the world and one is a fringe OS, which surely must affect likelihood of detection, I'm not sure any number above zero makes this a favorable comparison for OpenBSD.