> - HTTP access, insecure and some browser functionality is unavailable for pages/SPA's served over HTTP.
> - HTTPS and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser big warning.
That's not really true though, right? I think the options are actually:
- HTTP access, insecure and some browser functionality is unavailable for pages/SPA's served over HTTP.
- HTTPS, insecure and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser big warning, but some more web APIs work.
Unless I'm mistaken with a self-signed cert you gain none of the actual security guarantees of https with a CA mostly stemming from the fact that there is no authenticity and MITM is trivial. I think it's a bad idea to pretend to a user that a connection is secure if it actually isn't. The solution I think would be to open up web apis to local http connections and create a verification system for self-signed devices like signal, matrix, and probably other systems have.
I work in manufacturing automation so I may be biased, but attempts to robotize the manufacturing of a product that's being iterated on continuously (Tesla) or automating the assembly of lots of low-volume products is always going to go poorly.
Large car companies like GM or Ford hire automation companies to build automation equipment that meets a very specific spec for assembly steps, tolerances, rates, etc. They design components with ease of manufacturing as a significant factor. How something will be assembled is a constant consideration while designing. The product being run on these lines never really changes and human are only used when the the operations are so complex that the equipment doesn't pay for itself in (typically) 2 years. This is very rare, mostly people are only there to keep the machines filled with parts.
In the sequence of
design -> automate -> manufacture
manufacture needs to be much larger than the others have good margins. You can't iterate on design without iterating on automate, so if you change the design a lot it's probably best to avoid trying to automate.
It would be interesting to see the comparison to a Ryzen 7 PRO 4750U, you can find that in a ThinkPad P14s for $60 less than the cheapest macbook air (same amount of ram and ssd size) so that seems like a fair comparison
I think the expectation is that employers would just reduce the salary of all WFH employees until they are paying the same amount as they were before. I would expect very few, if any, US companies would shoulder the burden themselves and keep their employees salaries the same
The difference between hardware and software is that copying is free for software. You can own the hardware and do whatever you want with it because for you to reproduce it would require you to effective be Nvidia. For software you can't give a user ownership of exactly 1 copy of software. If the purchaser has all of the rights of ownership they would have the right to distribute copies for free, which obviously make selling the same software impossible. Software is copied and hardware is moved, they're fundamentally different so the have to be treated differently
It really depends on what you want or what your personal situation is. I'll give my thoughts on a few possible adversaries.
- 1. An individual attempting to perform an MITM attack on you. The classic free wifi adversary you've probably heard about. There's little risk of this individual using the sites you visit against you so you only care that they can't manipulate your usage of said sites: Use HTTPS and you'll be fine.
- 2. Your ISP. You don't want them to see where any of your traffic is going because you don't trust them: Use a VPN. Shift the trust to either a VPN provider or a cloud-hosting provider by running your own VPN.
- 3. Your Government. Let's assume they can see all of the traffic within the country and you don't want them to associate your traffic with you: This is the step where it becomes challenging, you want to blend in, not just add more security steps. Ideally you want your traffic to leave the governments jurisdiction and if needed reenter looking like normal traffic from other countries. Tor is a good option here, there's a reasonable amount of traffic on the Tor network to hide in and your traffic is almost guaranteed to leave your country at some point. Alternatively choose a VPN provider that resides legally outside of your country and choose a server that resides physically outside of your country. Both options will move your traffic outside of the jurisdiction of your government, so this should be sufficient within the confines of the current example.
- - What about a self-hosted vpn in a region outside my country? If you ever connect to a server inside your country the full path of your traffic will be able to be seen by your government.
- - What about multiple self-hosted VPNs outside my country? This is an improvement on the previous issue, but it's unlikely to prevent your traffic from being correlated to you on timing alone.
- 4. God's Eye. Your adversary can see all internet traffic everywhere on Earth: Good luck. Maybe use Tor over a popular VPN service to increase the difficulty of correlating your traffic to you? Hope the Nym mixnet becomes popular?
Some additional considerations:
- What if I don't trust a VPN provider? You probably want to hide your traffic in their traffic so pick a VPN provider that requires no user info to sign up and let's you pay with a cryptocurrency or cash. I know of Mullvad that fits this requirement, there are probably others as well. Self host a VPN and to the VPN service through your VPN, now neither the VPN service or the cloud provider has a full view of your traffic (wireguard makes multihop VPNs easy). You could do the same by use 2 vpn providers.
> - HTTPS and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser big warning.
That's not really true though, right? I think the options are actually:
- HTTP access, insecure and some browser functionality is unavailable for pages/SPA's served over HTTP.
- HTTPS, insecure and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser big warning, but some more web APIs work.
Unless I'm mistaken with a self-signed cert you gain none of the actual security guarantees of https with a CA mostly stemming from the fact that there is no authenticity and MITM is trivial. I think it's a bad idea to pretend to a user that a connection is secure if it actually isn't. The solution I think would be to open up web apis to local http connections and create a verification system for self-signed devices like signal, matrix, and probably other systems have.