Hacker News: jakasto's comments

If I understand the discussion correctly, I think tptacek is right but he's not explaining his position well, which might be why he's been downvoted.

I think he's saying: let's say the correct IP address for example.com is 192.0.2.80. Instead of hijacking the prefix containing example.com's nameservers, an attacker could just hijack 192.0.2.0/24 and immediately get a DV cert. Within seconds they would be up and running and DNSSEC wouldn't have done a thing to prevent it.
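The scenario in the comment above, worked through as an added toy model (constructed here, not code from the thread or from any CA): DNSSEC authenticates the answer "example.com is 192.0.2.80", but an HTTP-01 style DV check is then delivered by BGP routing to whoever holds the best route for that address. The zone "signature" below is an HMAC standing in for an RRSIG, the route table is a dict with longest-prefix match, and the ASNs, the legitimate /23 announcement and the token exchange are all assumptions made for illustration.

```python
"""Toy model: DNSSEC protects the DNS answer, not the path to the web server.
Constructed example; prefixes are RFC 5737 documentation space, ASNs are
private-use, and the HMAC stands in for a real RRSIG (assumptions)."""
import hashlib
import hmac
import ipaddress
import secrets

# --- constructed "signed" zone -------------------------------------------
ZONE_KEY = b"example.com zone signing key (constructed stand-in for DNSKEY)"


def sign_rr(name: str, rdata: str) -> str:
    return hmac.new(ZONE_KEY, f"{name} A {rdata}".encode(), hashlib.sha256).hexdigest()


DNS = {"example.com": ("192.0.2.80", sign_rr("example.com", "192.0.2.80"))}


def dnssec_resolve(name: str) -> ipaddress.IPv4Address:
    """Validating resolver: refuse any answer whose signature does not verify."""
    rdata, rrsig = DNS[name]
    if not hmac.compare_digest(rrsig, sign_rr(name, rdata)):
        raise ValueError("bogus: RRSIG does not validate")
    return ipaddress.ip_address(rdata)


# --- constructed routing: longest-prefix match, as routers do ------------
class Origin:
    def __init__(self, asn: int, knows_token: bool):
        self.asn, self.knows_token = asn, knows_token

    def serve(self, token: str) -> str:
        # only the party that requested the cert knows the challenge token
        return token if self.knows_token else "404"

    def __repr__(self) -> str:
        return f"AS{self.asn}"


def route(table: dict, dst: ipaddress.IPv4Address):
    best = max((p for p in table if dst in p), key=lambda p: p.prefixlen, default=None)
    return table[best] if best is not None else None


def http01_validate(table: dict, name: str, token: str):
    """CA side: resolve with DNSSEC, then connect to the IP and accept whoever
    answers with the expected token. The DNS step is authentic either way."""
    ip = dnssec_resolve(name)
    origin = route(table, ip)
    return origin is not None and origin.serve(token) == token, ip, origin


def scenario(hijack: bool) -> dict:
    token = secrets.token_hex(8)
    legit = Origin(64496, knows_token=False)     # real example.com; did not ask for this cert
    attacker = Origin(64511, knows_token=True)   # requested the cert, controls the fake origin
    table = {ipaddress.ip_network("192.0.2.0/23"): legit}  # assumption: legit announces a /23
    if hijack:
        table[ipaddress.ip_network("192.0.2.0/24")] = attacker  # more specific prefix wins
    issued, ip, origin = http01_validate(table, "example.com", token)
    return {"dnssec_answer": str(ip), "challenge_served_by": repr(origin), "cert_issued": issued}


def tampered_answer_is_rejected() -> bool:
    """Contrast: DNSSEC does stop an attacker who swaps the A record itself."""
    saved = DNS["example.com"]
    DNS["example.com"] = ("203.0.113.9", saved[1])  # new address, stale signature
    try:
        dnssec_resolve("example.com")
        return False
    except ValueError:
        return True
    finally:
        DNS["example.com"] = saved


if __name__ == "__main__":
    print(scenario(hijack=False))
    print(scenario(hijack=True))
    print("tampered DNS rejected:", tampered_answer_is_rejected())
```

Run with and without the hijack: the DNSSEC answer is identical and valid in both cases, but the more-specific /24 announcement redirects the CA's connection to the attacker, who serves the token and gets the certificate. The last function shows the case DNSSEC does cover (a forged A record), which is what makes the two threat models easy to conflate.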


I used to regularly buy from Amazon but stopped a while back. The final straw was some razor blades that were noticeably duller and inferior to previous units of the same product.


According to Google PageSpeed Insights, your speed scores are 59/100 for mobile and 40/100 for desktop. The "optimize images" section says there are 1.3MB of image optimizations to do. That's just the image bloat, not the image content, and it's just one of the improvements to make. If you want to make AMP go away, make slow webpages go away.

https://developers.google.com/speed/pagespeed/insights/


Interesting. I put my own blog (link in my profile) into there, and it scored only 90/100 on mobile. Google now wants to talk me into enabling compression and caching on a website that is literally 4.98 KB large (including all assets).


I got 91/100 mobile, 90/100 desktop for a site that is 4.95kb.

Reasons?

* Apparently the HTML should be minified.

* Apparently I should use gzip, because 4.95kb is too big.

* The inline styles are below the content to prevent showing the user nothing as it paints. Google thinks the 594 bytes of styles need to be in a separate request.

I think insights is pretty useless at analysing sites below a certain size threshold.

At these sizes, network latency is the biggest drain on loading a page... Which effectively means users don't notice loading times when they click a link.


I don't disagree with you. However, I think the best solutions almost always address root issues, so I'd much rather Google more heavily penalized slow sites. That gets to the heart of the issue without harmful side effects. AMP does neither.


Can anyone think of other industries where this is the case? Imagine for a moment if grocery stores injected small amounts of lead into the food, or if gas stations injected water into the fuel (for bulking).

I know this kind of thing happens in China (think about toxic products added to baby milk, for example, to cheat protein tests). But that's at the "website" level, not the "ISP" level. I suppose healthcare (at least in the US) is the most likely industry to see attacker behavior.


It's interesting to think of it this way. Clearly, the attackers (being ISPs in this case) don't see it this way or don't want to see this sort of MITM this way. Following one of the links in the article [1], you get some great quotes:

> Comcast injects ads into unencrypted traffic, because "it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast".

So maybe someone out there actually feels this way when they find content has been directly injected in their unencrypted browsing session. I sure don't.

[1] https://konklone.com/post/were-deprecating-http-and-its-goin...


I'd expect the PR/marketing people to laugh at "the plebs" as they make up press releases like that :)

Maybe I'm just cynical, but I can't imagine anyone believing that ads are a "courtesy".


Anything can be spun to look more positive, or more negative. But that's BS. There are other ways for Comcast to inform their customers that it's a Comcast Wi-Fi. And even if there weren't, are they even working with the Wi-Fi Alliance to create a "perfect protocol" to do this in a secure way?


Let's assume Comcast really thinks it is a feature that many people will like (I personally rather think it is a feeble excuse, but don't want to completely exclude this possibility). But why doesn't Comcast enable people to opt out of this "feature" then?


Yes, because a fake Comcast hotspot surely wouldn't display Comcast ads to make the fake complete?

Comcast understands that politics works on money and connections, not facts, and has learned to play that game to great profit for themselves.


Device resellers will inject a ton of crapware/adware into whatever they're reselling (Laptops, Android phones etc).

TV networks inject a ridiculous amount of ads in and around their content (even natively into the content sometimes), even for content you pay for.


A closer analogy would be if grocery stores were giving you reward/savings cards that you have to scan on every purchase. It is advertised as providing you a small discount after a certain number of purchases but really it is meant to track you over time.


offtopic: how many people don't put fake info on them?

Also why not just track via the CC name? I guess cash / check users?


Imagine instead if they injected ethanol into your gasoline to reduce fuel efficiency.


Actually, the reason they inject ethanol (by law) is to reduce asthma and cancer. So I'm okay with that.


Is this in the States? I've always been under the impression that this has more to do with the corn lobby than anything else, with a nod towards the environment in that it's a biofuel so it's renewable. That's offset by using a potential food source for fuel.

Here's a quote from Wikipedia that indicates ethanol (E85) actually worsens pollution:

A study by atmospheric scientists at Stanford University found that E85 fuel would increase the risk of air pollution deaths relative to gasoline by 9% in Los Angeles, US: a very large, urban, car-based metropolis that is a worst-case scenario. Ozone levels are significantly increased, thereby increasing photochemical smog and aggravating medical problems such as asthma.

https://en.wikipedia.org/wiki/Ethanol_fuel#Air_pollution


One could say that non-cash (debit/credit) transactions are recorded by the devices that enable them, and thus recorded and tied to an identity. The information could then be used by matching your card number when you use it online or elsewhere.


This is at least complicated somewhat by PCI compliance. Are you allowed to store irrecoverable hashes of card numbers?


Yes, you can store tokens representing a credit card number (whether an hmac, database identifier, etc) outside of PCI scope. https://www.pcicomplianceguide.org/how-you-can-use-tokenizat...
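An added example (constructed here, not from the thread or from any PCI document) on the "irrecoverable hash" question raised above: an unkeyed SHA-256 of a PAN is not irrecoverable, because the PAN space is tiny once the digits that are allowed to appear on receipts and screens (the BIN and the last four) are known, and Luhn prunes the rest. A keyed HMAC token only resists this while the key stays out of the attacker's reach, which is why the key belongs inside the cardholder data environment. The PAN is a well-known test number, the key and the 8-digit BIN masking are assumptions for illustration.

```python
"""Why an unkeyed PAN hash is brute-forceable from a masked receipt, and how a
keyed HMAC token differs. Constructed example; TEST_PAN is a standard test
number, not a real card; the key is a placeholder."""
import hashlib
import hmac
import itertools

TEST_PAN = "4111111111111111"  # constructed test PAN


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sha256_token(pan: str) -> str:
    """The weak choice: deterministic and keyless, so anyone can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hmac_token(pan: str, key: bytes) -> str:
    """Keyed token: recomputing it requires the key held inside PCI scope."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(token: str, token_fn, known_prefix: str, known_suffix: str, length: int = 16):
    """Attacker with a masked PAN (prefix + last four) and a stored token:
    enumerate the hidden digits, skip Luhn failures, compare tokens."""
    hidden = length - len(known_prefix) - len(known_suffix)
    for digits in itertools.product("0123456789", repeat=hidden):
        cand = known_prefix + "".join(digits) + known_suffix
        if luhn_ok(cand) and token_fn(cand) == token:
            return cand
    return None


def demo() -> dict:
    key = b"constructed tokenization key; in practice kept in the CDE"
    prefix, suffix = TEST_PAN[:8], TEST_PAN[-4:]  # assumption: 8-digit BIN shown, last 4 shown
    hidden = len(TEST_PAN) - len(prefix) - len(suffix)
    # 1. unkeyed hash: attacker recomputes SHA-256 over the candidate space
    from_hash = recover_pan(sha256_token(TEST_PAN), sha256_token, prefix, suffix)
    # 2. keyed token: attacker does not have the key and must guess one
    wrong_key = b"attacker's guess"
    from_hmac = recover_pan(hmac_token(TEST_PAN, key),
                            lambda p: hmac_token(p, wrong_key), prefix, suffix)
    return {
        "candidates_searched": 10 ** hidden,
        "unkeyed_hash_recovered": from_hash,
        "keyed_token_recovered": from_hmac,
    }


if __name__ == "__main__":
    print(demo())
```

With eight BIN digits and the last four visible, the search space is 10^4 candidates before Luhn, which is why PCI DSS treats a hash and a truncated copy of the same PAN in one environment as a disclosure rather than as protection. The HMAC variant recovers nothing without the key; the key, and not the token store, is then the asset to protect.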


I am not familiar with the PCI compliance stuff, but I found this after a quick search: "How Companies Learn Your Secrets" http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...


You don't need the card number, the name + zip (+ store location) is enough to correlate enough of the time.


> or if gas stations injected water into the fuel (for bulking)

Does this not happen in the US? It may be an urban legend, but in Poland, I did hear from drivers that some gas stations do that (usually non-franchise ones).


When I was visiting India roughly a decade ago, I was told that it was very common for gas stations to bulk gasoline with kerosine. Apparently kerosine is heavily subsidized by the state as it's used for cooking by poor people, so it's a lot cheaper than gasoline.

The problem with this is that it reduces the octane rating of the fuel, and as a result cars in India are apparently commonly detuned in order to avoid knocking when running on low octane gas.

That being said, bulking up gasoline with kerosine sounds like a less bad idea than using water, as I'd guess the water phase separates from the gasoline.


whoami.akamai.net and resolver.dnscrypt.org give me the same result. Can you expand on the "actually works" part of your comment?

